date:20100225

Ram wrote on Thu, 25 Feb 2010 17:31:04 +0530:

 how can i stop those kind of emails

11.Received: from unknown (HELO NANQRZBVJZ) (121.100.119.197)

If you allow such a thing to deliver to you you actively ask for spam.
I don't waste SA cycles on such stuff.

Apart from that it seems your SA is outdated and your Bayes is not trained 
well. I don't use any RBL tests and get 20.

X-Spam-Status: Yes, score=20.2 required=5.0 tests=BAYES_50,BODY_8BITS,

CHARSET_FARAWAY_HEADER,FH_FAKE_RCVD_LINE_B,FSL_HELO_NON_FQDN_1,HK_BADNAME,

HK_BADSUBJECT,KB_RATWARE_OUTLOOK_MID,MIME_CHARSET_FARAWAY,MIME_QP_LONG_LIN
E,
RDNS_NONE,UNWANTED_LANGUAGE_BODY autolearn=spam version=3.3.0



Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com

Re: Bogus Dollar Amounts

Dennis B. Hopp wrote on Wed, 24 Feb 2010 09:14:58 -0600:

 Obviously I have something going on with my bayes, but that's a separate issue

Indeed. But it's an important issue. If it is that biased for other spam as well
youa re better off to not use it in this state.

X-Spam-Status: No, score=2.8 required=5.0 tests=BAYES_50,HK_MUCHMONEY,
T_LOTS_OF_MONEY,UNPARSEABLE_RELAY autolearn=no version=3.3.0

add your RBL score and it's way over 5.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com

Re: Off Topic - SPF - What a Disaster

2010-02-25 Thread RW

On Thu, 25 Feb 2010 12:55:50 +0530
ram r...@netcore.co.in wrote:

 On Tue, 2010-02-23 at 18:33 -0800, Marc Perkel wrote:

  I agree. I've been in the spam filtering business for many years
  and have yetto find any use for SPF at all. It's disturbing this
  useless technology is getting the false positive support we are
  seeing.
  
 Marc,
 This is just to repeat the cliche. SPF was not designed to help *you*
 in *spam filtering*. This was designed to help legitimate senders send
 mails. 

Just because it's a cliche doesn't mean it's true:


From the SPF FAQ:

   What is SPF and why is it complicating my life?

Sender Policy Framework (SPF) is an attempt to control forged
e-mail. SPF is not directly about stopping spam – junk email. It is
about giving domain owners a way to say which mail sources are
legitimate for their domain and which ones aren't. While not all
spam is forged, virtually all forgeries are spam. SPF is not
anti-spam in the same way that flour is not food: it is part of the
solution.

SPF was created in 2003 to help close loopholes in email delivery
systems that allow spammers to “spoof” or steal your email address
to send hundreds, thousands or even millions of emails illicitly.

Re: Bogus Dollar Amounts


On Thu, 25 Feb 2010, ram wrote:


http://pastebin.com/6c9sEEn9

i still see lot of junk mail coming with different charecters, i do not 
even read them clearly


how can i stop those kind of emails


Reject languages you can't read at SMTP time?

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You do not examine legislation in the light of the benefits it
  will convey if properly administered, but in the light of the
  wrongs it would do and the harms it would cause if improperly
  administered.  -- Lyndon B. Johnson
---
 139 days since President Obama won the Nobel Not George W. Bush prize

Re: [sa] Re: Bogus Dollar Amounts

2010-02-25 Thread Charles Gregory


On Thu, 25 Feb 2010, John Hardin wrote:

 i still see lot of junk mail coming with different charecters, i do not
 even read them clearly
 how can i stop those kind of emails

Reject languages you can't read at SMTP time?


I've been noticing more 'foreign language' spams that do not use
a 'foreign' character set and therefore do not trigger the 'faraway' 
rules I don't suppose anyone has developed a generic rule that would 
spot 'foreign language usage in non-foreign charset'?


- C

Re: Bogus Dollar Amounts

2010-02-25 Thread Dennis B. Hopp


Quoting Kai Schaetzl mailli...@conactive.com:


Dennis B. Hopp wrote on Wed, 24 Feb 2010 09:14:58 -0600:

Obviously I have something going on with my bayes, but that's a   
separate issue


Indeed. But it's an important issue. If it is that biased for other   
spam as well

youa re better off to not use it in this state.

X-Spam-Status: No, score=2.8 required=5.0 tests=BAYES_50,HK_MUCHMONEY,
T_LOTS_OF_MONEY,UNPARSEABLE_RELAY autolearn=no version=3.3.0

add your RBL score and it's way over 5.



I agree it's an important issue.  I had turned off bayes autoexpire in  
local.cf and at some point taken the cron job out that did a manual  
force-expire.  Once I did a force expire BAYES_60 triggered rather  
then BAYES_00.


What is the HK_MUCHMONEY rule that you have?  Is that part of the base  
SA installation?


Thanks,

--Dennis

Re: Off Topic - SPF - What a Disaster

Marc Perkel wrote on Thu, 25 Feb 2010 09:29:48 -0800:

 The anti-SPF bandwagon is not ego driven but results driven. Than you 
 for admitting that SPF in not a spam filtering solution. However it is 
 also not a white listing solution because as many people have said here 
 - spammers are the ones who are using SPF correctly.

