E:
http://taint.org/2007/08/15/004348a.html
Rob McEwen
, when you said, "too many false positives", are you referring
to FPs from *before* that transformation of SpamCop? Or, are these
*recent* FPs, spotted after that transformation?
(Also, I'm not trying to argue... just trying to learn... and seeking
clarity!)
Rob McEwen
es caught off-guard regarding SA's dnsbl
implementations.
Rob McEwen
possible for a DNSBL to have far fewer
listings, but, in "real world" testing, hit on higher numbers of spams
with less FPs.
Rob McEwen
Therefore, they should do
outbound filtering even on authenticated mail.
Otherwise, SMTP password-authenticated e-mail should almost always not
be filtered, or be minimally filtered.
Rob McEwen
listings
ivmURI has 233K listings
But those numbers don't tell the whole story. ivmURI stands up quite
well when measuring real world "hits" on spam sent to real users. When
measured in the real world, ivmURI compares quite well in
head-to-head-to-head tests against SURBL and URIBL... even with its
smaller footprint... and ivmURI is at least as good in the low-FPs
department.
But, like I said, ALL three lists are indispensable and block spam that
the other two miss.
Rob McEwen
ere is your access coming from?
ALSO: Does this mean that I now am not allowed to make the official
invaluement.com site launch announcement on the URIBL list? ...I hope
not... then again, we might all be old and gray by the time that happens :)
Rob McEwen
tructions as well
as my now-finalized price list (the same one that will be posted on my
web site soon).
Thanks for your interest!
Rob McEwen
that requires a big solution.
Knowing what you're up against in creating a URI blacklist might seem
discouraging in the short term, but might give you the proper long-term
focus and patience you need to really pull this off.
Best wishes for your success in this endeavor!
Rob McEwen
(creator of the "invaluement.com" DNSBLs, ivmURI & ivmSIP)
t the time your spam arrived.
Any other IPs to check?
Rob McEwen
se
you to miss out on a good thing he has going with his HostKarma lists.
Sure, it is fun to make fun of Marc. But don't be fools yourselves and
miss out on a good thing! Some of his ideas that are lampooned really do
work.
Rob McEwen
forge, right?
And can you give examples of IPs used to send official PayPal messages
that are not on that list I sent?
Rob McEwen
ssages? Is there some way to whitelist based on
something other than the From address?
Michael,
Try whitelisting the actual sending IPs of PayPal:
SEE:
http://www.senderbase.org/senderbase_queries/detaildomain?search_string=paypal.com
Rob McEwen
pam filter all together in one package).
Rob McEwen
replace with those IPs you gave as examples... and depending on which
list I said that an IP was listed on)
Also, look in SmarterMail to see if there is a place where you can
specify the DNS server.
Rob McEwen
[EMAIL PROTECTED]
sion forum specifically about
SmarterMail.
It looks to me like you have some kind of DNS malfunction...or
SmarterMail malfunction.
Rob McEwen
[EMAIL PROTECTED]
out each message and this didn't change my conclusions.
--Rob McEwen
ZEN and SpamCop, assuming that those two lists are implemented correctly
and are scored such that either one alone scores high enough in your
system to outright block an incoming spam.
Rob McEwen
[EMAIL PROTECTED]
t is really happening... are these
REALLY being missed by ALL those lists?? ...Or are these REALLY being
used (and scored?) properly by your filter??
Those questions can't be answered without some examples.
Thanks!
Rob McEwen
[EMAIL PROTECTED]
t he does a jam up job with his web site... He
is a true expert in this field and gives very good advice. His web sites
are chock full of excellent analysis and review. Highly recommended!
(Though his site would do better if he factored in "unique" catches
among the 1st tier extreme-low-FP lists.)
Rob McEwen
[EMAIL PROTECTED]
ains missed by both
SURBL & URIBL, while being more FP-safe and more reliable than DOB.
FOR EXAMPLE, SEE:
http://invaluement.com/results.txt
Unlike all of these other dnsbls I've mentioned, ivmURI does require a
subscription for access. Contact me off-list for more details and for a
free trial.
Rob McEwen
[EMAIL PROTECTED]
from these IPs to those who use ivmSIP have been blocked.)
FINAL NOTE: ivmSIP seeks to be a supplemental list focused mostly on new
series of spams... and purposely skips out on listing spammer's IPs that
have been in circulation for more than X number of weeks/months...
therefore, Zen is going to list many IPs that ivmSIP isn't even trying
to list. So ivmSIP is NOT trying to be a Zen replacement, but, instead,
more of a supplement.
Rob McEwen
ng thousands of dollars per year.
But when someone says that all DNSBLs should be "free", and implies that
those operating "for profit" DNSBLs are "shady", I'm left feeling angry
and frustrated. Running a DNSBL is a risky, time-consuming, and costly
business (particularly if the DNSBL is of world-class quality.)
