getting emails with illegal chars in the headers?
then add this to local.cf:
score RP_8BIT 0
Thierry Bagnoud
--
Michael Scheidell, CTO
o: 561-999-5000
d: 561-948-2259
ISN: 1259*1300
*| *SECNAP Network Security Corporation
* Best Intrusion Prevention Product, Networks Product Guide
cpu, step software. only minor differences
would be.. well, not even the exact set of rules. but can re2c randomly
compile something different depending on internal cpu cache?
only two of them had a problem.
On 3/21/11 4:20 AM, Ralf Hildebrandt wrote:
* Michael Scheidell <michael.scheid...@secnap.com>:
So it is an intel 32 bit thing or a perl 5.12?
I'm seeing it on intel 32 bit with perl 5.10.1
works for me on intel 32 and perl 5.10.1.
strange, very strange.
On 3/21/11 11:13 AM, John Hardin wrote:
Nope, that probably isn't the pill_price rules then. They were added
on feb 13 rev 1070308.
then they were updated? why didn't anyone have problems (100% cpu,
loops, swap filling up) till this weekend?
and
tiny url . com?
Ah, no.
I mean URLs pointing to different address than they appear, like:
<a href="phishing.site/fake/webmail">http://webmail.example.com/</a>
CLAMAV.
' and see if you have these enabled:
PhishingSignatures = yes
PhishingScanURLs = yes
PhishingAlwaysBlockCloak = yes
PhishingAlwaysBlockSSLMismatch = yes
Works here, compiled rules, freebsd 7.3, amd64, perl 5.10, re2c, 0.13.5
So it is an intel 32 bit thing or a perl 5.12?
--
Michael Scheidell
CTO SECNAP Network Security
561-948-2259
-Original message-
From: Lee Dilkie l...@dilkie.com
To: Michael Scheidell michael.scheid...@secnap.com
Cc: users@spamassassin.apache.org users
On 3/20/11 10:50 AM, Matt Elson wrote:
On 3/20/11 10:28 AM, Michael Scheidell wrote:
So it is an intel 32 bit thing or a perl 5.12?
I'm having the problem on an Intel 32-bit Linux machine running 5.8.8
with the same version of re2c, so it looks like the common thread is
Intel 32 bit + re2c
://issues.apache.org/SpamAssassin/show_bug.cgi?id=6558
2.6.4, running compiled rules.
On 3/16/11 11:50 PM, Warren Togami Jr. wrote:
Karsten, thanks for pointing out that this is the same guy. I had
missed that.
Warren
Ditto. I was about to tell him how to stop spear phishing.
thanks.
didn't run my own listserver, I would use theirs.
to fix spamassassin in your network is to remove it. disable
it. you are using it wrong, and no one can help you if you don't listen
to the experts.
to watch what is actually being sent to SA.. they fix your MTA
On 3/3/11 12:43 PM, Benny Pedersen wrote:
why not check_dkim_invalid(foo) ?
because if you, your isp, them, their isp, your dns provider, their dns
provider have a problem, and you can't look up the public key, you just
blacklisted them.
pass.
meta __RFC_IGNORANT_ENVFROM (0)
for completeness, you can include:
score DNS_FROM_RFC_BOGUSMX 0
score __DNS_FROM_RFC_POST 0
score __DNS_FROM_RFC_ABUSE 0
score __DNS_FROM_RFC_WHOIS 0
score DNS_FROM_RFC_DSN 0
score DNS_ABUSE_POST 0
it.
exchanger for a
domain.
/local/lib/perl5/site_perl/5.10.1/Mail/SpamAssassin/Plugin/DCC.pm
no dcc_add_header in the plugin.
and stop with the piss yellow background.
Office: (561) 999-5000 x:1235
Direct: (561) 948-2264
*From:*Michael Scheidell
*Sent:* Thursday, February 10, 2011 12:25 PM
*To:* John Meyer
*Cc:* Jonathan Scheidell; Anthony Wetula
*Subject:* Re: alert: New event: ET EXPLOIT Possible SpamAssassin Milter
Plugin Remote Arbitrary Command Injection
with
dynamic-looking rDNS
1.0 NO_REAL_NAME NO_REAL_NAME
is no way for
anyone else to recover it. a shame considering.
I wonder how much of the 'allocated' ipv4 is abandoned?
to last owner' junk!
if you DIDN'T keep it, do you remember what it was? checked it lately?
probably still in your old company's name.
as it would never
answer port 25), etc
yes, selecting a RANDOM ip would be bad. someone might put an smtp
server on that ip.
allowing anyone who is NOT under contract to you to potentially access
your inbound email could violate privacy laws in several geopolitical
regions.
On 2/4/11 5:42 AM, Mark Martinec wrote:
On June 8, 2011, dubbed World IPv6 Day, participants will enable
IPv6 on their main services for 24 hours.
fug!
anyone remember when you were only allowed one domain per company?
this experimental 'twisted pair'
or something?
Gotta tell you, that sure made searching for source code easy.
-attack-full-report/
doesn't match RDNS.
by foreign host.
on the abuse complaint)
.
mailto:certificat...@returnpath.net. to report abuse. not 'abuse@'
On 1/26/11 7:59 AM, Michael Scheidell wrote:
you send email to certificat...@returnpath.net
mailto:certificat...@returnpath.net. to report abuse. not 'abuse@'
heads up JD:
auto ack comes from a ip not listed in RP's SPF records.
might be mistaken for a joe job some day. might want to list
25_uribl.cf:urirhssub URIBL_DBL_ERROR dbl.spamhaus.org. A 127.0.1.255
something like this?
header DNS_FROM_DBL eval:check_rbl_envfrom('dbl','dbl.spamhaus.org.','127.0.1.2')
tflags DNS_FROM_DBL net domains_only
score DNS_FROM_DBL 2.0
of putting on a 2000 user box, got hits. (just using
_sender)
looked up the sender's name and found 27 spams sent today that SA had to
deal with (no more!)
On 1/19/11 6:04 AM, Helmut Schneider wrote:
bayes_auto_expire 1
disable auto expire and run a cronjob.
make sure you run the cronjob for each user in bayes.
mysql mail -AssBbe 'select username from bayes_vars'
On 1/19/11 7:56 AM, Helmut Schneider wrote:
Michael Scheidell wrote:
On 1/19/11 6:04 AM, Helmut Schneider wrote:
bayes_auto_expire 1
disable auto expire and run a cronjob.
OK...but..why? :)
to fix your problem.
plus auto expire can seriously degrade the performance
bayes and reimport.
.
local ip addresses in internal_networks.
you will avoid unnecessary rbl lookups, spf failures and it should set a
ALL_TRUSTED flag also.
On 1/5/11 4:52 PM, Michael Monnerie wrote:
server88-208-245-26.live-
servers.net
botnet is NOT an stock SA rule
plus, look at the silly DYNAMIC RULE LOOKING rdns.
fix rdns.
does NOT block spam. it only 'MARKS it'. if
your users are getting spam with '***SPAM***' in the subject line, then
SA is working.
Funny thing, and I think John Levine remembers 1994:
OH MY GOD, THE INTERNET WENT COMMERCIAL, with all these new computers,
it's the end of the internet.
and the oft quoted:
Breaking Story: Death of the Internet, gif at 11
of compromised accounts.
If they didn't, then it will cause FP's if used at mta level.
We are evaluating spamhaus.org commercial feed right now, and have
never gotten a FP so far. some FN's (hint: verizon's new 4g network has
a new /10 block that isn't in spamhaus.org pbl yet.)
On 1/3/11 10:49 AM, Ned Slider wrote:
On 03/01/11 15:41, Michael Scheidell wrote:
some FN's (hint: verizon's new 4g network has
a new /10 block that isn't in spamhaus.org pbl yet.)
Please share so we can consider adding it locally.
a spot check of rdns shows 'ddd.sub-ccc-bbb-aaa.myvzw.com
to harvest web sites for
email addresses, so, changing it would be good.
of this list and was trying to help you.
you will get exactly what you paid for when you installed spamassassin.
or, are you new to opensource software and support?
)$/) {
+$self-{force_ipv4} = 'yes';
+ }
+ elsif ($value =~ /^(?:no|0)$/) {
+$self-{force_ipv4} = 0;
+ }
+ else {
+return $INVALID_VALUE;
+ }
+}
+ });
+
=back
=head2 LEARNING OPTIONS
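Review bot: the two accepting branches store different kinds of value in force_ipv4: the yes branch assigns the string 'yes' while the elsif assigns numeric 0. Assigning 1 and 0 would keep the setting a plain boolean, so callers never have to compare against a string. As rendered here the assignments also read $self-{force_ipv4}, which will not compile unless the archive dropped the > of ->; check that the original patch carries $self->{force_ipv4}.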
. you
should vpn to your office, use your isp's ip's or use exchange, or
submit (again, to your office)
Thanks spamhaus for helping keep us safe! All the more reason to use
xbl,pbl and zen.
On 12/17/10 11:04 PM, Ted Mittelstaedt wrote:
It's shit-for-brains young girl administrative assistants at companies
who are our customers who apparently have too much time on their hands.
Don't hold back... how do you REALLY feel about outlook stationery?
, then cisco), it
will blacklist aol and yahoo addresses on occasion. so, DON'T use it in
prequeue.
Apologies.
C
.
Can anyone add insight as to how this is happening?
http://pastebin.com/WYYLpEJh
On 12/8/10 2:46 PM, John Hardin wrote:
On Wed, 8 Dec 2010, Toni Mueller wrote:
I tried the high MX for some time, but in my experience, spammers
usually only hit the first two MXes.
I wonder what Marc Perkel's experience in this regard is...
You just had to stir up the ants.
On 12/8/10 6:52 PM, Marc Perkel wrote:
punish the spammers.
and, punish any senders who follow the RFC's.
-Original Message-
From: Michael Scheidell
Sent: Saturday, November 06, 2010 2:59 PM
To: users@spamassassin.apache.org
Subject: Re: Spamhaus Whitelist
found out that below is a violation of the specs, and is NOT recommended
to be used.
I would assume that the specs detail tighter
response from Spamhaus DWL
50_scores.cf:score DKIMDOMAIN_IN_DWL 0 -3.5 0 -3.5
50_scores.cf:score DKIMDOMAIN_IN_DWL_UNKNOWN 0 -0.01 0 -0.01
looks like it combines an rbl check with a check for a valid dkim signature.
On 12/6/10 3:45 PM, Michael Scheidell wrote:
can we use the askdns.pm for SA 3.3 or do we have some missing
dependencies?
(I noticed some rules in latest couple of saupdates:
I guess I answered my own question:
Dec 6 16:20:21.941 [44960] warn: plugin: eval failed: Can't call method
On 12/1/10 10:37 PM, Karsten Bräckelmann wrote:
On Wed, 2010-12-01 at 20:38 -0500, Michael Scheidell wrote:
On 12/1/10 7:02 PM, Karsten Bräckelmann wrote:
Personally, I have *never* received a legit C/R. Every single one that
ended up on my machines have been in response to spam sent
1994.
How much email do you think you will get if you follow ALL the RFC's?
Oh, let's start a NEW spec that no one will follow. Considering how easy
it is to force senders to follow the current specs.
spec, and if anyone wants to send me email they
have to adhere to this new spec.
IT'S CALLED THE CURRENT RFC'S.
worked to open up that
malware that infected their workstations a while back.
Is it a constant battle of wits between the spammers, hackers, phishers?
yes. But the technology has matured enough in the last couple of years
that it's a winnable battle.
to a poster.
Guess what? I got a CR.
Guess what? luser got blacklisted.
://secnap.pastebin.com/zTmkSc6J
ps, scored a 3.5 here. by now, hopefully, it scores higher with
razor/dcc/spamcop, urlbl, etc.
it the first time, was one of my facebook_forgery rules
looked for spf_pass (didn't whitelist it!) but didn't add the 5 points
I assigned for forged facebook, twitter,etc.)
, but that clearly fails
here.
SPF is on ENVELOPE address, not header address.
Microsoft's patented 'sender id' (which they don't use) can use either.
of course, if you miss one spam, and complain, of
course if you block one legit email.
happened again. 1 out of 100, EXACTLY THE SAME SYSTEMS, DOWN TO MD5
CHECKSUMS ON BINARIES, need to remove INET6 perl module.
On 11/5/10 4:44 PM, Michael Scheidell wrote:
On 11/5/10 4:08 PM, Michael Scheidell wrote:
On 11/5/10 4:00 PM, Mark Martinec wrote:
It certainly looks like a DNS
). but I think the dns
servers may be overloaded. some people are complaining about timeouts.
Thanks for any help
Cheers,
Liam
to receive a
SPAM from a VALID SPF_PASS as well as a SOFTFAIL.
So, SPF works, if EVERYONE FOLLOWS THE RFC'S AND BEST PRACTICES. Where
it fails is when the sender or receiver doesn't follow the RFC's.
SPF_HELO_NEUTRAL 0
score SPF_HELO_SOFTFAIL 0
score SPF_NEUTRAL 0
score SPF_SOFTFAIL 0
score FROM_MISSP_SPF_FAIL 0
score TO_EQ_FM_DOM_SPF_FAIL 0
score TO_EQ_FM_SPF_FAIL 0
David.
, i386/amd64?
6) did you check to make sure you have the latest SA and re2c?
On 11/11/10 5:13 PM, Noel Butler wrote:
*and* as an SPF record type, the TXT method is deprecated,
but then again, SA doesn't support SPF record type, only TXT type..
.
# host -t a quarantine.spamchek.net
quarantine.spamchek.net is an alias for thorium.enidan.ch.
thorium.enidan.ch has address 212.25.14.40
# host -t a thorium.enidan.ch
thorium.enidan.ch has address 212.25.14.40
urirhsbl SPAMHAUS_DWL _vouch.dwl.spamhaus.org. A
body SPAMHAUS_DWL eval:check_uridnsbl('SPAMHAUS_DWL')
describe SPAMHAUS_DWL Domain is whitelisted by Spamhaus
tflags SPAMHAUS_DWL net nice
score SPAMHAUS_DWL -2.5
Set the scores to your own liking.
Bill
cached.
from cli, it's fine:
time host -t txt _adsp._domainkey.cantv.net
Host _adsp._domainkey.cantv.net not found: 3(NXDOMAIN)
0.000u 0.005s 0:00.00 0.0%0+0k 0+0io 0pf+0w
/mail/spamassassin for site rules pre files
Mark
uses the first nameserver from that file.
To turn on debugging in Net::DNS (assuming bourne-like shell):
$ RES_OPTIONS=debug spamassassin -D -t < test.msg
Mark
On 11/5/10 4:08 PM, Michael Scheidell wrote:
On 11/5/10 4:00 PM, Mark Martinec wrote:
It certainly looks like a DNS resolver problem. What is your
/etc/resolv.conf?
The Net::DNS only uses the first nameserver from that file.
To turn on debugging in Net::DNS (assuming bourne-like shell
On 11/5/10 4:44 PM, Jason Haar wrote:
On 11/06/2010 08:39 AM, Michael Scheidell wrote:
debug seems to indicate a DNS problem, but, all 'manual' dns tests
come back immediately (fine)
running a caching dns server, perl 5.10.1, SA 3.3.1. Net::DNS version:
0.66
NOT using ipv6.
your delay occurs
On 11/1/10 10:28 AM, Robert Blayzor wrote:
lock_method flock
Switch to the special mysql bayes. it will also allow you to expire
based on time (with some added table).
sync is dynamic but don't forget the cronjob to expire bayes daily.
On 11/1/10 1:52 PM, Robert Blayzor wrote:
On Nov 1, 2010, at 10:38 AM, Michael Scheidell wrote:
Switch to the special mysql bayes. it will also allow you to expire based on
time (with some added table).
sync is dynamic but don't forget the cronjob to expire bayes daily.
Unfortunately
$set;
}
-4.02.8 Perl module for working with IP addresses and
blocks thereo
version).
and SA 3.2.* has built in support for the results of the ip queries.
,
Lawrence Williams
LCWSoft
www.lcwsoft.com
On 10/9/10 11:35 AM, Dennis German wrote:
The question is: Has anyone seen unpredictable and different results when
processing the same message?
Sure. if your setup is messed up, you will get unpredictable results.
, there
is no telling what else they did.
I suppose you can't post the spamd options they use when they start SA?
what about the contents of the ../share/mail/spamassassin directory?
the default local.cf?
circumstances would this happen?
AWL is NOT an 'auto whitelist'. and is not used by default configs
anymore.
instead of including the massive volume of documentation on what AWL is
and is not, just google.
.
why not just use something like 'ob.lanyon.com', in your HELO, FQDN, and
make sure that both FWD and RDNS match?
concerned about YOUR system getting better. local learning
(sa-learn) will bring 'spam' into your local bayes.
do both.
help out the community as a whole (spamassassin --report-spam)
and yourself (sa-learn-r)
many thanks in advance
Colin
to spamassassin's web site to see current version.
http://secnap.pastebin.com/iVAySSRR
what in the world is outbind?
outbind://24/www.united.com/refunds
(I guess if I click on it on my mac, nothing will happen)
looks like it's a MS thing:
http://www.infosyssec.com/forum/viewtopic.php?t=1374
.
password and ip address of your server so I can
look at the logs.
Seriously, not without samples of headers that you claim are valid.
better yet, open a bug on bugzilla and document the errors.
installs already have db4. I guess maybe, hey, its open
source, get out your flowchart guys and write the db4 module :-)
at ebay... envelope from is members.ebay.com. dkim
signature has d=ebay.com
is that what adsp_discard means? that even though the dkim signature
matched, the domain in the envelope from didn't match the domain that
the signature says it signed?
::Server in
/usr/lib/perl5/vendor_perl/5.8.8/Mail/SPF,
you might be overwriting SPF.pm
you might have perl so messed up you need to start all over.
just read the install file, install what is needed, via ports, rpm's,
yum or cpan if none of the above.
, or a custom rule. disable
all custom rules and rbl's and try again.