You make the same mistake again. 
SPF is for assuring that mail with a certain sender domain was sent from a 
mailserver that is allowed to send mail for that domain. Nothing more, 
nothing less. 
It's for instance often used to have mail bypass greylisting as it doesn't 
make sense to greylist mail from an apparent mailserver.
This has nothing to do with spam. Certain combinations of SPF results and 
other stuff may typically indicate a spam or ham, but in general you just 
get a validation if that server was allowed to send. That is, by 
definition, whitelisting. If SPF was adapted 99% (and always strict with 
no allowance of not-listed servers), then you could also do blacklisting 
based on this. Still, this doesn't mean that you can use it for bland-and
-white spam-filtering. You could just reject *some* spam (that is now 
rejected by RBLs and access lists, anyway).
The only problem here is that a loose SPF definition can include all 
servers. To allow this was a big mistake. If someone doesn't want to 
restrict themselves to a certain range of servers, then they shouldn't use 
SPF.


Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com

Re: Block Spammers Spoofing My Domain

2010-02-25 Thread Per Jessen

schmo_j wrote:

 
 Greetings!
 
 I'm running SpamAssassin 3.2.5 on Gentoo Linux, and I'm looking to
 block messages from @mydomain.com that originate from outside my
 network. 

That is best/most easily  done at MTA level - see the recent thread Off
Topic - SPF - What a Disaster. 


/Per Jessen, Zürich

Re: Bogus Dollar Amounts

2010-02-25 Thread LuKreme

On 25-Feb-2010, at 05:36, Mike Cardwell wrote:
 
 I repasted that at http://spamalyser.com/v/gcrvcnbm/mime in order to get the 
 benefit of mime parsing and decoding.

running it through spamassassin -Lt I get a score of 16.6 (13.2)

Content analysis details:   (16.6 points, 5.0 required)

 pts rule name  description
 -- --
 4.0 BAYES_99   BODY: Bayesian spam probability is 99 to 100%
[score: 1.]
 0.1 KB_RATWARE_OUTLOOK_16  KB_RATWARE_OUTLOOK_16
 0.1 KB_RATWARE_OUTLOOK_12  KB_RATWARE_OUTLOOK_12
 3.8 KB_RATWARE_BOUNDARYKB_RATWARE_BOUNDARY
 0.7 SARE_RECV_IP_FROMIP3   Received line is IP address from IP address
 0.7 SARE_SUB_ENC_KOI8R Subject specifies display in non-English lang
 0.0 HTML_MESSAGE   BODY: HTML included in message
 2.2 MISSING_MIME_HB_SEPBODY: Missing blank line between MIME header and
body
 1.5 MIME_QP_LONG_LINE  RAW: Quoted-printable line longer than 76 chars
 0.1 RDNS_NONE  Delivered to trusted network by a host with no rDNS
 3.4 AWLAWL: From: address is in the auto white-list


-- 
'There's Mr Dibbler.'
'What's he selling this time?'
'I don't think he's trying to sell anything, Mr Poons.'
'It's that bad? Then we're probably in lots of trouble.' --Reaper Man

RE: Off Topic - SPF - What a Disaster

2010-02-25 Thread Rick Cooper


 From: Marc Perkel [mailto:m...@perkel.com] Sent: Thursday, February
 25, 2010 12:30 PM To: ram Cc: users@spamassassin.apache.org Subject:
  Re: Off Topic - SPF - What a Disaster




  ram wrote:

   On Tue, 2010-02-23 at 18:33 -0800, Marc Perkel wrote:
 
  
 Jeff Koch wrote:
  

 In an effort to reduce spam further we tried implementing SPF
 enforcement. Within three days we turned it off. What we found was
 that:
  
 - domain owners are allowing SPF records to be added to their zone
 files without understanding the implications or that are just not
 correct - domain owners and their employees regularly send email from
 mailservers that violate their SPF. - our customers were unable to
 receive email from important business contacts - our customers were
 unable to understand why we would be enforcing a system that
 prevented them from getting important email. - our customers couldn't
 understand what SPF does. - our customers could not explain SPF to
 their business contacts who would have had to contact their IT people
 to correct the SPF records.
  
 Our assessment is that SPF is a good idea but pretty much unworkable
 for an ISP/host without a major education program which we neither
 have the time or money to do. Since we like our customers and they
 pay the bills it is now a dead issue.
  
 Any other experiences? I love to hear.
   


 Best Regards,
   
 Jeff Koch, Intersessions
 
  
  
  I agree. I've been in the spam filtering business for many years and
  have yetto find any use for SPF at all. It's disturbing this useless
  technology is getting the false positive support we are seeing.


  
   Marc, This is just to repeat the cliche. SPF was not designed to help
   *you* in *spam filtering*. This was designed to help legitimate
   senders send mails.

   However as much as you, unreasonably , dislike it .. SPF adoption is
   on the rise.Two years ago most banks in India had no SPF records.
   Today almost every bank here publishes a SPF record. And that helps.
   For eg I use SPF checks to whitelist all local banks mail.

   Conversely, I have a custom rule that says if the header-from
   contains $popularbank.com and mail did not SPF pass add a score of
   3.0. Phishers can use whatever envelope from they want. But if they
   put the banks domain in the header-from the mail will be caught as
   spam. I know there are ways to get around this rule too but in
   practical life this has been real effective against phishing.


  IMHO most of the anti-SPF bandwagon is more due ego issues than
  technical.


  
 
  The anti-SPF bandwagon is not ego driven but results driven. Than you
  for admitting that SPF in not a spam filtering solution. However it
  is also not a white listing solution because as many people have said
  here - spammers are the ones who are using SPF correctly. I can see
  some theoretical benefits that if you have a list of banks with SPF
  and you receive an email from an address that the bank lists then you
  can safely pass it. But I find that an easier way to do that is to
  use FCrDNS to do the same thing.
 