Rob McEwen
nds of hours of his unbillable time
helping ALL of our spam filters to be better via his efforts with SURBL
(and elsewhere).
DNSBL operators like Jeff (and others) are NOT the Energizer Bunny!
(BTW - really, more ISPs need to move to RSYNC... and we should ALL be
running local DNS caching servers)
Rob McEwen
?
(Also, at one point, you mentioned SURBL... but that was a typo and you
are talking about URIBL, correct?)
Rob McEwen
off). Second, there are other techniques to catch
the balance besides bayes. For example, there might be some RBLs (and
URI blacklists) that you aren't using which may be helpful. Not all of
the good ones are included in the default setup for SA.
Rob McEwen
Better yet, avoid being a victim of dns hijacking by accessing SURBL &
URIBL (and other dnsbls!) via RSYNC. If implemented correctly, this will
result in performance gains as well!
--Rob McEwen
't bypassed for SMTP AUTH connections.
This is a fundamental flaw in your architecture. Until you fix this,
you'll get FPs with almost all of the best RBLs that other mail
providers use on large networks every day with virtually zero FPs. The
problem is your configuration, not with the RBLs.
decent percentage of **additional** spam even if the
other four lists were already in use prior to adding that fifth list.
Lists that have zero FPs, but don't find any additional Spammer's IPs
didn't make that list.
Rob McEwen wrote:
John Rudd wrote:
Spamcop: no. Don't use t
I'm not privy to the inside details, but they must have
made some dramatic changes. Therefore, whatever bad FP reputation
they've earned over the years should be erased and they should be
reassessed.
Rob McEwen
's spam filtering environment. These couldn't be used "out
of the box" without some configuring of various programs on one's
server. Something else to ponder.
I hope this is beneficial and helps future SA versions! Doing all of
this, I believe I've taken the "RBL" portion of my spam filtering to a
level that is beyond what many thought possible.
Rob McEwen
from having to limit
subscriber's data update frequency, as many other lists are forced to
do to keep their RSYNC servers from getting overloaded from TONS of
"free subscribers".
Therefore, I recommend that you re-think your choices here! Don't let
your quest for "guaranteed long-term perfection" keep you from making
**substantial** progress today!
Rob McEwen
e much more safe for outright
blocking... particularly ivmSIP.com, which has a FP rate that is almost as low
as the FP rate of SpamHaus's lists.
Rob McEwen
Dan Mahoney, System Admin wrote:
Message at bottom.
I checked on this email. My system is right: it is an spf soft-fail.
At this point, nine
random aliases are used in the
FROM address then the database for this server could grow unbelievably large
to a point where it would be rendered useless. Also, this would also be a
valuable resource for spammers to verify addresses in their own address
lists! So... forget that idea!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
spam run?
Therefore, I suppose that SAV is relatively harmless if fewer and smaller
ISPs use it... but it could cause many problems if more widely adopted. It
fails the "what if everyone were doing this" test.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
le triggers and I'm catching (I think?) all
of these without any chance for a FP. So far, I haven't seen this rule miss
any of this series.
Perhaps there is some equivalent functionality in SA?
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
g SpamHaus for some days or weeks.
(and my FP rate is just about as good as SpamHaus's... and constantly
improving!). Just let me know and I'll tell you what to do to get started.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
more like this! (Still taking testers, if anyone
is interested!)
Rob McEwen
PowerView Systems
(478) 475-9032
[EMAIL PROTECTED]
-Original Message-
From: "Jari Fredriksson" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>, "SpamAssassin"
Date: 07/31/07 21:
e of the more shrewd spammers who have learned well how to
listwash and/or are more shrewd in how they gather their addresses in
the first place.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
THEN I'll
tell you more about how it works!)
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
FWIW, I'm showing uribl.com resolving to 127.0.0.1 at the moment
(A tactic to deal with DOS???)
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
-Original message-
From: Chris Santerre [EMAIL PROTECTED]
Date: Wed, 06 Jun 2007 15:11:17 -0400
To: "'Ken A'"
headers, not just the
sending server IP. Sure, the percent of XBL FPs generated
wouldn't be nearly as high as PBL, but still too high!
Did you mean to say, "SBL is fine for that." ??
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
perfect world...
...but checking against OTHER IP addresses in the header messes
this all up.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
re often sent via mailservers which will easily bypass graylisting
due to retries.
Also, in general, these are also among the most difficult types of spams
to catch.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
FUN PROJECT:
Help Rob McEwen test his new anti-spam tools!
As many already know... I'm one of a **small** handful of organizations with
authority to blacklist and whitelist "at will" on SURBL and I've provided
much administrative assistance to SURBL for years, particularly
said, it is
fully win32 "native", no unix emulation.
Might not be exactly what you wanted, but very, very close.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
of
my filtering is custom written and I'm beating SA's "out of the box"
configuration by a wide margin.
E-mail me directly (off-list) if you are interested and for pricing!
Rob McEwen
[EMAIL PROTECTED]
-Original Message-
From: Kelly Jones [mailto:[EMAIL PROT
t an alias set up on that domain? in other
words, "catch-all" accounts? I thought that just about everyone has moved away
from "catch-all" accounts due to dictionary attacks.
I was thinking, isn't recipient verification a "given"??!!
Surely, I must be confused! Please clarify.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
blocked as spam? In other words, for this to be an effective
strategy, wouldn't it ALSO need to be true that these stats are NOT typically
the case for images in legit e-mail?
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
rams are currently
accessing (in "read" mode)?
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
e topic or question
was deemed too off-topic for the Spam Assassin List.
Does anyone recall what those were (or have any good suggestions about this?)
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
hat 4 probably equals CBL and 5 probably means NJABL
...but what do 6, 7, and 8 represent?
I'm hoping that one of these three will represent **both** CBL and NJABL. And
I'm curious about all of these!
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
> -Original m
RE: Spamhaus's Zen list
Speaking of which, does anyone know what **exactly** the following xbl-derived
return codes represent on the Zen list
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
-Original message-
From: snowcrash+spamassassin [EMAIL PROTECTED]
Date: Sa
ave been a great tool 2-3 years ago. Oh well.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
ussion about it on the SA
list been "clamped down" with "off-topic" complaints.
Rob McEwen
om, some really good questions, and a few "heads ups" in
some of those threads... stuff which I believe helped SURBL... and I think
SURBL would have suffered had someone, early on, said, "keep this off the SA
list since it is off-topic"... which further backs up my original point.
he and I are about as polar opposite
in our political and "world-views" as two people can get... but I think
he has some great ideas about spam filtering and I like the way that he
"thinks outside the box".
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
Suggestion:
Rename your plugin to "AntiBotnet"
(or something like that)
Otherwise, I could see someone getting the "good guys" and "bad guys" mixed
up when reading or hearing about this!
Rob McEwen
ticular rDNS lookups.
(I use SA as a "helper application" to complement my own spam filter)
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
-Original message-
From: Stuart Johnston [EMAIL PROTECTED]
Date: Mon, 20 Nov 2006 16:02:43 -0500
To: users@spamassassin.apache.org
Subject
run this check, correct?
Is there anything ELSE that should be done to tell SA to NOT do any other
network or DNS checking (and NOT do an rDNS lookup!), except still do DCC and
Razor checking?
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
maybe there is still more going on via DNS that
I realize?)
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
ant to mention this in the first place
because if they are adjusted at the SARE site, then the spammers will only
readjust accordingly!)
Rob McEwen
PowerView Systems
In the meantime, it sure would be nice if that new ruleset that Chris bragged
about could get on the SARE website ASAP.
(Where are you Doc Schneider? I hope we haven't caught you on a busy day.
Please hurry.)
Rob McEwen
PowerView Systems
g to be
compared with a spammer.
--Rob McEwen
ntly, murder
journalists who disagree with the gov't), Venezuela, any African country who
changes gov't via coup every few years (which is just about all of them),
and ANY Muslim country where those who don't worship Allah are persecuted
(and this is the majority of them!).
Do you really want THEM in charge of the Internet?
Rob McEwen
> The last few weeks I have noted (angry users calling me by phone) that
> the server is really slow.
Don't know for sure, but I suspect slower than usual Razor and/or DCC servers?
--Rob McEwen
ing really
>helps in these cases.
Jon, please tell me, what portion of your overall spams attempt to come in
through this secondary MX compared to all spam that you catch which are headed
to your primary MX record.
THAT is what I most wanted to know.
Thanks!
Rob McEwen
PowerView Systems
Also, has anyone ever seen ANY legit mail go to the highest MX record when
no mail server failure occurred?
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
Recommended Commercial DNS Services?
I’m looking for suggestions for reliable outsourced
DNS services where the servers aren’t overloaded, the prices are
reasonable, and the service & control panels are tops.
Any suggestions?
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
ook since this is
not provided by Microsoft.
Let me know if I'm wrong about any of this.
I hope this helps!
--Rob McEwen
people use Outlook Express and it would be great to
have a "SpamAssassin Coach" for Outlook Express as well.
--Rob McEwen
ig bank who seem to think I'm the one who has lost his mind... So I
was hoping for feedback to make sure that I'm not the one who is crazy
here!
Rob McEwen
black" or "white"... or, better yet, how
would you suggest treating a "yellow" return code compared to a "not found"
return code?
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
> Usually they're the typical viagra or stock scam.
Text or image spam?
If text, do they include a URL that might be caught by SURBL or URIBL?