  On the down site SPF breaks email forwarding and it creates a false
  sense that people are doing something to fight spam or protect ham
  that is not supported by reality. SPF has received intellectual
  welfare because stuff that doesn't work tends to be culled out of
  spam assassin and other than backscatter most people here are telling
  the SPF supporters that it doesn't work. If SPF is becoming more
  popular it just means that more people are misled.
 
So then SRS Doesn't work for forwarding systems? I ask because I am
not a forwarding service and, as I only handle corporate mail
systems, do not give access to arbitrary forwarding to the mail
users so we do not have tons of (external) forwarding going on. Since SPF
and
SRS are like legs on the same body I will assume trying to walk with
one leg produces results similar to a forwarding service using SPF
without SRS. I personally would love comcast would list all of their
Valid outbound mail hosts and hard fail all others, same with aol, yahoo,
gmail, etc.
Seems to me if you are going to push email all over hell's half acre it
behooves you
To use any and all tools available to take responsibility for those mails
and SPF is
One of several tools that can do that, at least to some extent. If there
would have been
Some kind of total commitment to spam 10 years ago we would not be where we
are today and
Spamassassin (as it is) would not be quite so necessary.

(My apologies for the pathetic attempt at manually reformatting
the original html post)


  I am open to and interested in

Block Spammers Spoofing My Domain

2010-02-25 Thread schmo_j


Greetings!

I'm running SpamAssassin 3.2.5 on Gentoo Linux, and I'm looking to block
messages from @mydomain.com that originate from outside my network.  I
already have a whitelist_from_rcvd *...@mydomain.com mydomain.com rule in
place, can I simply add a blacklist_from *...@mydomain.com rule right below
it to accomplish my goal?  All of my mail-producing servers are inside my
internal network (also defined in internal_networks), so I'm positive that
nothing from @mydomain.com should come from the outside.

Thanks!
-- 
View this message in context: 
http://old.nabble.com/Block-Spammers-Spoofing-My-Domain-tp27714499p27714499.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.

Re: Bogus Dollar Amounts


On Thu, 25 Feb 2010, Dennis B. Hopp wrote:

What is the HK_MUCHMONEY rule that you have?  Is that part of the base 
SA installation?


It's a sandbox rule that got promoted. I'm working on a set of money rules 
that will supercede it.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Health Care _is_ a right - the government has no business keeping
  you from getting it. But forcing somebody else to pay for your
  health care at gunpoint (i.e. through taxation) is _not_ a right.
---
 139 days since President Obama won the Nobel Not George W. Bush prize

RE: Block Spammers Spoofing My Domain

2010-02-25 Thread Rick Cooper

Original Message
From: schmo_j [mailto:schm...@yahoo.com]
Sent: Thursday, February 25, 2010 1:40 PM
To: users@spamassassin.apache.org
Subject: Block Spammers Spoofing My Domain

 Greetings!

 I'm running SpamAssassin 3.2.5 on Gentoo Linux, and I'm looking to block
 messages from @mydomain.com that originate from outside my network.  I
 already have a whitelist_from_rcvd *...@mydomain.com mydomain.com rule in
 place, can I simply add a blacklist_from *...@mydomain.com rule right below
 it to accomplish my goal?  All of my mail-producing servers are inside my
 internal network (also defined in internal_networks), so I'm positive that
 nothing from @mydomain.com should come from the outside.

 Thanks!
 --
 View this message in context:

http://old.nabble.com/Block-Spammers-Spoofing-My-Domain-tp27714499p27714499.
html
 Sent from the SpamAssassin - Users mailing list archive at Nabble.com. 

That should really be blocked at smtp not with SA. I do it (via exim) with a
list of
Ips that are allowed to helo with my domain(s)  and I require authentication
from
Any user to send mail, period. In my case if you break the helo with my name
rule
You are instantly added to the firewall for a week.

Rick

--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.

Re: Off Topic - SPF - What a Disaster

2010-02-25 Thread Per Jessen

Marc Perkel wrote:

 I can see some theoretical benefits that if you have a list of banks
 with SPF and you receive an email from an address that the bank lists
 then you can safely pass it. But I find that an easier way to do that
 is to use FCrDNS to do the same thing.

Not a theoretical benefit, whitelist_from_spf works very well, I just
don't get to use it very often.  IMO it also requires a little less
effort than whitelist_from_rcvd. 


/Per Jessen, Zürich

Re: Block Spammers Spoofing My Domain

2010-02-25 Thread Carlos Williams

On Thu, Feb 25, 2010 at 1:39 PM, schmo_j schm...@yahoo.com wrote:

 Greetings!

 I'm running SpamAssassin 3.2.5 on Gentoo Linux, and I'm looking to block
 messages from @mydomain.com that originate from outside my network.  I
 already have a whitelist_from_rcvd *...@mydomain.com mydomain.com rule in
 place, can I simply add a blacklist_from *...@mydomain.com rule right below
 it to accomplish my goal?  All of my mail-producing servers are inside my
 internal network (also defined in internal_networks), so I'm positive that
 nothing from @mydomain.com should come from the outside.

I do the following but from my MTA. I don't know if you're using
Postfix or Sendmail but I have the following 'helo_checks.pcre' in my
Postfix directory:

/^localhost$/   550 Don't use my own domain (localhost)!
/^ideorlando.\org$/ 550 Don't use my own domain!
/^216\.242\.104\.130$/  550 Your spam was rejected because
you're forging my IP.
/^\[216\.242\.104\.130\]$/  550 Your spam was rejected because
you're forging my IP.
/^mail\.ideorlando.\org$/   550 Don't use my own hostname!
/^[0-9.-]+$/550 Your software is not RFC 2821
compliant: EHLO/HELO must be a domain or an address-literal (IP
enclosed in []) - not a naked IP.



What MTA are you using?

Re: Off Topic - SPF - What a Disaster

2010-02-25 Thread Jeff Koch


At 02:31 PM 2/25/2010, you wrote:

Marc Perkel wrote on Thu, 25 Feb 2010 09:29:48 -0800:

 The anti-SPF bandwagon is not ego driven but results driven. Than you
 for admitting that SPF in not a spam filtering solution. However it is
 also not a white listing solution because as many people have said here
 - spammers are the ones who are using SPF correctly.

You make the same mistake again.
SPF is for assuring that mail with a certain sender domain was sent from a
mailserver that is allowed to send mail for that domain. Nothing more,
nothing less.
It's for instance often used to have mail bypass greylisting as it doesn't
make sense to greylist mail from an apparent mailserver.
This has nothing to do with spam. Certain combinations of SPF results and
other stuff may typically indicate a spam or ham, but in general you just
get a validation if that server was allowed to send. That is, by
definition, whitelisting. If SPF was adapted 99% (and always strict with
no allowance of not-listed servers), then you could also do blacklisting
based on this. Still, this doesn't mean that you can use it for bland-and
-white spam-filtering. You could just reject *some* spam (that is now
rejected by RBLs and access lists, anyway).
The only problem here is that a loose SPF definition can include all
servers. To allow this was a big mistake. If someone doesn't want to
restrict themselves to a certain range of servers, then they shouldn't use
SPF.


Kai


I disagree. SPF is just one of the tools - among other tools (e.g. DKIM, 
domain keys, not accepting email from servers with no RDNS, etc) - 
developed to help reduce spam.



--
Get your web at Conactive Internet Services: http://www.conactive.com


Best Regards,

Jeff Koch, Intersessions

Re: Off Topic - SPF - What a Disaster

2010-02-25 Thread LuKreme

On 25-Feb-2010, at 10:29, Marc Perkel wrote:
 
 The anti-SPF bandwagon is not ego driven but results driven. Than you for 
 admitting that SPF in not a spam filtering solution. However it is also not a 
 white listing solution because as many people have said here - spammers are 
 the ones who are using SPF correctly.

If you blindly accept any email with a valid spf as being 'good' email then 
your not understanding the system.

Here's where spf is useful. You have an emailer (a bank, a company, aol, 
hotmail, whatever) that is a frequent target of spoofing. You can either spend 
a lot of time and resources trying to catch the spoof emails while not trashing 
the real ones, or you can enable spf.

So, if an email comes in to my mailspool from paypal.com and it passes spf, it 
is treated as a normal message. It still goes through SA. But if it comes in 
from paypal.com and DOESN'T pass spf, it instantly gets 5 points added to it 
because if it's claiming to be from paypal AND it fails SPF, it is *not* from 
paypal.

So, while SPF is *not* an anti-spam tool, in the case of paypal, and ebay, and 
citibank (but not the mentally challenged lemurs at bankofamerica) the *lack* 
of SPF become an anti-spam tool (more often a anti-phishing tool, really).

How any mailadmin can think this is a bad thing is staggering.

  I can see some theoretical benefits that if you have a list of banks with 
 SPF and you receive an email from an address that the bank lists then you can 
 safely pass it. But I find that an easier way to do that is to use FCrDNS to 
 do the same thing.

Which fails when you have someone that has multiple domains that may be sending 
mail from the same organization. Mail to me from Citi may comes from any one 
of at least 6 different domains, and the mailserver is not necessarily in the 
same domain.
 
 On the down site SPF breaks email forwarding

uh huh. For certain values of breaks and forwarding. Resend the message as 
a rfc2822 attachment and... zomg, nothing is broken. Recipient gets the 
original unaltered message and the SMTP process doesn't have to lie about who 
the sender of the message is. But that takes some degree of effort on the part 
of mailserver, so it is widely ignored as it would constitute work.

Also, keep in mind that SPF has THREE states. Pass, fail, soft fail.

$ dig kreme.com txt +short
v=spf1 mx include:covisp.net ~all

only my mx server or the specific domain covisp.net is allowed to send email 
'from' my domain. No other host sending mail from my domain is to be considered 
valid.

I could do, instead:

v=spf1 mx include:covisp.net ?all

This means, hey, my mx server or any machine at this domain will send mail for 
me. If the email comes from there, SPF passes, but if it DIDN'T come from 
there, it might still be me, so only do a soft fail. because sometimes I route 
my mail out over gmail, or my friend ziggy.tld.

Many admins will reject both fail and soft-fail as failures, which is wrong.

 and it creates a false sense that people are doing something to fight spam or 
 protect ham that is not supported by reality. SPF has received intellectual 
 welfare because stuff that doesn't work tends to be culled out of spam 
 assassin and other than backscatter most people here are telling the SPF 
 supporters that it doesn't work. If SPF is becoming more popular it just 
 means that more people are misled.

SPF is becoming more popular because it is *effective* at what it does.

Currently I only use SPF within SA checks because it makes it trivial to catch 
most of the phishing scams.

-- 
They say only the good die young. If it works the other way too 
I'm immortal

Re: [sa] Re: Bogus Dollar Amounts

2010-02-25 Thread John Wilcock


Le 25/02/2010 17:06, Charles Gregory a écrit :

On Thu, 25 Feb 2010, John Hardin wrote:

 i still see lot of junk mail coming with different charecters, i do not
 even read them clearly
 how can i stop those kind of emails

Reject languages you can't read at SMTP time?