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
is that if these fall within a narrow range, then that might
make it more wise to scan outbound mail.. but to do so using a limited range of
types of scanning to minimize resources... targeting just the types of spams
that are being sent by these types of trojans.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
or bounce them back if they're detected as spam.
Tom,
Don't you require password authentication as a prerequisite for users being
allowed to relay messages through your server? (and I'm always wondering if this
is enough protection from trojans?)
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
isn't something that changes that much minute to
minute.
There still remains the question about what **exactly** should the numerator
and the denominator be when calculating that percentage? Any ideas yet?
Rob McEwen
PowerView Systems
t;250" the 15% "just barely caught
stuff"... but then I take full responsibility for that 15% and do extensive
auditing on it (mostly through automated tools) so that I can be confident
that I haven't created FPs (and so that I can deliver rare FPs in a timely
manner, as well as adjusting the filtering to prevent future FPs)
Hope this helps!
Rob McEwen
PowerView Systems
are?
This is almost like "The Twilight Zone"...
Either
(1) I have gone insane
(2) GFI has made a critical error in the fundamentals of their architecture.
Please read that post above and let me know which is the case.
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
header and my client's IP is blacklisted.
Unbelievable.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
66.135.215.231-240
216.113.168.128
216.113.168.139
216.113.184.201-203
216.113.188.96
216.113.188.112
216.113.188.202
But I make no guarantees about this list. Please correct me if there are any
errors or omissions. Use at your own risk.
Rob McEwen
PowerView Systems
uestioned/percent not questioned) factored
in... knowing that if someone submits thousands of true 419 scams at some
point, a few of these will be questioned)
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
e a more
comprehensive list with faster turnaround?
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
make this additional rule **subtract** points... either the same or a
little less than the amount of points added by the obfuscation-catching rule,
depending on whether you want to leave a little bit of score in there for the
correctly spelled instances or cancel it out altogether.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
except that Kofi is
much dumber and not nearly as powerful as Palpatine... (at least not yet).
So be careful about anything the U.N. might come up with to "rescue" us!
Rob McEwen
PowerView Systems
utright blocking... but, yes, SORBS is a bit more risky for FPs than the
others I've mentioned.
But I do use all of these as "factors" which I weight into the score.
(and I think that the warning from www.dnsstuff.com has more to do with
people "outright blocking" based ONLY on that one RBL's results)
--Rob McEwen
ding out thousands of messages which attempt to
"look" hand-typed and personalized. But... come on... these are
easily spotted and form a pattern that distinguishes itself from a real hand
typed personalized message.)
Rob McEwen
PowerView Systems
answer but doesn't have SA source code handy)
Thanks again!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
's list of "two level
TLDs"?
Thanks!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
ode:
http://physics.ucsd.edu/~epivovar/anti-spam.htm
I've found this "fully win32" port to be very stable in my testing... but I
haven't yet "battle tested" it.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
e you feel VERY assured that you'd
NEVER see spam from that remote IP address)
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
ns even if/when SURBL/URIBL, Razor/DCC, and RBL lookups are ALL turned
off?
(for example, suppose that if ALL of these I mentioned above turned off, "No
rDNS" is still tested for. If so, then "No rDNS" would be an example of what
should be on the list that answers my questi
'm fairly sure that it does NOT turn off DCC, Razor, Pyzor, etc, right?
But what else is affected?... is there a comprehensive list or a more detailed
explanation anywhere?
Thanks,
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
right to deny access, but overall welcome
participation. (For example, I suggest that no one start marketing a desktop
software solution and think they could use Razor for such an application!!! But
otherwise, there are really no restrictions, as I understand it.)
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
I'd love to know if you find that this
native win32 port is faster at processing the messages.
http://physics.ucsd.edu/~epivovar/anti-spam.htm
btw - I'm going to post a new thread about this because I think it is deserving!
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032
ways mean better performance... I've
seen many web sites that deliver content dynamically from a SQL database
backend where there were noticeably large delays between page loads, for
example.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
ta from the forensics lab.
However, this time, I do think you've taken this DNS blacklist thing way too
far. You have to consider the consumers of the DNS list as well.
Overcomplicate this and few will ever get it to work effectively.
:)
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
ization and as being frequently used, that might be a good IP
address (or IP address range) for whitelisting to prevent it from ever showing
up on your RBL.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
was joe-jobbed
would have just about 0% chance of showing up in a particular server that
happened to use this service. Especially given the incredibly low percentage of
servers which might potentially use this anytime in the next months or years.
Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
It could actually be a benefit if/when the e-mail address account was
terminated because this could keep the overall size of the list smaller. I
wonder if there is some automated way to check this getting in trouble for
spamming or abusing the free hosting service?
Rob McEwen
PowerView Systems
201 - 300 of 374 matches