I've been noticing more 'foreign language' spams that do not use
a 'foreign' character set and therefore do not trigger the 'faraway'
rules I don't suppose anyone has developed a generic rule that would
spot 'foreign language usage in non-foreign charset'?


Perhaps more useful - and less prone to FPs in internationally-oriented 
organisations - a rule that spots *mismatched* charsets, e.g. a Cyrillic 
charset from a Chinese IP, a Korean charset via an Italian freemail 
host, and so on.


I guess such a rule would be possible as a meta, though an eval function 
might be more effective and allow more combinations.


--
John

Re: Off Topic - SPF - What a Disaster

Jeff Koch wrote on Thu, 25 Feb 2010 15:08:46 -0500:

 I disagree.

I don't know to what you disagree, but SPF is not an anti-spam tool. Full 
stop.

Kai

-- 
Get your web at Conactive Internet Services: http://www.conactive.com

Re: Off Topic - SPF - What a Disaster

2010-02-25 Thread Jeff Koch



How silly. That's like saying an iPhone is not a gaming device even though 
plenty of people use it to play game apps. Perhaps you should re-read the 
SPF FAQ's.



At 04:31 PM 2/25/2010, you wrote:

Jeff Koch wrote on Thu, 25 Feb 2010 15:08:46 -0500:

 I disagree.

I don't know to what you disagree, but SPF is not an anti-spam tool. Full
stop.

Kai

--
Get your web at Conactive Internet Services: http://www.conactive.com


Best Regards,

Jeff Koch, Intersessions

.pn TLDs not recognized for util_rb_2tld?

2010-02-25 Thread Daniel McDonald

config: SpamAssassin failed to parse line, co.at.pn is not valid for
util_rb_2tld, skipping: util_rb_2tld co.at.pn
config: SpamAssassin failed to parse line, co.uk.pn is not valid for
util_rb_2tld, skipping: util_rb_2tld co.uk.pn
config: SpamAssassin failed to parse line, com.au.pn is not valid for
util_rb_2tld, skipping: util_rb_2tld com.au.pn
channel: lint check of update failed, channel failed


$ dig +short 5.2.3.90_2tld.cf.sare.sa-update.dostech.net txt
201002251100

Shouldn¹t those have util_rb_3tld?

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281

Re: .pn TLDs not recognized for util_rb_2tld?

2010-02-25 Thread Yet Another Ninja


On 2/25/2010 11:41 PM, Daniel McDonald wrote:

config: SpamAssassin failed to parse line, co.at.pn is not valid for
util_rb_2tld, skipping: util_rb_2tld co.at.pn
config: SpamAssassin failed to parse line, co.uk.pn is not valid for
util_rb_2tld, skipping: util_rb_2tld co.uk.pn
config: SpamAssassin failed to parse line, com.au.pn is not valid for
util_rb_2tld, skipping: util_rb_2tld com.au.pn
channel: lint check of update failed, channel failed


$ dig +short 5.2.3.90_2tld.cf.sare.sa-update.dostech.net txt
201002251100

Shouldn¹t those have util_rb_3tld?



thx for spotting - fixed copy/paste goof

Pls allow some time for updates to be spread

Re: Off Topic - SPF - What a Disaster




Rick Cooper wrote:
 
  The anti-SPF bandwagon is not ego driven but results driven. Than you

  for admitting that SPF in not a spam filtering solution. However it
  is also not a white listing solution because as many people have said
  here - spammers are the ones who are using SPF correctly. I can see
  some theoretical benefits that if you have a list of banks with SPF
  and you receive an email from an address that the bank lists then you
  can safely pass it. But I find that an easier way to do that is to
  use FCrDNS to do the same thing.
 
  On the down site SPF breaks email forwarding and it creates a false

  sense that people are doing something to fight spam or protect ham
  that is not supported by reality. SPF has received intellectual
  welfare because stuff that doesn't work tends to be culled out of
  spam assassin and other than backscatter most people here are telling
  the SPF supporters that it doesn't work. If SPF is becoming more
  popular it just means that more people are misled.
 
So then SRS Doesn't work for forwarding systems? I ask because I am

not a forwarding service and, as I only handle corporate mail
systems, do not give access to arbitrary forwarding to the mail
users so we do not have tons of (external) forwarding going on. Since SPF
and
SRS are like legs on the same body I will assume trying to walk with
one leg produces results similar to a forwarding service using SPF
without SRS. I personally would love comcast would list all of their
Valid outbound mail hosts and hard fail all others, same with aol, yahoo,
gmail, etc.
Seems to me if you are going to push email all over hell's half acre it
behooves you
To use any and all tools available to take responsibility for those mails
and SPF is
One of several tools that can do that, at least to some extent. If there
would have been
Some kind of total commitment to spam 10 years ago we would not be where we
are today and
Spamassassin (as it is) would not be quite so necessary.

(My apologies for the pathetic attempt at manually reformatting
the original html post)

  


SRS is even more broken than SPF. I allow users to white list or black 
list based on the sender. If you rewrite the sender then you lose sender 
based conditionals. SRS has no use other than to try to fix SPF which 
has no use in the first place.

Re: Off Topic - SPF - What a Disaster




Kai Schaetzl wrote:

Marc Perkel wrote on Thu, 25 Feb 2010 09:29:48 -0800:

  
The anti-SPF bandwagon is not ego driven but results driven. Than you 
for admitting that SPF in not a spam filtering solution. However it is 
also not a white listing solution because as many people have said here 
- spammers are the ones who are using SPF correctly.



You make the same mistake again. 
SPF is for assuring that mail with a certain sender domain was sent from a 
mailserver that is allowed to send mail for that domain. Nothing more, 
nothing less. 
It's for instance often used to have mail bypass greylisting as it doesn't 
make sense to greylist mail from an apparent mailserver.
This has nothing to do with spam. Certain combinations of SPF results and 
other stuff may typically indicate a spam or ham, but in general you just 
get a validation if that server was allowed to send. That is, by 
definition, whitelisting. If SPF was adapted 99% (and always strict with 
no allowance of not-listed servers), then you could also do blacklisting 
based on this. Still, this doesn't mean that you can use it for bland-and
-white spam-filtering. You could just reject *some* spam (that is now 
rejected by RBLs and access lists, anyway).
The only problem here is that a loose SPF definition can include all 
servers. To allow this was a big mistake. If someone doesn't want to 
restrict themselves to a certain range of servers, then they shouldn't use 
SPF.



  


SPF will never be 99% adopted until it actually does something that is 
significantly useful. Using it as a white list to bypass a grey list 
isn't what I would call significantly useful. SPF fails the actually 
works test.

Re: Off Topic - SPF - What a Disaster




Jeff Koch wrote:

At 02:31 PM 2/25/2010, you wrote:

Marc Perkel wrote on Thu, 25 Feb 2010 09:29:48 -0800:

 The anti-SPF bandwagon is not ego driven but results driven. Than you
 for admitting that SPF in not a spam filtering solution. However it is
 also not a white listing solution because as many people have said 
here

 - spammers are the ones who are using SPF correctly.

You make the same mistake again.
SPF is for assuring that mail with a certain sender domain was sent 
from a

mailserver that is allowed to send mail for that domain. Nothing more,
nothing less.
It's for instance often used to have mail bypass greylisting as it 
doesn't

make sense to greylist mail from an apparent mailserver.
This has nothing to do with spam. Certain combinations of SPF results 
and
other stuff may typically indicate a spam or ham, but in general you 
just

get a validation if that server was allowed to send. That is, by
definition, whitelisting. If SPF was adapted 99% (and always strict with
no allowance of not-listed servers), then you could also do blacklisting
based on this. Still, this doesn't mean that you can use it for 
bland-and

-white spam-filtering. You could just reject *some* spam (that is now
rejected by RBLs and access lists, anyway).
The only problem here is that a loose SPF definition can include all
servers. To allow this was a big mistake. If someone doesn't want to
restrict themselves to a certain range of servers, then they 
shouldn't use

SPF.


Kai


I disagree. SPF is just one of the tools - among other tools (e.g. 
DKIM, domain keys, not accepting email from servers with no RDNS, etc) 
- developed to help reduce spam.




I'd like to find a way to get people to get their FCrDNS correct. The 
way I see it if they can't get RDNS correct they aren't going to get SPF 
correct. Unfortunately I get a lot of ham from IPs with no RDNS.

Off-topic? Off-list!

2010-02-25 Thread Karsten Bräckelmann

Sometimes I wonder, at which point in a lengthy *off-topic* discussion I
should start so slap people on the wrist, and tell 'em to go play
somewhere else and find a list where it is bloody on-topic.

A short digression every now an then of course is OK. Why not. But a
lengthy, tiresome and eventually heated off-topic discussion -- is not.

I know I'm tired from repeatedly deleting clearly off-topic posts
without even caring to open them. Wonder how the majority of subscribers
feels about it.


Please, guys, let it go. If you *know* this ain't the right place, stop
it.

  guenther  -- one the still-friendly list admins you all love to yell
   for, when there's a mis-behaving subscriber

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4;
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1:
(c=*++x); c128  (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Off Topic - SPF - What a Disaster

LuKreme wrote:

On 25-Feb-2010, at 10:29, Marc Perkel wrote:

The anti-SPF bandwagon is not ego driven but results driven. Than you for
admitting that SPF in not a spam filtering solution. However it is also not a
white listing solution because as many people have said here - spammers are the
ones who are using SPF correctly.

If you blindly accept any email with a valid spf as being 'good' email then
your not understanding the system.

Here's where spf is useful. You have an emailer (a bank, a company, aol,
hotmail, whatever) that is a frequent target of spoofing. You can either spend
a lot of time and resources trying to catch the spoof emails while not trashing
the real ones, or you can enable spf.

Except that it breaks forwarded email.

So, if an email comes in to my mailspool from paypal.com and it passes spf, it is treated
as a normal message. It still goes through SA. But if it comes in from
paypal.com and DOESN'T pass spf, it instantly gets 5 points added to it because if it's
claiming to be from paypal AND it fails SPF, it is *not* from paypal.

If the host isn't a paypal server or it hasn't passed a paypal server
then it's bounced. All paypal email comes from *.paypal.com servers.

So, while SPF is *not* an anti-spam tool, in the case of paypal, and ebay, and
citibank (but not the mentally challenged lemurs at bankofamerica) the *lack*
of SPF become an anti-spam tool (more often a anti-phishing tool, really).

How any mailadmin can think this is a bad thing is staggering.

Agreed about Bank of America being brain dead.

I can see some theoretical benefits that if you have a list of banks with SPF
and you receive an email from an address that the bank lists then you can
safely pass it. But I find that an easier way to do that is to use FCrDNS to do
the same thing.

Which fails when you have someone that has multiple domains that may be sending mail
from the same organization. Mail to me from Citi may comes from any one of at
least 6 different domains, and the mailserver is not necessarily in the same domain.

Whitelist all 6 domains.

On the down site SPF breaks email forwarding

uh huh. For certain values of breaks and forwarding. Resend the message as
a rfc2822 attachment and... zomg, nothing is broken. Recipient gets the original unaltered message
and the SMTP process doesn't have to lie about who the sender of the message is. But that takes
some degree of effort on the part of mailserver, so it is widely ignored as it would constitute
work.

Also, keep in mind that SPF has THREE states. Pass, fail, soft fail.

$ dig kreme.com txt +short
v=spf1 mx include:covisp.net ~all

only my mx server or the specific domain covisp.net is allowed to send email
'from' my domain. No other host sending mail from my domain is to be considered
valid.

I could do, instead:

v=spf1 mx include:covisp.net ?all

This means, hey, my mx server or any machine at this domain will send mail for me.
If the email comes from there, SPF passes, but if it DIDN'T come from there, it
might still be me, so only do a soft fail. because sometimes I route my mail out
over gmail, or my friend ziggy.tld.

Many admins will reject both fail and soft-fail as failures, which is wrong.

As someone who forwards email what I see is this.

Sender has restrictive SPF.
Recipient server enforces SPF.
Mail coming through me bounces.

Then they call me to complain and I say, I didn't bounce it. Get rid of
your SPF nd your email will be received.

and it creates a false sense that people are doing something to fight spam or
protect ham that is not supported by reality. SPF has received intellectual
welfare because stuff that doesn't work tends to be culled out of spam assassin
and other than backscatter most people here are telling the SPF supporters that
it doesn't work. If SPF is becoming more popular it just means that more people
are misled.

SPF is becoming more popular because it is *effective* at what it does.

Currently I only use SPF within SA checks because it makes it trivial to catch
most of the phishing scams.

I'm not hearing from people in this forum who are saying it works. Even
those who are SPF evangelists can't point to any significant results in
either blocking spam or passing ham.

Can you catch phishing without false positives from forwarding where the
forwarder does not use SRS?

Re: Off Topic - SPF - What a Disaster




Kai Schaetzl wrote:

Jeff Koch wrote on Thu, 25 Feb 2010 15:08:46 -0500:

  

I disagree.



I don't know to what you disagree, but SPF is not an anti-spam tool. Full 
stop.


Kai

  


You say that here but in your last message you said:

 If SPF was adapted 99% (and always strict with no allowance of 
not-listed servers), then you could also do blacklisting based on this.


You can't have it both ways.

Which is another problem I have with SPF evangelists is that they say 
(now) that isn't not for blocking spam. But yet people are encouraged to 
use it to block spam. Everything else proposed here has to pass the 
reality test. It has to actually work. But for SPF we are lowering the 
bar for some reason. I don't see why SA has any SPF if it doesn't do 
anything.

Re: Off Topic - SPF - What a Disaster

2010-02-25 Thread Martin Gregorie

On Thu, 2010-02-25 at 15:19 -0800, Marc Perkel wrote:

 SPF will never be 99% adopted until it actually does something that is 
 significantly useful. Using it as a white list to bypass a grey list 
 isn't what I would call significantly useful. SPF fails the actually 
 works test.

But it DOES do something useful.

It reduces backscatter from spam that uses your domain as the forged
sender. And it does so without costing you more cycles than a DNS lookup
uses.

That's it. I've said my say. I'm out of this unnecessary pissing match
after saying to the OP who gratuitously started it: May the fleas from
a thousand camels infest your armpits.


Martin

Re: Off-topic? Off-list!


On 2/25/2010 6:26 PM, Karsten Bräckelmann wrote:

Please, guys, let it go. If you *know* this ain't the right place, stop
it.
   

+1

/Jason

Re: Off-topic? Off-list!


On Thu, 25 Feb 2010, Jason Bertoch wrote:


On 2/25/2010 6:26 PM, Karsten Bräckelmann wrote:

 Please, guys, let it go. If you *know* this ain't the right place,
 stop it.


+1


+1

Please take it to alt.advocacy.spf.headdesk.headdesk.headdesk

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You know things are bad when Pravda says we [the USA] have gone
  too far to the left. -- Joe Huffman
---
 139 days since President Obama won the Nobel Not George W. Bush prize

Re: Off Topic - SPF - What a Disaster

2010-02-25 Thread Lee Dilkie


Marc Perkel wrote:
 I'm not hearing from people in this forum who are saying it works.
 Even those who are SPF evangelists can't point to any significant
 results in either blocking spam or passing ham.


Well it's no magic bullet, but nothing is. I use SPF to try and make my
domain less a target for spammers to forge. I got hit with a massive
backscatter flood last week that killed my service and I changed my SPF
records to hardfail and had to notify my (few) clients to let them
know that they were now required to use my server for outgoing mail
(auth on port 587).

Only time will tell if helps. But I immediately saw the effect in the
bounce messages, domains like gmail were aware of the hardfail on their
spf check.

One of the problems is that in SA, an SPF_FAIL (hard) doesn't score much
above a SPF_SOFTFAIL but in my view it should. If an admin has made the
effort to setup a hardfail record, it should be trusted.

SPF_PASS shouldn't be trusted as far as spam processing, as we all know,
as spammers can setup valid SPF records. But it does help against
spambot's, doesn't it? It's hard to setup valid SPF records when you're
sending spam from a million infected machines.

-lee

Re: Off Topic - SPF - What a Disaster


On 2/25/2010 6:37 PM, Marc Perkel wrote:


A lot of posts with useless rants on a personal grievance against SPF


Marc,

I suspect you're not seeing a bunch of supporters of SPF post on this 
thread because most find it tiresome, bothersome, pointless, or all of 
the above.  I bit my lip until now for all of those reasons, but can't 
stand your continual whining.  You're clearly only mad at SPF because of 
the forwarding issue.  As has been stated in a multitude of threads over 
the years, including this one, SPF has its place for those that use it 
in the way it was intended.


Although, I agree that FCrDNS is very useful, I'm also aware that it's 
just another tool in the box.  For some unfortunate reason, many 
providers don't allow changes to PTR records to accommodate their 
customers.  SPF provides an alternate means by which domain owners can 
publish useful mail source information on their own, regardless of 
provider cooperation/competence.


Forwarding off-site has essentially been deprecated since spam filtering 
began and the wide-spread availability of mail submission ports/relaying 
via authentication.  SPF isn't your problem, it's your ego.  If you 
proxy your connections, like the rest of your [much] bigger competitors 
do, the forwarding issue goes away.  Or, if you don't feel like coding, 
ask your customers to use the SPF include directive where you can 
publish additional allowable servers.  SPF simply isn't the problem, 
please stop whining.


/out

Re: Off Topic - SPF - What a Disaster




Jason Bertoch wrote:

On 2/25/2010 6:37 PM, Marc Perkel wrote:


A lot of posts with useless rants on a personal grievance against SPF


Marc,

I suspect you're not seeing a bunch of supporters of SPF post on this 
thread because most find it tiresome, bothersome, pointless, or all of 
the above.  I bit my lip until now for all of those reasons, but can't 
stand your continual whining.  You're clearly only mad at SPF because 
of the forwarding issue.  As has been stated in a multitude of threads 
over the years, including this one, SPF has its place for those that 
use it in the way it was intended.


Although, I agree that FCrDNS is very useful, I'm also aware that it's 
just another tool in the box.  For some unfortunate reason, many 
providers don't allow changes to PTR records to accommodate their 
customers.  SPF provides an alternate means by which domain owners can 
publish useful mail source information on their own, regardless of 
provider cooperation/competence.


Forwarding off-site has essentially been deprecated since spam 
filtering began and the wide-spread availability of mail submission 
ports/relaying via authentication.  SPF isn't your problem, it's your 
ego.  If you proxy your connections, like the rest of your [much] 
bigger competitors do, the forwarding issue goes away.  Or, if you 
don't feel like coding, ask your customers to use the SPF include 
directive where you can publish additional allowable servers.  SPF 
simply isn't the problem, please stop whining.


/out



The forward issue is definitely an annoyance. But SPF has a problem in 
that as the supporters admit, it doesn't block spam, and it can't be 
used as a white rule because spammers often use SPF correctly. I'm not 
sure what you mean that forwarding has been depricated. Lots of people 
forward email for a lot of different reasons. I don't understand what 
you mean.

Re: Off Topic - SPF - What a Disaster


On 2/25/2010 8:08 PM, Marc Perkel wrote:


The forward issue is definitely an annoyance. But SPF has a problem in 
that as the supporters admit, it doesn't block spam, and it can't be 
used as a white rule because spammers often use SPF correctly. I'm not 
sure what you mean that forwarding has been depricated. Lots of people 
forward email for a lot of different reasons. I don't understand what 
you mean.




SPF wasn't meant to block spam, please stop asserting that.  It may 
prove useful as part of an overall spam fighting solution, but that's 
not the point of the original design.  Just as FCrDNS has proven to be a 
useful tool in spam fighting, it was never intended to be used that way 
either.  Off-site forwarding has been deprecated, mostly due to spam 
fighting methods, but for many other good reasons too.


Every modern mail solution allows an account holder to pop/imap to 
another account to pull in mail from somewhere else.  Forwarding only 
assists the lazy and breaks spam filtering.  If there wasn't another 
option, sure, off-site forwarding would still be 
needed/wanted/required.  That's just not the case anymore, and fighting 
it causes greater loss of service than adopting it.  Spam filtering is 
simply more important than handling the exception cases where someone 
refuses to pull in mail from somewhere else.


I understand this doesn't match the design of your service, but that 
doesn't make SPF wrong for the reasons you state.  Off-site forwarding 
is old technology and old thinking.  Solutions exist to fix your 
problem, as I stated previously.   SPF may break forwarding, but 
forwarding breaks spam filtering...and what's more important when 
there's already a plethora of solutions to deal with forwarding?


/out

Bayes and Time of Day

Although I grasp the concept of Bayes in the SA system, I don't fully 
understand how and which tokens it grabs from mails passed through SA.  
Although many servers deal with 24-hour customers, mine is 98% business 
only 8AM to 5PM.  Does the SA Bayes system even look at time of day for 
tokens?  I wonder if I'd be able to more strongly scrutinize mails 
outside of normal business hours.  Thoughts?


/Jason

Re: .qmail

2010-02-25 Thread alexus

On Thu, Feb 25, 2010 at 2:57 AM, Toni Mueller
support-spamassas...@oeko.net wrote:

 Hi,

 On Wed, 24.02.2010 at 22:18:04 -0500, alexus ale...@gmail.com wrote:
 On Wed, Feb 24, 2010 at 4:49 AM, Toni Mueller 
 support-spamassas...@oeko.net wrote:
  On Tue, 23.02.2010 at 14:08:30 -0500, alexus ale...@gmail.com wrote:
  is there a way to put sa-learn --spam inside of .qmail?
 -bash-3.2# man preline
 No manual entry for preline
 -bash-3.2#

 look for the man pages included with your qmail* package.

 $ cat .qmail
 | /var/qmail/bin/preline /usr/bin/procmail


 Kind regards,
 --Toni++


-bash-3.2# man -M /var/qmail/man/ preline

okay, i found man for preline...

-- 
http://alexus.org/

Re: Off Topic - SPF - What a Disaster