Re: all emails are tagged SPAM

2008-03-27 Thread SM

At 23:03 26-03-2008, Umar Murtaza wrote:
I have SpamAssassin 3.2.4 running on RedHat. It has been running fine, 
until last night when all the emails started getting tagged as SPAM.


Any idea where I should start looking?

I am using:

sendmail-cf-8.13.1-3.2.el4
sendmail-8.13.1-3.2.el4
mailscanner-4.62.9-3


Mailscanner is using the relays.ordb.org DNSBL.  That DNSBL is 
returning a positive response for all queries which is why all your 
emails are being tagged as Spam.  Remove that DNSBL from your 
Mailscanner configuration.


Regards,
-sm 



Re: SORBS_DUL

2008-03-27 Thread mouss

James Gray wrote:

[snip]
According to SORBS:

Netblock:202.147.75.0/26 (202.147.75.0-202.147.75.63)
Record Created:Thu May 11 02:23:32 2006 GMT
Record Updated:Thu May 11 02:23:32 2006 GMT
Additional Information:[MU] Dynamic/Generic IP/rDNS address, use 
your ISPs mail server or get rDNS set to indicate static assignment.


The entire 202.147.74.0/23 block has *NEVER* been part of a dynamic 
range and was purchased as part of our /19 back in 1999 (or maybe 
2000...before my time with this company anyway) when that address 
range was first made available by APNIC.  Some of the other class-C's 
in our /19 have been used for a long-since-sold ISP business, but not 
the 202.147.74.0/23 block.


There are only a few externally exposed MTAs in that range (although 
our mail cluster is quite large).  The ones really biting us on the 
arse are:

202.147.74.51  (also listed on DUHL, but on a 202.147.74.0/26)
202.147.75.20
202.147.75.21


The last two don't resolve from here. Make sure you have a PTR and try 
delisting them individually first. Use a large TTL in these PTRs. Once 
all your problems are solved, you can switch back to whatever TTL you want.


The .51 seems ok to me, but if you can, do increase the TTLs in:
ns1.viperplatform.net.au. 436   IN  A   202.147.74.80
ns2.viperplatform.net.au. 436   IN  A   202.147.74.81

small TTLs resemble fast flux and may look suspicious. (besides, a small 
TTL for NS records is unusual).


The idea is to maximize chances that the sorbs robot delists these IPs.



Do your own queries and whois lookups...but these address blocks are 
INCORRECTLY LISTED BY SORBS and they refuse (yes, I've heard from 
them) to remove them.  Apparently because our inbound and outbound 
MTAs don't use the same addresses!  I have no idea what crack-monkey 
at SORBS wrote that, but that was the response we got in relation to 
our request to remove our IPs.


There may be some misunderstanding between you and them (or between you 
and their robot?). I understand that this is annoying, but I think 
you'll get better results by staying calm and doing some efforts until 
your issues are solved.


PS. If you ever post on a sorbs mailing list, don't use the words you 
used here ;-p





I hope that clears it up :)

Cheers,

James
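
The checks mouss describes above (a PTR that exists, resolves back to the address, is not a generic or dynamic-looking name, and carries a long TTL), as an added example in Python; this is not SORBS' or SpamAssassin's code. It runs offline against constructed records in the 198.51.100.0/24 documentation range with invented hostnames. The `dnspython_lookup` function, which assumes the dnspython package is installed, is the real resolver for your own MTA addresses. The generic-name pattern is an assumption about what rDNS-based lists key on, not SORBS' actual rule.

```python
"""Check the DNS hygiene that dynamic-IP lists such as SORBS DUL key on.

Added example, not SORBS' or SpamAssassin's code. For each outbound MTA
address: a PTR must exist; its name must resolve back to the address
(forward-confirmed rDNS); the name must not look generic/dynamic; and the
PTR and A records should carry a long TTL (short TTLs resemble fast flux).
DNS access is injected so the sample runs offline against constructed data.
"""
import ipaddress
import re
from typing import Callable, Dict, List, Tuple

Record = Tuple[str, int]                      # (rdata, ttl)
Lookup = Callable[[str, str], List[Record]]   # (qname, rrtype) -> records, [] if none

MIN_TTL = 86400  # one day, per the thread's "~1 day or more" for stable records

# Assumed hostname shapes that rDNS-based lists treat as dynamic/generic:
# provider keywords, or the IP address spelled into the label.
GENERIC_RE = re.compile(
    r"(?i)(^|[.-])(dyn|dynamic|dhcp|dsl|adsl|cable|ppp|pool|dial(up)?)([.-]|\d)"
)


def reverse_name(ip: str) -> str:
    """198.51.100.20 -> 20.100.51.198.in-addr.arpa (IPv4 only here)."""
    return ipaddress.ip_address(ip).reverse_pointer


def looks_generic(ptr: str, ip: str) -> bool:
    octets = ip.split(".")
    forward = re.search(r"[.-]".join(octets), ptr)
    backward = re.search(r"[.-]".join(reversed(octets)), ptr)
    return bool(GENERIC_RE.search(ptr) or forward or backward)


def check_mta_ip(ip: str, lookup: Lookup) -> Dict[str, object]:
    """Return findings for one address; 'problems' is empty when it passes."""
    problems: List[str] = []
    ptrs = lookup(reverse_name(ip), "PTR")
    if not ptrs:
        return {"ip": ip, "ptr": None, "problems": ["no PTR record"]}
    name, ptr_ttl = ptrs[0]
    name = name.rstrip(".")
    if len(ptrs) > 1:
        problems.append("multiple PTR records")
    if looks_generic(name, ip):
        problems.append(f"generic/dynamic-looking name {name!r}")
    a_records = lookup(name, "A")
    if ip not in [addr for addr, _ in a_records]:
        problems.append(f"{name} does not resolve back to {ip} (FCrDNS fails)")
    for label, ttl in [("PTR", ptr_ttl)] + [("A", t) for _, t in a_records]:
        if ttl < MIN_TTL:
            problems.append(f"{label} TTL {ttl}s is below {MIN_TTL}s")
    return {"ip": ip, "ptr": name, "problems": problems}


# Constructed zone data: documentation-range addresses, invented names.
FAKE_ZONE = {
    ("20.100.51.198.in-addr.arpa", "PTR"): [("mx1.example.net.", 86400)],
    ("mx1.example.net", "A"): [("198.51.100.20", 86400)],
    ("21.100.51.198.in-addr.arpa", "PTR"): [("mx2.example.net.", 436)],
    ("mx2.example.net", "A"): [("198.51.100.99", 436)],
    ("51.100.51.198.in-addr.arpa", "PTR"): [("dsl-198-51-100-51.example.net.", 86400)],
    ("dsl-198-51-100-51.example.net", "A"): [("198.51.100.51", 86400)],
}


def fake_lookup(qname: str, rrtype: str) -> List[Record]:
    return FAKE_ZONE.get((qname.rstrip("."), rrtype), [])


def dnspython_lookup(qname: str, rrtype: str) -> List[Record]:
    """Real lookups via dnspython (assumed installed); used only when run as a script."""
    import dns.resolver
    try:
        answer = dns.resolver.resolve(qname, rrtype)
    except (dns.resolver.NXDOMAIN, dns.resolver.NoAnswer):
        return []
    return [(r.to_text(), answer.rrset.ttl) for r in answer]


if __name__ == "__main__":
    import sys
    lookup = dnspython_lookup if len(sys.argv) > 1 else fake_lookup
    for ip in sys.argv[1:] or ["198.51.100.20", "198.51.100.21", "198.51.100.51", "198.51.100.22"]:
        result = check_mta_ip(ip, lookup)
        print(ip, result["ptr"], "; ".join(result["problems"]) or "OK")
```

Run it with your MTA addresses as arguments to use real DNS; without arguments it walks the constructed records, where .20 passes, .21 fails FCrDNS and has the 436-second TTLs from the thread, .51 has a generic name, and .22 has no PTR at all.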





Re: SORBS_DUL

2008-03-27 Thread James Gray

Matus UHLAR - fantomas wrote:

On 25.03.08 07:57, James Gray wrote:
Why are rules that look up against this list still in the base of 
SpamAssassin?? The SORBS dynamic list is so poorly maintained that it's 
practically useless



Matus UHLAR - fantomas wrote:

I don't find it useless. It works quite well


On 26.03.08 08:23, James Gray wrote:

Unless you receive mail from any of our customers.


Actually I don't - they are listed in SORBS DUL...


Precisely my point.  You incorrectly reject their mail as SORBS tells 
you it's a dynamic IP.  They aren't, and never have been, dynamically 
allocated to anyone.



while no RFC forces setting of a TTL, some of them advise values ~1 day or
more for records that do not change that often. Having TTL 3600 for normal
records imho indicates just what SORBS points out. I wouldn't trust you
either.


See my other post today.  The TTLs were dropped recently (January 2008) 
to accommodate the move of equipment/IP/etc from one co-lo to another. 
They are now back up to more normal values.  The blocks that have been 
listed have never been, and will never be, used in any dynamic addressing 
scheme, yet were listed anyway - according to you, because of short 
TTLs.  As I have stated, the TTLs were dropped recently and restored 
back recently but the SORBS listing was made in 2006 - long before I 
started with this company and long before the recent co-lo move.


Why? Can you remove them from the SORBS_DUL?  No, then it's not really 
relevant then is it ;)


I was trying to help you find the real problem. If you don't want help, stop
bitching.


I didn't ASK FOR HELP! I asked what people's thoughts were on keeping a 
list like SORBS_DUL in the base/default spamassassin rules.  I'm quite 
capable of fixing the mess I inherited.



I have seen more requests here to stop using some blacklists because the
requestor was unable to understand something. I think this is just another
case...


You know nothing about me.  You assume I engineered the mess that is the 
DNS system I'm currently unravelling.  I didn't.  It was a dog's 
breakfast when I started and I'm slowly sorting the mess out.



If you tried using their support forum to delist IPs that did not meet their
delisting criteria, I don't wonder if they reject it without providing
(other) reason.


Forum?  Or support request page?  People keep referring to this nebulous 
SORBS support forum. I only see their website:

https://www.us.sorbs.net/faq/supportreq.shtml


using sorbs is quite efficient, the scores say it all. If you (and other
ISPs' DNS admins) were able to configure DNS properly, they would be even
more efficient without false positives.


I am perfectly capable of configuring DNS.  In fact over the last 15 
years or so that I've been doing DNS/MTA admin on Unix-based systems, a 
lot of my work as a contractor and as an incumbent admin is fixing 
messes left by previous admins.  I'm currently stuck with a /19, /20 and 
a few stand-alone class Cs that are all a complete debacle.  It's odd 
that other lists have automatically, and rapidly, de-listed the odd IP 
here and there, without me needing to jump through hoops.


SORBS make life hard for people to be de-listed: it's their idea of how 
DNS/MTA's should be managed, or you can talk to the virtual hand.  That 
is my beef.


Why are you so adamant about defending them?  There are plenty of other 
(better IMHO) RBLs that are far more effective in filtering spam and 
other nasties.


Peace,

James




Re: all emails are tagged SPAM

2008-03-27 Thread Umar Murtaza


Thanks, that solved the problem.

I had that entry under /etc/MailScanner/spam.lists.conf

ORDB-RBL   relays.ordb.org.

Removing/commenting it out solved the problem.

I hope MailScanner's daily update will not revert these settings.


Umar


Umar Murtaza [EMAIL PROTECTED] wrote: Strange, I did not make any change and 
this thing suddenly started. 
Has MailScanner started this lately?

Umar

SM [EMAIL PROTECTED] wrote: At 23:03 26-03-2008, Umar Murtaza wrote:
I have SpamAssassin 3.2.4 running on RedHat. It has been running fine, 
until last night when all the emails started getting tagged as SPAM.

Any idea where I should start looking?

I am using:

sendmail-cf-8.13.1-3.2.el4
sendmail-8.13.1-3.2.el4
mailscanner-4.62.9-3

Mailscanner is using the relays.ordb.org DNSBL.  That DNSBL is 
returning a positive response for all queries which is why all your 
emails are being tagged as Spam.  Remove that DNSBL from your 
Mailscanner configuration.

Regards,
-sm 


   


Re: SORBS_DUL

2008-03-27 Thread mouss

James Gray wrote:

[snip]
I didn't ASK FOR HELP! I asked what people's thoughts were on keeping 
a list like SORBS_DUL in the base/default spamassassin rules.  I'm 
quite capable of fixing the mess I inherited.




As long as
- it doesn't cause FPs
- it helps catch spam
- it is free for use/access
it's good to have it.

I don't think this is what bothers you. I think you are angry because 
some people use sorbs in their MTA and thus reject your mail. 
spamassassin is score based, so even if you're listed, this is not 
enough to make your mail tagged as spam.


I have seen more requests here to stop using some blacklists because the
requestor was unable to understand something. I think this is just another
case...


You know nothing about me.  You assume I engineered the mess that is 
the DNS system I'm currently unravelling.  I didn't.  It was a dog's 
breakfast when I started and I'm slowly sorting the mess out.


If you tried using their support forum to delist IPs that did not meet their
delisting criteria, I don't wonder if they reject it without providing
(other) reason.


Forum?  Or support request page?  People keep referring to this 
nebulous SORBS support forum. I only see their website:

https://www.us.sorbs.net/faq/supportreq.shtml


while not a support forum, the [EMAIL PROTECTED] list may be a good 
place to ask

   https://www.us.sorbs.net/lists.shtml

 [snip]



Re: all emails are tagged SPAM

2008-03-27 Thread Matt Kettler

Umar Murtaza wrote:



Thanks, that solved the problem.

I had that entry under /etc/MailScanner/spam.lists.conf

ORDB-RBL   relays.ordb.org.

Removing/commenting it out solved the problem.
Well, that introduces another problem. Really you need to remove 
ORDB-RBL from your Spam List = in MailScanner.conf.


The spam.lists.conf really only declares that ORDB exists. The Spam 
List setting tells MailScanner to use it.


By removing the declaration, you've disabled it, but only because 
there's now a syntax error in your Spam List setting..




I hope MailScanners daily update will not revert this settings back.
I doubt any MailScanner update will do that. AFAIK ORDB hasn't been 
enabled in the MailScanner default configuration for well over a year 
now. (ORDB actually died in 2006) It's still in the current 
spam.lists.conf, but there's a note there that it's dead to warn people 
off adding it to the Spam List setting.


While we're at it.. What daily update? I've been a MailScanner user for 
years and have yet to see such a thing.


Also, when you do upgrade MailScanner versions, it generally doesn't 
replace your MailScanner.conf. Instead there's that upgrade script you 
have to manually run to merge new settings in. That's probably why you 
still have ORDB in your config. MailScanner doesn't like over-riding 
settings, so you've probably been carrying that setting forward since 
you installed.


Re: SORBS_DUL

2008-03-27 Thread Matt Kettler

James Gray wrote:


Sorbs sux, don't use it.  Last time we had this problem they wanted 
money (and not an insignificant amount either) to remove a listing 
from their systems.  They arbitrarily add addresses to a database the 
IP's owner can't control, then demand money to remove the listing; 
where I come from, that's called extortion.
SORBS is an Australian entity, so they're local to you, at least in a 
legal system sense..  If it is extortion in your legal system, you might 
want to take advantage of that fact.


Regardless,  what matters from a spamassassin perspective is the 
accuracy of the list. That's the primary criteria that will get a list 
kicked out.


SORBS-DUL is one of the most accurate RBLs spamassassin uses in the 
mass-check tests. 99.4% of its hits are spam. This beats out all other 
RBLs in spamassassin's config except PBL (which ties it), XBL, and 4 
lists with very low hit rates that wound up with no nonspam hits.


If it's really as arbitrary and random as you claim, how's it so 
accurate in real world tests?


Personally, it sounds like they listed you, and you've got a personal 
beef. The real world tests don't support your claims that it's operated 
on an arbitrary basis.





Re: SORBS_DUL

2008-03-27 Thread James Gray

Matt Kettler wrote:

James Gray wrote:


Sorbs sux, don't use it.  Last time we had this problem they wanted 
money (and not an insignificant amount either) to remove a listing 
from their systems.  They arbitrarily add addresses to a database the 
IP's owner can't control, then demand money to remove the listing; 
where I come from, that's called extortion.
SORBS is an Australian entity, so they're local to you, at least in a 
legal system sense..  If it is extortion in your legal system, you might 
want to take advantage of that fact.


Yes I'm aware of that :-/  Embarrassing isn't it?  Unfortunately, being 
on SORBS_DUL doesn't impact us directly, and despite the claims that 
removal is free, the reality is proving to be quite different.


Regardless,  what matters from a spamassassin perspective is the 
accuracy of the list. That's the primary criteria that will get a list 
kicked out.


Indeed.  Having not used SORBS, and not missing them, I have no stats of 
my own to confirm or deny the accuracy of the list.  Only that our IP 
blocks have been listed and we have been given no explanation why; only 
that we must overhaul our DNS and MTA systems to suit SORBS, then maybe 
they will delist us.


SORBS-DUL is one of the most accurate RBLs spamassassin uses in the 
mass-check tests. 99.4% of its hits are spam. This beats out all other 
RBLs in spamassassin's config except PBL (which ties it), XBL, and 4 
lists with very low hit rates that wound up with no nonspam hits.


See above.

If it's really as arbitrary and random as you claim, how's it so 
accurate in real world tests?


No idea.  I'd hazard a guess that the previous admin's actions at some 
point got us listed; but he's moved to the opposite side of the country 
and the silence from SORBS as to why we were listed in the first place 
leaves me with one of two conclusions: previous admin screwed up royally 
(possible but unlikely), SORBS listed our IP's without fair justification.


Personally, it sounds like they listed you, and you've got a personal 
beef. The real world tests don't support your claims that it's operated 
on an arbitrary basis.


I've just got customers (ISPs) on my back to get the MTAs' IPs off the 
list.  SORBS are being about as unco-operative as I've ever experienced 
in my years as an admin.  My frustrations are firmly aimed at the one 
body that is causing me pain: SORBS.  When all this is over, I still 
won't use SORBS :)


We've crossed paths on other lists Matt, thanks for your objectivity.  I 
need sleep and some quiet (from the customers and management) so maybe 
some of my comments regarding SORBS have been a little harsh.  Interestingly 
the customers (mostly APAC ISP wholesalers) *all* have similar 
opinions of SORBS as an entity to interact with.


Cheers,

James




Re: SA-update error

2008-03-27 Thread Matt Kettler

Dennis Clark wrote:

Using SpamAssassin 3.1.8.  I haven't updated SA in about six months.  Ran sa-update -D 
using the default channel of updates.spamassassin.org, received error "new version 
is 585884, skipped channel".

What exactly is going wrong here.  Has the sa update default channel been 
changed?
  
No, but there also haven't been any sa-updates posted to 3.1.x in a long 
time, so I wouldn't be surprised to find you're already up to date for 
that version.


We've been on the 3.2.x series since May of last year. The current 
release is 3.2.4, and 3.3.0 is starting to show signs of forming on the 
horizon.











Re: all emails are tagged SPAM

2008-03-27 Thread Umar Murtaza

Hmmm, it looks pretty much messed up. I have the following lines for Spam List 
which are probably related to the present issue:

---
Spam List Definitions = %etc-dir%/spam.lists.conf
Spam List = ORDB-RBL SBL+XBL # You can un-comment this to enable them
---


I think I should change the second line to:
Spam List = SBL+XBL


and my current %etc-dir%/spam.lists.conf has following entries:

-
# This file translates the names of the spam lists and spam domains lists
# into the real DNS domains to search.

# There is a far more comprehensive list of these at
# http://www.declude.com/JunkMail/Support/ip4r.htm
# and you can easily search them all at www.DNSstuff.com.

# If you want to search other DNSBL's you will need to define them here first,
# before referring to them by name in mailscanner.conf (or a rules file).

spamhaus.org            sbl.spamhaus.org.
spamhaus-XBL            xbl.spamhaus.org.
spamhaus-PBL            pbl.spamhaus.org.
spamhaus-ZEN            zen.spamhaus.org.
SBL+XBL                 sbl-xbl.spamhaus.org.
spamcop.net             bl.spamcop.net.
NJABL                   dnsbl.njabl.org.

# ORDB has been shut down.
#ORDB-RBL               relays.ordb.org.

#Infinite-Monkeys       proxies.relays.monkeys.com.
#osirusoft.com          relays.osirusoft.com.
# These two lists are now dead and must not be used.

# MAPS now charge for their services, so you'll have to buy a contract before
# attempting to use the next 3 lines.

MAPS-RBL                blackholes.mail-abuse.org.
MAPS-DUL                dialups.mail-abuse.org.
MAPS-RSS                relays.mail-abuse.org.

# This next line works for JANET UK Academic sites only

MAPS-RBL+               rbl-plus.mail-abuse.ja.net.

# And build a similar list for the RBL domains that work on the name
# of the domain rather than the IP address of the exact machine that
# is listed. This way the RBL controllers can blacklist entire
# domains very quickly and easily.
# These aren't used by default, as they slow down MailScanner quite a bit.

RFC-IGNORANT-DSN        dsn.rfc-ignorant.org.
RFC-IGNORANT-POSTMASTER postmaster.rfc-ignorant.org.
RFC-IGNORANT-ABUSE      abuse.rfc-ignorant.org.
RFC-IGNORANT-WHOIS      whois.rfc-ignorant.org.
RFC-IGNORANT-IPWHOIS    ipwhois.rfc-ignorant.org.
RFC-IGNORANT-BOGUSMX    bogusmx.rfc-ignorant.org.

# Easynet are closing down, so don't use these any more
Easynet-DNSBL           blackholes.easynet.nl.
Easynet-Proxies         proxies.blackholes.easynet.nl.
Easynet-Dynablock       dynablock.easynet.nl.

# This list is now dead and must not be used.
#OSIRUSOFT-SPEWS        spews.relays.osirusoft.com.

# These folks are still going strong
SORBS-DNSBL             dnsbl.sorbs.net.
SORBS-HTTP              http.dnsbl.sorbs.net.
SORBS-SOCKS             socks.dnsbl.sorbs.net.
SORBS-MISC              misc.dnsbl.sorbs.net.
SORBS-SMTP              smtp.dnsbl.sorbs.net.
SORBS-WEB               web.dnsbl.sorbs.net.
SORBS-SPAM              spam.dnsbl.sorbs.net.
SORBS-BLOCK             block.dnsbl.sorbs.net.
SORBS-ZOMBIE            zombie.dnsbl.sorbs.net.
SORBS-DUL               dul.dnsbl.sorbs.net.
SORBS-RHSBL             rhsbl.sorbs.net.
# These next 2 are Spam Domain List entries and not Spam Lists
SORBS-BADCONF           badconf.rhsbl.sorbs.net.
SORBS-NOMAIL            nomail.rhsbl.sorbs.net.

# Some other good lists

CBL                     cbl.abuseat.org.
DSBL                    list.dsbl.org.
--


I am still not confident about what this change will give me.





Matt Kettler [EMAIL PROTECTED] wrote: Umar Murtaza wrote:


 Thanks, that solved the problem.

 I had that entry under /etc/MailScanner/spam.lists.conf

 ORDB-RBL   relays.ordb.org.

 Removing/commenting it out solved the problem.
Well, that introduces another problem. Really you need to remove 
ORDB-RBL from your Spam List = in MailScanner.conf.

the spam.lists.conf really only declares that ordb exists. The Spam 
List setting tells MailScanner to use it.

By removing the declaration, you've disabled it, but only because 
there's now a syntax error in your Spam List setting..


 I hope MailScanners daily update will not revert this settings back.
I doubt any MailScanner update will do that. AFAIK ORDB hasn't been 
enabled in the MailScanner default configuration for well over a year 
now. (ORDB actually died in 2006) It's still in the current 
spam.lists.conf, but there's a note there that it's dead to warn people 
off adding it to the Spam List setting.

While we're at it.. What daily update? 

Re: spamd stops after about 90 seconds?

2008-03-27 Thread Justin Mason

Skip writes:
 That looks like it is the problem.  I have sent BH an email asking them
 about it.  By any chance do you know the name of the watchdog program
 that they run to keep an eye on the user processes?  Or is it something
 compiled into the kernel?  I have seen where sometimes depending on who
 you get a hold of in tech support, they don't even know what their own
 boxes are running and doing.

not a clue, I'm afraid.

 Justin Mason wrote:
 
  Skip writes:
   
 
  What do you know?  I got permission from my web and email hosting
  company (BlueHost) to run my own spamd process.  Cool! Now I can have a
  lot more control over the processing of my incoming mail, and I have
  access to the logs!  Well, after starting spamd, I was surprised after a
  couple of minutes when it mysteriously wasn't running any more.  After
  running some experiments, it seems it is indeed stopping after just over
  a minute.  Here's the command line I'm using to start spamd:
 
  spamd  -d -i 127.0.0.1 -p 6615  -C /home//.spamassassin
  --siteconfigpath=/home//.spamassassin
  --virtual-config-dir=/home//.spamassassin/%l -s
  /home//.spamassassin/spamd.log --user-config -D -u 
  --pidfile=/home//.spamassassin/spamd.pid --timeout-tcp=0
  --timeout-child=0
 
  I tried it without the last two timeout parameters and they don't seem
  to have any effect on this, and looking over the documentation, I
  wouldn't have expected them to.
 
  Is this a normal behavior of spamd, that if it doesn't see any action
  from spamc for a while, it just quits?  By the way, I don't see anything
  in the log that tells me spamd is shutting down or anything like that.
 
  I have been able to feed spamd some spam and it worked--I saw the scores
  and everything, but again, a short time after I did the test, alas,
  spamd shut down again.
 
  What did I miss?
  
 
  that sounds a *lot* like Bluehost's automated CPU time limiting apps
  shutting it down.  Use strace -p to trace the process activity around
  the 90 second mark, and see if it's getting a signal.
 
  --j.
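
Justin's suggestion is `strace -p` on the running spamd around the 90 second mark. An added example (not spamd's or the hosting provider's code) of the cheaper outside-in check: run the daemon in the foreground (spamd without `-d`) under a small watcher that reports whether it exited on its own or was killed, and by which signal. A host watchdog shows up as SIGKILL or SIGTERM, a crash as SIGSEGV or SIGABRT, a clean shutdown as an exit code, all of which the daemon's own log may never mention. The demo command is a shell that kills itself, standing in for spamd, so the example runs anywhere.

```python
"""Report how a foreground process ends: its exit code, or the signal that killed it.

Added example, not spamd's code. Run the daemon without -d so this process
is its parent; the process id is returned alongside the verdict so you can
still attach `strace -p <pid>` while it runs.
"""
import signal
import subprocess
import time
from typing import List, Optional, Tuple


def watch(argv: List[str], timeout: Optional[float] = None) -> Tuple[str, str, float]:
    """Run argv and return (how, detail, seconds).

    how is 'exited' (detail: exit code), 'signaled' (detail: signal name) or
    'alive' when the process outlived the timeout, which is the healthy
    outcome for a daemon; in that case it is terminated before returning.
    """
    start = time.monotonic()
    proc = subprocess.Popen(argv)
    try:
        rc = proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        proc.terminate()
        proc.wait()
        return "alive", str(proc.pid), time.monotonic() - start
    elapsed = time.monotonic() - start
    if rc < 0:  # POSIX convention in subprocess: negative returncode == killed by signal -rc
        return "signaled", signal.Signals(-rc).name, elapsed
    return "exited", str(rc), elapsed


if __name__ == "__main__":
    # Constructed demo: a shell that terminates itself with SIGTERM after one
    # second, standing in for spamd being killed by a hosting watchdog.
    how, detail, secs = watch(["sh", "-c", "sleep 1; kill -TERM $$"])
    print(f"{how} {detail} after {secs:.1f}s")
```

If the verdict is `signaled SIGKILL` at a suspiciously regular interval, something outside the process is enforcing a limit and no spamd option will fix it; `exited` with a non-zero code points back at spamd's own configuration.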


Re: all emails are tagged SPAM

2008-03-27 Thread Matt Kettler

Umar Murtaza wrote:


Hmmm, it looks pretty much messed up. I have the following lines for 
Spam List which are probably related to the present issue:


---
Spam List Definitions = %etc-dir%/spam.lists.conf
Spam List = ORDB-RBL SBL+XBL # You can un-comment this to enable them
---


I think I should change the second line to:
Spam List = SBL+XBL
That would be correct. Unless you wish to make other changes to the list 
of RBLs MailScanner will check and trust absolutely as a spam criteria 
(without any regard for what SpamAssassin has to say about the message).



and my current %etc-dir%/spam.lists.conf has following entries:


snip, long list of the standard file from MailScanner

Looks normal, and appears to be the standard file other than ORDB is 
commented out.

--


I am still not confident in what this change will give me?
It will give you a disabled list. One that is disabled the proper way... 
(and less likely to show config errors in MailScanner's lint mode)


The spam.lists.conf file is intended to define a list of valid options 
that can be declared in the Spam List setting, nothing more. Having 
something present in the file doesn't enable it.


By removing ORDB from spam.lists.conf, you're essentially causing 
MailScanner to ignore the request to use ORDB, but only because it no 
longer knows what ORDB is. It's better to not ask MailScanner to use it 
at all.
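
An added example (not MailScanner's or SpamAssassin's code) that turns SM's diagnosis at the top of the page and Matt Kettler's two points above into a check you can run before MailScanner does: every name in `Spam List` must be declared in `spam.lists.conf`, and each enabled zone must answer the conventional DNSBL test entries, 127.0.0.2 listed and 127.0.0.1 never listed (a zone that lists 127.0.0.1 is answering positive for everything, which is what relays.ordb.org did once ORDB shut down). The configuration excerpt and the DNS answers below are constructed; `live_resolver` is the real lookup.

```python
"""Audit the DNSBLs a MailScanner "Spam List" setting enables.

Added example, not MailScanner's code. Two checks from the thread:
  1. every name in "Spam List" must be declared in spam.lists.conf; an
     undeclared name is a config error, not a disabled list;
  2. each zone must answer the conventional test entries: 127.0.0.2 is
     always listed (proves the zone is alive) and 127.0.0.1 is never
     listed (a zone that lists it answers positive for everything).
DNS is injected so the sample runs offline; live_resolver is the real one.
"""
import socket
from typing import Callable, Dict, List, Optional

# Constructed excerpt of spam.lists.conf in the file's real layout:
# "<name> <whitespace> <zone>", and '#' starts a comment. ORDB is still
# declared here, as on a box where nobody has commented it out yet.
SPAM_LISTS_CONF = """\
# name              zone
SBL+XBL             sbl-xbl.spamhaus.org.
spamcop.net         bl.spamcop.net.
ORDB-RBL            relays.ordb.org.
Infinite-Monkeys    proxies.relays.monkeys.com.
"""

# Constructed MailScanner.conf line; NJABL is deliberately not declared above.
SPAM_LIST_SETTING = "Spam List = ORDB-RBL SBL+XBL Infinite-Monkeys NJABL # enable lists here"

Resolver = Callable[[str], Optional[str]]  # hostname -> A record, or None for NXDOMAIN


def parse_spam_lists_conf(text: str) -> Dict[str, str]:
    """Map list names to DNS zones; commented-out and blank lines are ignored."""
    zones = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, zone = line.split(None, 1)
        zones[name] = zone.strip().rstrip(".")
    return zones


def parse_spam_list_setting(line: str) -> List[str]:
    """Names enabled by 'Spam List = ...'; the trailing '#' comment is not part of the value."""
    value = line.split("=", 1)[1].split("#", 1)[0]
    return value.split()


def reversed_octets(ip: str) -> str:
    return ".".join(reversed(ip.split(".")))


def check_zone(zone: str, resolve: Resolver) -> str:
    """Return 'ok', 'dead' (nothing for 127.0.0.2) or 'lists-everything' (127.0.0.1 listed)."""
    if resolve(f"{reversed_octets('127.0.0.1')}.{zone}") is not None:
        return "lists-everything"
    if resolve(f"{reversed_octets('127.0.0.2')}.{zone}") is None:
        return "dead"
    return "ok"


def audit(conf_text: str, setting_line: str, resolve: Resolver) -> Dict[str, str]:
    """One verdict per enabled name: 'undeclared', 'ok', 'dead' or 'lists-everything'."""
    zones = parse_spam_lists_conf(conf_text)
    verdicts = {}
    for name in parse_spam_list_setting(setting_line):
        zone = zones.get(name)
        verdicts[name] = "undeclared" if zone is None else check_zone(zone, resolve)
    return verdicts


def live_resolver(hostname: str) -> Optional[str]:
    """Real lookup; use this in place of fake_resolver on a real mail host."""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


# Constructed answers standing in for DNS during the offline run.
FAKE_ANSWERS = {
    "2.0.0.127.sbl-xbl.spamhaus.org": "127.0.0.2",
    "2.0.0.127.bl.spamcop.net": "127.0.0.2",
    "1.0.0.127.relays.ordb.org": "127.0.0.2",   # positive for anything, as ORDB was
    "2.0.0.127.relays.ordb.org": "127.0.0.2",
}


def fake_resolver(hostname: str) -> Optional[str]:
    return FAKE_ANSWERS.get(hostname)


if __name__ == "__main__":
    for name, verdict in audit(SPAM_LISTS_CONF, SPAM_LIST_SETTING, fake_resolver).items():
        print(f"{name:18s} {verdict}")
```

Anything other than `ok` should come out of `Spam List`, since MailScanner trusts these zones absolutely rather than feeding them into SpamAssassin's scoring; a `lists-everything` zone tags every message, exactly the failure that started this thread.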








Spam abuse report plugin

2008-03-27 Thread ram
I get a lot of spam on my servers which gets detected by SA though it is
generated by innocent mail servers.

We see a lot of mail users have insanely simple passwords; spammers are
using these accounts to send spam. By the time the administrator
realizes, the server has sent 1000s of spam.

If spamassassin had an option to send abuse reports to servers
automatically and send mails to abuse@server-admin the moment the
first sure spam comes in, the admin could be warned before much damage
has been done. Obviously we would limit it to only 1 or 2 reports an hour to a
particular id.






Thanks
Ram


PS:

I know having strict passwords is the solution, but any admin worth his
job knows how difficult it is to get everyone to change their passwords.









Re: Spam abuse report plugin

2008-03-27 Thread Matt Kettler

ram wrote:

I get a lot of spam on my servers which get detected by SA though are
generated by innocent mail servers.

We see a lot of mail users have insanely simple passwords , spammers are
using these accounts and send spam. By the time the administrator
realizes the server has sent 1000's of spam 


If spamassassin had an option to send abuse report to servers
automatically and send mails to abuse@server-admin the moment the
first sure spam comes in the admin could be warned before much damage
has been done. Obviously we limit to only 1 or 2 reports in an hour to a
particular id 
  
The problem is, where spamassassin ties into the mail chain, it doesn't 
have any power to generate emails. It's a message filter, any action 
beyond modifying the message at hand would be inappropriate.


You might want to look at a log watcher like swatch to handle this.

In my own setup, I use prelude IDS for log monitoring, and have Nagios 
configured to fire off alarm emails when the prelude event rate gets too 
high. However, that's probably very over-complicated if you don't 
already use both tools for other network monitoring needs.
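
What ram asked for, built where Matt Kettler says it belongs: outside the filter, as a log watcher. This is an added example, not SpamAssassin's or swatch's code. It counts sure-spam hits per sending relay in a sliding window, alerts only after several hits (a single hit can be a false positive), and caps alerts per relay per hour so a compromised account does not make the watcher the next thing flooding abuse@. The log line shape is constructed for the example and the regex is the only part tied to it; where the alert goes (the abuse contact for the relay's netblock) is left to the caller.

```python
"""Log watcher that raises a rate-limited abuse alert per sending relay.

Added example, not SpamAssassin's or swatch's code. Read the filter log,
count "sure" spam per relay in a sliding window, alert after a few hits,
and send at most MAX_ALERTS_PER_HOUR alerts per relay.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional

SURE_SPAM_SCORE = 10.0          # only report hits well above the 5.0 threshold
WINDOW = timedelta(minutes=10)  # hits per relay are counted within this window
HITS_BEFORE_ALERT = 3           # one hit can be a false positive; three is a pattern
MAX_ALERTS_PER_HOUR = 2         # ram's "1 or 2 reports in an hour"

# Constructed line shape: syslog prefix, then key=value fields written by a
# hypothetical milter. Adjust LINE_RE for your MTA; nothing else depends on it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: .*?relay=(?P<relay>[\d.]+) .*?score=(?P<score>-?[\d.]+)"
)

# Constructed sample: relay 203.0.113.7 is a compromised account spewing sure
# spam; 198.51.100.9 sends one borderline and one sure hit; the last line is noise.
SAMPLE_LOG = """\
Mar 27 10:01:12 mx milter[2201]: msgid=<a1@x> relay=203.0.113.7 from=alice@example.org score=14.2 required=5.0
Mar 27 10:01:40 mx milter[2201]: msgid=<a2@x> relay=203.0.113.7 from=alice@example.org score=17.9 required=5.0
Mar 27 10:02:03 mx milter[2201]: msgid=<b1@y> relay=198.51.100.9 from=bob@example.com score=6.1 required=5.0
Mar 27 10:02:15 mx milter[2201]: msgid=<a3@x> relay=203.0.113.7 from=alice@example.org score=12.0 required=5.0
Mar 27 10:03:30 mx milter[2201]: msgid=<a4@x> relay=203.0.113.7 from=alice@example.org score=21.4 required=5.0
Mar 27 10:04:02 mx milter[2201]: msgid=<a5@x> relay=203.0.113.7 from=alice@example.org score=15.5 required=5.0
Mar 27 10:05:00 mx milter[2201]: msgid=<b2@y> relay=198.51.100.9 from=bob@example.com score=11.0 required=5.0
Mar 27 10:05:10 mx postfix/smtpd[77]: connect from unknown[192.0.2.1]
"""


class AbuseWatcher:
    def __init__(self, year: int = 2008) -> None:
        self.year = year  # syslog timestamps carry no year
        self.hits: Dict[str, Deque[datetime]] = defaultdict(deque)
        self.alerts_sent: Dict[str, Deque[datetime]] = defaultdict(deque)

    def _parse(self, line: str) -> Optional[tuple]:
        m = LINE_RE.search(line)
        if not m:
            return None
        ts = datetime.strptime(f"{self.year} {m['ts']}", "%Y %b %d %H:%M:%S")
        return ts, m["relay"], float(m["score"])

    def feed(self, line: str) -> Optional[dict]:
        """Return an alert dict for this line, or None (not spam, not yet, or rate limited)."""
        parsed = self._parse(line)
        if parsed is None:
            return None
        ts, relay, score = parsed
        if score < SURE_SPAM_SCORE:
            return None
        window = self.hits[relay]
        window.append(ts)
        while window and ts - window[0] > WINDOW:
            window.popleft()
        if len(window) < HITS_BEFORE_ALERT:
            return None
        sent = self.alerts_sent[relay]
        while sent and ts - sent[0] > timedelta(hours=1):
            sent.popleft()
        if len(sent) >= MAX_ALERTS_PER_HOUR:
            return None  # rate limit: stay quiet, the admin already has two reports
        sent.append(ts)
        return {"relay": relay, "hits_in_window": len(window), "at": ts}

    def feed_all(self, lines: List[str]) -> List[dict]:
        return [a for a in map(self.feed, lines) if a is not None]


if __name__ == "__main__":
    for alert in AbuseWatcher().feed_all(SAMPLE_LOG.splitlines()):
        print(f"{alert['at']:%H:%M:%S} relay {alert['relay']}: {alert['hits_in_window']} sure-spam hits")
```

On the sample, the first alert fires at the third hit from 203.0.113.7, the second at the fourth, and the fifth hit is swallowed by the per-hour cap; the second relay never reaches the threshold. To run it for real, tail the log into `feed` and hand each alert to whatever sends the report.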






Re: Howto stop SPF_FAIL from internal network?

2008-03-27 Thread Enrico Scholz
Benny Pedersen [EMAIL PROTECTED] writes:

 spamassassin 2>&1 -D spf -t < /tmp/msg > /tmp/msg.spf.debug

 post the debug file

https://www.cvg.de/people/ensc/spf_fail.txt

(full debug with configuration of

| $ sed '/^\(#.*\)\?$/d' ~/.spamassassin/user_prefs
| internal_networks   62.153.82.30
| trusted_networks    62.153.82.30
| trusted_networks    192.168.8.0/23
| trusted_networks    !192.168.3.0/24
| msa_networks        192.168.0.0/16

result is SPF_NEUTRAL now as I added 192.168.0.0 net to SPF
entry)



Enrico


RE: SORBS_DUL

2008-03-27 Thread James E. Pratt
 
 Do your own queries and whois lookups...but these address blocks are
 INCORRECTLY LISTED BY SORBS and they refuse (yes, I've heard from them)
 to remove them.  Apparently because our inbound and outbound MTAs don't
 use the same addresses!  I have no idea what crack-monkey at SORBS wrote
 that, but that was the response we got in relation to our request to
 remove our IPs.
 
 I hope that clears it up :)
 
 Cheers,
 
 James

Sigh... Can we clear this up for _real_??

... Regardless of whether or not SORBS listings are accurate or not,
or should or should not be included in SA, apparently some people cannot
read, or are overly confused...  

--

Straight from the SORBS website:

If you are listed in the Spam Database read the Spam Database FAQ, then
and only then you have 2 options. 
Pay the fine, and get delisted. 
Argue that you shouldn't have to pay. 
Paying the fine will get you delisted very quickly (usually within 48
hours)... However, when donating to the Royal Childrens Hospital and
sending in the receipt ensure you send in the receipt number (the actual
receipt is not needed, only the number - this is usually prefixed 'IR'),
due to privacy laws and the fact SORBS is not part of or connected with
the charity. Payment confirmations can only be verified when a receipt
number is given along with the payee's name. 

Arguing with a SORBS administrator about how you are not the person
responsible, or how you just got the address (or any other excuse) will
result in a 'boiler plate' reply. It will be blunt and usually
impersonal; this may appear rude, but it is not meant to be, it is just
meant to be efficient. 
Note: There are a few good reasons why you may get delisted without
paying the fine. These will be dealt with by an admin personally.


--

So James - Like it says above, you really have two options. Quit
complaining here and pay the AU Hospital and send sorbs the
invoice/receipt, or perhaps if you approached the situation without
downright rudeness (yes, you sound like a rude person to have to deal
with based on your posts.. Sorry!), the admin would deal with you
personally, but frankly, if anyone there reads this list-serv, well..
all I can say is good luck with that.. :\

~Ciao

jp


Header of a false negative mail

2008-03-27 Thread Sn!per
I would appreciate it if folks could explain to me the header of a false 
negative email that I received:
...
...
Reply-To:  Gene Blackwell [EMAIL PROTECTED]
Sender:  [EMAIL PROTECTED]
Subject:  vPharmacy  Big  Saving,   the very best   generic  
medication  on  net!!   ovapq 3exnri2h
To:  [EMAIL PROTECTED]
X-Sender:  [EMAIL PROTECTED]
...
...


Question: Why does the header of this false negative not contain any score 
information from SA? For other mails, be they ham or spam, I can see that there 
is score information written in their headers. This is the full message 
source of that false negative:

Appreciate all comments. Many thanks.

--
Roger




Re: Spam abuse report plugin

2008-03-27 Thread Jari Fredriksson
 I get a lot of spam on my servers which get detected by
 SA though are generated by innocent mail servers.
 
 We see a lot of mail users have insanely simple passwords
 , spammers are using these accounts and send spam. By the
 time the administrator realizes the server has sent
 1000's of spam 
 
 If spamassassin had an option to send abuse report to
 servers automatically and send mails to
 abuse@server-admin the moment the first sure spam comes
 in the admin could be warned before much damage has been
 done. Obviously we limit to only 1 or 2 reports in an
 hour to a particular id 
 

You could open a reporting account at SpamCop.net, and carefully redirect 
certain spam messages to their service (via email). SpamCop then generates an 
abuse report.

After SpamCop receives your report, they send you (the configured email address 
there) a confirmation mail, which has to be handled by you manually, or by a 
robot (like spamcup). When confirmed, they send abuse-reports on your behalf.

If you want to automate this, it needs some scripting (and automating it may be 
against SpamCop's policy), but it can be done.

An automatic system works quite well, if you can be sure not to post false 
positives there.

Abuse reporting is not SA's job, but it's a job well done by SpamCop.net





Re: Celebrity spams

2008-03-27 Thread penny/dell

here is the raw body of one of the emails

http://pastebin.com/m71e204d



Luis Hernán Otegui wrote:
 
 
 
 Could you please post a full message to some place accessible to
 everybody? (e.g., pastebin).
 
 
 
 




Re: Spam abuse report plugin

2008-03-27 Thread Justin Mason

Jari Fredriksson writes:
  I get a lot of spam on my servers which get detected by
  SA though are generated by innocent mail servers.
  
  We see a lot of mail users have insanely simple passwords
  , spammers are using these accounts and send spam. By the
  time the administrator realizes the server has sent
  1000's of spam 
  
  If spamassassin had an option to send abuse report to
  servers automatically and send mails to
  abuse@server-admin the moment the first sure spam comes
  in the admin could be warned before much damage has been
  done. Obviously we limit to only 1 or 2 reports in an
  hour to a particular id 
  
 
 You could open a reporting account at SpamCop.net, and carefully redirect 
 certain spam messages to their service (via email). SpamCop then generates an 
 abuse report.
 
 After SpamCop receives your report, they send you (the configured email 
 address there) a confirmation mail, which has to be handled by you manually, 
 or by a robot (like spamcup). When confirmed, they send abuse-reports on your 
 behalf.
 
 If you want to automate this, it needs some scripting (and automating it may 
 be against SpamCop's policy), but it can be done.
 
 An automatic system works quite well, if you can be sure not to post false 
 positives there.
 
 Abuse reporting is not SA's job, but it's a job well done by SpamCop.net

in fact, SpamAssassin supports it using the Spamcop plugin.

--j.


Re: SORBS_DUL

2008-03-27 Thread Justin Mason

James E. Pratt writes:
  Do your own queries and whois lookups...but these address blocks are
  INCORRECTLY LISTED BY SORBS and they refuse (yes, I've heard from
  them) to remove them.  Apparently because our inbound and outbound
  MTA's don't use the same addresses!  I have no idea what crack-monkey
  at SORBS wrote that, but that was the response we got in relation to
  our request to remove our IP's.
  
  I hope that clears it up :)
  
  Cheers,
  
  James
 
 Sigh... Can we clear this up for _real_??
 
 ... Regardless of whether or not SORBS listings are accurate or not,
 or should or should not be included in SA, apparently some people cannot
 read, or are overly confused...   [...]
 If you are listed in the Spam Database read the Spam Database FAQ, then
 and only then you have 2 options. 
 Pay the fine, and get delisted. 

Actually, I think you're the one who's confused.

That's the SORBS Spam Database, which SpamAssassin does not use due to
this delisting fee.  James is talking about the DUHL, an entirely
different SORBS list.

--j.


Re: Spam abuse report plugin

2008-03-27 Thread Michael Scheidell

 From: ram [EMAIL PROTECTED]
 Date: Thu, 27 Mar 2008 15:36:04 +0530
 To: spamassassin-users users@spamassassin.apache.org
 Subject: Spam abuse report plugin
 
 I get a lot of spam on my servers which get detected by SA though are
 generated by innocent mail servers.
 
 We see a lot of mail users have insanely simple passwords; spammers are
 using these accounts and send spam. By the time the administrator
 realizes, the server has sent 1000's of spam
So you would spam the abuse@ account '-)

 
 If spamassassin had an option to send abuse report to servers
 automatically and send mails to abuse@server-admin the moment the
 first sure spam comes in the admin could be warned before much damage
 has been done. Obviously we limit to only 1 or 2 reports in an hour to a
 particular id 

Best is to set up something to use the 'spamassassin -r' (report) feature.
Set up a SpamCop account, put that information in local.cf.
SpamCop will scan the emails for URIs, add them to URI blacklists, add the
server to SpamCop blacklists, track down the responsible ISP, and pre-format
a complaint email.

If you have DCC and RAZOR, it will also submit the information to those
databases.

NOTE: YOU DO NOT WANT TO AUTOMATICALLY SEND REPORTS AS THIS _WILL_ SPAM
INNOCENT, FORGED DOMAINS ADDING TO THE BACKSCATTER PROBLEMS.


-- 
Michael Scheidell, CTO
|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium

_
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_


Re: Spam abuse report plugin

2008-03-27 Thread ram
On Thu, 2008-03-27 at 10:04 -0400, Michael Scheidell wrote:
  From: ram [EMAIL PROTECTED]
  Date: Thu, 27 Mar 2008 15:36:04 +0530
  To: spamassassin-users users@spamassassin.apache.org
  Subject: Spam abuse report plugin
  
  I get a lot of spam on my servers which get detected by SA though are
  generated by innocent mail servers.
  
  We see a lot of mail users have insanely simple passwords; spammers are
  using these accounts and send spam. By the time the administrator
  realizes, the server has sent 1000's of spam
 So you would spam the abuse@ account '-)
 
  
  If spamassassin had an option to send abuse report to servers
  automatically and send mails to abuse@server-admin the moment the
  first sure spam comes in the admin could be warned before much damage
  has been done. Obviously we limit to only 1 or 2 reports in an hour to a
  particular id 
 
 Best is to set up something to use the 'spamassassin -r' (report) feature.
 Set up a SpamCop account, put that information in local.cf.
 SpamCop will scan the emails for URIs, add them to URI blacklists, add the
 server to SpamCop blacklists, track down the responsible ISP, and pre-format
 a complaint email.
 
Ok. Will definitely try this. Thanks. Does this work with the free
SpamCop report id too?

 If you have DCC and RAZOR, it will also submit the information to those
 databases.
 
 NOTE: YOU DO NOT WANT TO AUTOMATICALLY SEND REPORTS AS THIS _WILL_ SPAM
 INNOCENT, FORGED DOMAINS ADDING TO THE BACKSCATTER PROBLEMS.
 
 

I personally don't like the traditional SpamCop report method of
forwarding. SpamCop uses a double-confirm method, and to confirm all mails is a
pain. I will look at how to automate this. I trust SpamCop should not
mind. This is building SpamCop's database of spam-originating machines.

I do not see how I will spam the abuse@domain or contribute to
backscatter, because the report will not be sent to the email-from
domain, but to the administrator of the mailserver from where the mail
originated (that could be forged too, but the percentages are too
small to bother about). I assume these IPs will have PTRs and point to
proper domains, else discard.
Anyway, 2 report mails an hour will not spam an abuse@ account IMHO.


Thanks
Ram
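
The choice ram describes above, sending the report to the operator of the relay that actually handed us the message rather than to the From: domain, plus the "1 or 2 reports an hour per id" limit, as an added Python example. This is not code from the thread or from SpamAssassin (whose own trusted-relay logic is in its Perl trusted_networks handling); it is a stand-alone illustration. TRUSTED_NETWORKS is a hypothetical list of our own relays, and the sample message is constructed.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical: the relays we operate. Received headers written by these hosts
# are trusted; the first hop below them is the external origin worth reporting.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"),
                    ipaddress.ip_network("127.0.0.0/8")]

# Constructed sample: spam handed to us by a third party's relay, with a forged
# From: domain and a private address in the hop the spammer's host wrote itself.
SAMPLE = """Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mail.example.net (Postfix) with ESMTP id 1A2B3C
    for <victim@example.net>; Thu, 27 Mar 2008 10:00:02 +0000
Received: from relay.isp.example (relay.isp.example [198.51.100.23])
    by mx1.example.net (Postfix) with ESMTP id 4D5E6F; Thu, 27 Mar 2008 10:00:01 +0000
Received: from [10.0.0.5] (helo=forged.example.org)
    by relay.isp.example with smtp; Thu, 27 Mar 2008 09:59:50 +0000
From: "Someone" <someone@forged.example.org>
To: victim@example.net
Subject: cheap meds

body
"""

_PEER_IP = re.compile(r"\[(?:IPv6:)?([0-9a-fA-F.:]+)\]")


def received_peer_ips(msg):
    """Connecting peer's IP from each Received header, newest hop first.
    MTAs record the peer as 'from HELO (rdns [ip]) by ...'; take the
    bracketed address that precedes ' by '."""
    ips = []
    for hdr in msg.get_all("Received", []):
        hdr = " ".join(hdr.split())          # unfold continuation lines
        m = _PEER_IP.search(hdr.split(" by ", 1)[0])
        ips.append(m.group(1) if m else None)
    return ips


def originating_ip(msg):
    """Walk hops newest to oldest and return the first peer outside our trusted
    networks. Hops below it were written by that host and may be forged, so
    they are never consulted."""
    for ip in received_peer_ips(msg):
        if ip is None:
            return None                      # unparsable hop: stop rather than guess
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return None
        if not any(addr in net for net in TRUSTED_NETWORKS):
            return str(addr)
    return None                              # message never left our own network


def report_target(msg):
    """(relay IP to report, From: domain). The two routinely differ, which is
    why reporting to the From: domain produces backscatter."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    return originating_ip(msg), from_domain


class ReportRateLimiter:
    """At most `limit` reports per `window` seconds per target. `now` is passed
    in (seconds) so the limiter can be exercised without a real clock."""

    def __init__(self, limit=2, window=3600):
        self.limit, self.window = limit, window
        self._sent = {}                      # target -> timestamps of sent reports

    def allow(self, target, now):
        recent = [t for t in self._sent.get(target, []) if now - t < self.window]
        if len(recent) >= self.limit:
            self._sent[target] = recent
            return False
        recent.append(now)
        self._sent[target] = recent
        return True


if __name__ == "__main__":
    ip, domain = report_target(message_from_string(SAMPLE))
    print("report to the operator of", ip, "- not to", domain)
```

Run as-is, it prints that the report belongs to 198.51.100.23's operator, not forged.example.org. The walk stops at the first untrusted hop on purpose: the 10.0.0.5 line below it was written by the untrusted relay and is exactly the kind of header a spammer controls.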


Re: Celebrity spams

2008-03-27 Thread --[ UxBoD ]--
why not :-

util_rb_2tld  grupogsv.com

as that appears as part of the link ?

Regards,

-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- penny/dell [EMAIL PROTECTED] wrote:

 here is the raw body of one of the emails
 
 http://pastebin.com/m71e204d
 
 
 
 Luis Hernán Otegui wrote:

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: SORBS_DUL

2008-03-27 Thread mouss

James Gray wrote:

Matt Kettler wrote:

James Gray wrote:


Sorbs sux, don't use it.  Last time we had this problem they wanted 
money (and not an insignificant amount either) to remove a listing 
from their systems.  They arbitrarily add addresses to a database 
the IP's owner can't control, then demand money to remove the 
listing; where I come from, that's called extortion.
SORBS is an Australian entity, so they're local to you, at least in 
a legal system sense..  If it is extortion in your legal system, you 
might want to take advantage of that fact.


Yes I'm aware of that :-/  Embarrassing isn't it?  Unfortunately, 
being on SORBS_DUL doesn't impact us directly, and despite the claims 
that removal is free, the reality is proving to be quite different.


Regardless,  what matters from a spamassassin perspective is the 
accuracy of the list. That's the primary criteria that will get a 
list kicked out.


Indeed.  Having not used SORBS, and not missing them, I have no stats 
of my own to confirm or deny the accuracy of the list.  Only that our 
IP blocks have been listed and we have been given no explanation why; 
only that we must overhaul our DNS and MTA systems to suit SORBS, then 
maybe they will delist us.


SORBS-DUL is one of the most accurate RBLs spamassassin uses in the 
mass-check tests. 99.4% of its hits are spam. This beats out all 
other RBLs in spamassassin's config except PBL (which ties it), XBL, 
and 4 lists with very low hit rates that wound up with no nonspam hits.


See above.

If it's really as arbitrary and random as you claim, how's it so 
accurate in real world tests?


No idea.  I'd hazard a guess that the previous admin's actions at some 
point got us listed; but he's moved to the opposite side of the 
country and the silence from SORBS as to why we were listed in the 
first place leaves me with one of two conclusions: previous admin 
screwed up royally (possible but unlikely), SORBS listed our IP's 
without fair justification.


Personally, it sounds like they listed you, and you've got a personal 
beef. The real world tests don't support your claims that it's 
operated on an arbitrary basis.


I've just got customers (ISP's) on my back to get the MTA's IPs off 
the list.  SORBS are being about as unco-operative as I've ever 
experienced in my years as an admin.  My frustrations are firmly aimed 
at the one body that is causing me pain: SORBS.  When all this is 
over, I still wont use SORBS :)


We've crossed paths on other lists Matt, thanks for your objectivism.  
I need sleep and some quiet (from the customers and management) so 
maybe some of comment regarding SORBS have been a little harsh.  
Interestingly  the customers (mostly APAC ISP wholesalers) *all* have 
similar opinions of SORBS as an entity to interact with.


and you continue. please stop this now. if you have real information 
about sorbs or any dnsbl, say it, but once again, provide evidence. if 
it's just literature, we don't care.


1) you started this thread by accusing sorbs of many things without 
providing any evidence (what IP, what you did to get delisted, ... etc) 
and when I asked you, you went saying random stuff. then you continued 
insulting sorbs people (crack-monkey...). 


2) At the same time:

- the address you use had a bogus MX (didn't check if you fixed this)
- two of the IPs you showed didn't have rDNS (like most IPs of your block)
- your NS servers had a TTL of less than about 7 minutes. whether this is RFC 
compliant or not is irrelevant. No RFC forbids spam. and in any case, 
this can hardly match your claim "... The default TTL is the recommended 
3600 seconds for both forward and reverse..."


these few points give you a bad reputation. as a result, you need to 
make efforts to become neutral, let alone be able to claim things against 
a widely used DNSBL.


3) After a few exchanges, we learn that the network was administered by 
someone else. you didn't say this at the start. if we continue, maybe we'll 
learn other stuff...


4) you feel very comfortable attacking others without accepting your 
share of responsibility. it's someone else's fault... don't you think 
it's too easy?


5) instead of asking for information first, you started a crusade. this 
is not the way to go. more people know sorbs than you.


6) you'll have a hard time convincing me that being listed at sorbs 
causes SA to tag your mail as spam. as I said earlier, SA is score based 
and being listed at sorbs is not enough. in fact, you are frustrated and 
want a revenge. This is not the right place.


7) you failed to find the mailing list address on the sorbs site. a 
simple search of mailing with a browser finds it immediately.


8) your "Talk to some admins who've been in this situation." is 
completely silly. This is not honest as it suggests to the unaware 
reader that sorbs has many problems. besides, most problems we have are 
caused by some admins.


9) there is no evidence that your network didn't spam people before. 

Net::DNS .060 allows remote attackers to cause DOS

2008-03-27 Thread Michael Scheidell

From:
http://search.cpan.org/src/OLAF/Net-DNS-0.63/Changes

Fix rt.cpan.org #30316  Security issue with Net::DNS Resolver.

 Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers  to 
cause a denial of service (program croak) via a crafted DNS
 response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341). Packet  
parsing routines are now enclosed in eval blocks to trap exception

 and avoid premature termination of user program.

Fix: Update to 0.63.

Note: to Freebsd Ports SpamAssassin users: A minor update to SA will 
include dependency on 0.63.  pt-Net-DNS was updated on ports tree 10 
days ago:

http://www.freebsd.org/cgi/query-pr.cgi?pr=120702

An official update to SA ports version 3.4.2_3 will be sent to ports 
shortly.


--
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
| SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
http://www.technosium.com/hotcompanies/




Re: OT: uribl.com folks awake?

2008-03-27 Thread Dallas Engelken

Jonathan Nichols wrote:
Sorry for 
the OT. I've been trying to get in touch with whoever is in charge of 
URIBL zonefile mirrors without success.


Is this thing on? Ping me offlist, por favor. I may have just been 
pinging the wrong people.




http://www.uribl.com/contact.shtml
---  For DNS questions not related to listings.. that includes zone 
information, transfers, outages, etc. Use dnsadmin at uribl dot com 
mailto:[EMAIL PROTECTED].


Have you done that?

--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Blogspot spam update information (NetCraft statistics)

2008-03-27 Thread Bookworm
According to the Netcraft News for March, 2008, they showed some 
interesting growth in Blogspot.


Google increases its developer share by gaining 842 thousand hostnames; 
most of which are used for blogspot.com blogs.


I wonder how many of those 842,000 blogspot.com blogs were autocreated 
spam sites? 
Also, if that will drop next month as Google hopefully figures out how 
to slow down the bots, and deletes the existing spamsites.







Re: Net::DNS .060 allows remote attackers to cause DOS

2008-03-27 Thread Justin Mason

Michael Scheidell writes:
 From:
 http://search.cpan.org/src/OLAF/Net-DNS-0.63/Changes
 
 Fix rt.cpan.org #30316  Security issue with Net::DNS Resolver.
 
   Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers  to
 cause a denial of service (program croak) via a crafted DNS
   response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341). Packet 
 parsing routines are now enclosed in eval blocks to trap exception
   and avoid premature termination of user program.


worth noting this --
https://bugzilla.redhat.com/show_bug.cgi?id=426437 :

  Comment #1 From Josh Bressers (Security Response Team) on
  2008-01-07 21:12 EST
  
  This issue has no security impact.  The flaw will cause Net::DNS to
  croak, which in turn should be handled by the calling application.  In
  the case of RHEL, the only known application that uses this
  functionality is Spamassassin. Spamassassin handles this failure
  gracefully and continues to function, minus the DNS tests.

we haven't seen details of the vulnerability, but I think Josh's take on
the issue sounds correct.

if anyone has a demo of the bug, please pass it on so we can try it out.

--j.
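
The changelog entry quoted above describes the fix as wrapping packet parsing in eval blocks so that a malformed answer cannot terminate the calling program, and the Red Hat comment notes that SpamAssassin survives the croak by simply losing its DNS tests. The following Python is an added illustration of that failure mode and mitigation; it is not Net::DNS code and does not reproduce CVE-2007-6341's exact trigger. A small, strict A-record response parser raises on a response whose RDLENGTH disagrees with the data (or on a pointer loop or truncation), and a wrapper traps the error and returns "no usable answer" so the caller can skip the test instead of dying. All packets are constructed inline.

```python
import struct


class DnsParseError(Exception):
    """Raised for any answer that is not internally consistent."""


def _encode_name(name):
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.split(".")) + b"\x00"


def build_response(qname, ips, rdlength=4, truncate=0):
    """Constructed test packet: one A record per ip. `rdlength` lets us claim a
    wrong RDLENGTH, `truncate` drops trailing bytes (a cut-off response)."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, len(ips), 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)   # QTYPE A, QCLASS IN
    answers = b""
    for ip in ips:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C: compression pointer back to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, rdlength) + rdata
    pkt = header + question + answers
    return pkt[:len(pkt) - truncate] if truncate else pkt


def _read_name(buf, off):
    """Parse a possibly compressed name; raise on truncation or pointer loops."""
    labels, end, jumped, seen = [], off, False, set()
    while True:
        if off >= len(buf):
            raise DnsParseError("truncated name")
        ln = buf[off]
        if ln == 0:
            off += 1
            break
        if (ln & 0xC0) == 0xC0:                                  # compression pointer
            if off + 1 >= len(buf):
                raise DnsParseError("truncated pointer")
            ptr = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if ptr in seen:
                raise DnsParseError("pointer loop")              # would spin forever otherwise
            seen.add(ptr)
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        if ln > 63:
            raise DnsParseError("bad label length")
        off += 1
        if off + ln > len(buf):
            raise DnsParseError("truncated label")
        labels.append(buf[off:off + ln].decode("ascii", "replace"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def parse_a_records(buf):
    """Strict parser: A records from the answer section, raising DnsParseError
    on anything inconsistent (the equivalent of Net::DNS's croak)."""
    if len(buf) < 12:
        raise DnsParseError("short header")
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", buf[:12])
    off = 12
    for _ in range(qdcount):
        _, off = _read_name(buf, off)
        off += 4                                                 # QTYPE + QCLASS
    ips = []
    for _ in range(ancount):
        _, off = _read_name(buf, off)
        if off + 10 > len(buf):
            raise DnsParseError("truncated RR header")
        rtype, _, _, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        if off + rdlen > len(buf):
            raise DnsParseError("RDLENGTH past end of packet")
        rdata, off = buf[off:off + rdlen], off + rdlen
        if rtype == 1:
            if rdlen != 4:
                raise DnsParseError("A record with RDLENGTH %d" % rdlen)
            ips.append(".".join(str(b) for b in rdata))
    return ips


def safe_a_records(buf):
    """What the eval blocks in the changelog achieve: a bad response yields None
    ('no usable answer') instead of killing the caller, so a DNS-based rule
    simply does not fire for this message."""
    try:
        return parse_a_records(buf)
    except (DnsParseError, struct.error, IndexError):
        return None


def strict_parse_dies(buf):
    """True if the strict parser would have terminated a naive caller."""
    try:
        parse_a_records(buf)
        return False
    except DnsParseError:
        return True


# Constructed packets: well-formed, lying RDLENGTH, and cut short.
GOOD = build_response("spamsource.example", ["198.51.100.23"])
BAD_RDLENGTH = build_response("spamsource.example", ["198.51.100.23"], rdlength=2)
TRUNCATED = build_response("spamsource.example", ["198.51.100.23"], truncate=2)
```

The point of the wrapper is that the answer to a lookup can come from a server the message's sender controls (the reverse DNS of a spammer's host, for example), so the parser is untrusted-input code and the caller must be able to treat a failure as "unknown" rather than as a crash.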


Re: Net::DNS .060 allows remote attackers to cause DOS

2008-03-27 Thread Michael Scheidell

Justin Mason wrote:
  
  This issue has no security impact.  The flaw will cause Net::DNS to

  croak, which in turn should be handled by the calling application.  In
  the case of RHEL, the only known application that uses this
  functionality is Spamassassin. Spamassassin handles this failure
  gracefully and continues to function, minus the DNS tests.

we haven't seen details of the vulnerability, but I think Josh's take on
the issue sounds correct.

if anyone has a demo of the bug, please pass it on so we can try it out.

  

i guess a 'croak' isn't a dos... ;-)

its in freebsd ports, a 'portupgrade p5-Net-DNS' should update it quickly.


--j.

  



--
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
| SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
http://www.technosium.com/hotcompanies/



What to do about address spoofing

2008-03-27 Thread R.Smits
Hello,

Is there something I can do so that our company addresses cannot be used
for sending spam? Is DKIM an answer?
A lot of our users get "delivery failed" messages. So a spammer is
sending spam with our addresses :-(

A difficult problem I think ?

Greetings... Richard Smits


RE: :DNS .060 allows remote attackers to cause DOS

2008-03-27 Thread Robert - elists
 

 

From: 
http://search.cpan.org/src/OLAF/Net-DNS-0.63/Changes

Fix rt.cpan.org #30316  Security issue with Net::DNS Resolver.

  Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers  to
cause a denial of service (program croak) via a crafted DNS
  response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341). Packet
parsing routines are now enclosed in eval blocks to trap exception
  and avoid premature termination of user program.

Fix: Update to 0.63.

Note: to Freebsd Ports SpamAssassin users: A minor update to SA will include
dependency on 0.63.  pt-Net-DNS was updated on ports tree 10 days ago:
http://www.freebsd.org/cgi/query-pr.cgi?pr=120702

An official update to SA ports version 3.4.2_3 will be sent to ports shortly

 

Hm.

 

Is the post above from Scheidell a BSD *port* update only related issue
posting ???

 

There have been 3 updates to perl-Net-DNS in the last 8 months since .60

 

We have been using .63 since about Feb 21 2008

 

 - rh



RE: What to do about address spoofing

2008-03-27 Thread Bowie Bailey
R.Smits wrote:
 Hello,
 
 Is there something I can do so that our company addresses cannot be used
 for sending spam? Is DKIM an answer?
 A lot of our users get "delivery failed" messages. So a spammer is
 sending spam with our addresses :-(
 
 A difficult problem I think ?
 
 Greetings... Richard Smits

There is really nothing that you can do to prevent spammers from using
your address.  You can do things like DKIM and SPF to attempt to
validate good mail from your domain, but this relies on the receiving
server doing the necessary checks.

We are having the same problem.  One of our addresses has been used
consistently by spammers for the past couple of years.  Recently the
problem has gotten much worse.  This address has received over 57,000
bounce messages in the past two weeks!  I now have a rule in my mail
server to detect and drop these messages.

-- 
Bowie


RE: Spam abuse report plugin

2008-03-27 Thread Michele Neylon :: Blacknight
As long as you whitelist MailScanner.info

I am sick to my teeth of receiving abuse reports about a domain that never 
sends email and is used to block spam

/me wanders off to rant elsewhere


--
Mr Michele Neylon
Blacknight Solutions
Hosting  Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty 
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845


Re: Spam abuse report plugin

2008-03-27 Thread Jari Fredriksson
 As long as you whitelist MailScanner.info
 
 I am sick to my teeth of receiving abuse reports about a
 domain that never sends email and is used to block spam 
 
 /me wanders off to rant elsewhere

WTF? is this all about?

Who has reported MailScanner.info as a spammer?




purge byes in sql

2008-03-27 Thread Miguel
Hi, does SA take care of purging old bayesian records stored in MySQL, 
similar to what it does for the traditional DB files?

If not, what is the recommended procedure to do so?
regards


Re: What to do about address spoofing

2008-03-27 Thread Bookworm

Bowie Bailey wrote:

R.Smits wrote:
  

Hello,

Is there something I can do so that our company addresses cannot be used
for sending spam? Is DKIM an answer?
A lot of our users get "delivery failed" messages. So a spammer is
sending spam with our addresses :-(

A difficult problem I think ?

Greetings... Richard Smits



There is really nothing that you can do to prevent spammers from using
your address.  You can do things like DKIM and SPF to attempt to
validate good mail from your domain, but this relies on the receiving
server doing the necessary checks.

We are having the same problem.  One of our addresses has been used
consistently by spammers for the past couple of years.  Recently the
problem has gotten much worse.  This address has received over 57,000
bounce messages in the past two weeks!  I now have a rule in my mail
server to detect and drop these messages.

  
At least _part_ of this problem could be fixed by more sites using a 
valid RCPT TO check _before_ they accept the message, rather than 
taking any and all messages to their domain, THEN spamming everyone with 
rejections. 

I used to have hundreds of 'can't send the failure message' messages in 
my queue prior to enabling this for most customers.  Now it's down to 
two or three, at most, from people inside the customer site doing 
strange things.





Re: purge byes in sql

2008-03-27 Thread Theo Van Dinter
On Thu, Mar 27, 2008 at 11:32:17AM -0600, Miguel wrote:
 Hi, does SA take care of purging old bayesian records stored in MySQL, 
 similar to what it does for the traditional DB files?

Yes.

-- 
Randomly Selected Tagline:
My opinions may have changed, but not the fact that I am right.
  - Ashleigh Brilliant


pgp3aNSXcjhLM.pgp
Description: PGP signature


RE: Spam abuse report plugin

2008-03-27 Thread Michele Neylon :: Blacknight
Jari

A LOT of clueless mail server admins send us reports about mailscanner.info

We have a standard reply telling them to get a $clue, but I'd prefer that my 
staff's time was spent dealing with proper issues :)


--
Mr Michele Neylon
Blacknight Solutions
Hosting  Colocation, Brand Protection
http://www.blacknight.com/
http://blog.blacknight.com/
Intl. +353 (0) 59  9183072
Locall: 1850 929 929
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty 
Road,Graiguecullen,Carlow,Ireland  Company No.: 370845





tmp file handling

2008-03-27 Thread NFN Smith
I'm currently running spamassassin 3.2.1-1~bpo.1 from the Debian 
etch-backports branch (yes, I know that backports now has 3.2.4 
available, and I'll be upgrading shortly).


On my installation, I'm calling SpamAssassin from MIMEDefang, and so I'm 
not running spamc and spamd .


I just discovered that over the last several weeks, I'm getting an 
accumulation of hidden .spamassassin temporary files accumulating in 
/tmp, that aren't getting deleted, and as a result, that volume is 
filling up.


I'm not aware of any operational changes that have been made, so this 
one is puzzling.


I can easily set a cron job to find and discard the accumulation, but 
I'd prefer to find the source of why these files are getting left in 
/tmp, and fix the problem, rather than simply managing the symptoms.


Any idea of why this might be happening?

Smith



RE: tmp file handling

2008-03-27 Thread Jason Bertoch
-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of NFN Smith
Sent: Thursday, March 27, 2008 2:35 PM
To: users@spamassassin.apache.org
Subject: tmp file handling

I'm currently running spamassassin 3.2.1-1~bpo.1 from the Debian 
etch-backports branch 

On my installation, I'm calling SpamAssassin from MIMEDefang, and so I'm 
not running spamc and spamd .

I just discovered that over the last several weeks, I'm getting an 
accumulation of hidden .spamassassin temporary files accumulating in 
/tmp, that aren't getting deleted, and as a result, that volume is 
filling up.


There was a version upgrade to SpamAssassin some time ago that broke the way
MIMEDefang was handling those files.  David released a new version of MD
shortly thereafter that fixed the issue.

Jason A. Bertoch
Network Administrator
[EMAIL PROTECTED]
Electronet Broadband Communications
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771




Re: tmp file handling

2008-03-27 Thread NFN Smith

Jason Bertoch wrote:

I just discovered that over the last several weeks, I'm getting an 
accumulation of hidden .spamassassin temporary files accumulating in 
/tmp, that aren't getting deleted, and as a result, that volume is 
filling up.



There was a version upgrade to SpamAssassin some time ago that broke the way
MIMEDefang was handling those files.  David released a new version of MD
shortly thereafter that fixed the issue.



Hmmm... So this may be an issue with MIMEDefang.

The Debian release number of MIMEDefang I'm running is 2.57-5.  It may 
be that when Debian froze what went into etch, the current copy of MD 
was the one with that glitch in it.


I'll check the MD archives for release notes, and see what's in the 
Testing branch.


Thanks for the tip.

Smith



Re: What to do about address spoofing

2008-03-27 Thread mouss

R.Smits wrote:

Hello,

Is there something I can do so that our company addresses cannot be used
for sending spam? Is DKIM an answer?
A lot of our users get "delivery failed" messages. So a spammer is
sending spam with our addresses :-(

A difficult problem I think ?
  


you can reject (or tag) some of these by looking for forgery signs, 
provided the NDR reports the headers of the original message. for 
instance, nothing on earth should put a Received header with "by 
netoyen.net", "from netoyen.net" or "helo netoyen.net" (the domain name 
is never used without a host label).


unfortunately, some sites send plain dumb NDRs: you can't even guess the 
original sender (because some sites send NDRs to the From header, mostly 
because of broken mix of software that loses the envelope sender).


Most of these are from sites that fail to validate recipients at 
reception time (at the edge of their network). this setup was once 
considered valid, but in these joe job days, it is no longer acceptable 
(some sites even include the original attachment, which may be spammy or 
even infected). For this reason, blacklisting may be appropriate.


The rare times I tried complaining to postmaster and abuse, I got an NDR 
(again?). And once, I got directions on how to remove viruses from my 
machine (!!!) together with links to symantec (so not only do they 
ignore complaints, but they use them to send commercial ads!). of 
course, the ISP (wanadoo.fr) was overwhelmed (I alone got 2000 NDRs in 
a few hours. this should give an idea about the number of NDRs they sent) 
and set up an auto-responder targeting their users (since then, they no 
longer send backscatter. so the situation is good for us, but not for 
their users, who reportedly lose mail).


from experience, backscatter storms have a relatively short duration for 
a given address (spam run). if this happens to you, you can block NDRs 
for the victim address until the storm stops. in case this is too risky, 
most of the time, the original messages have common patterns (they got 
out via few hosts, they have the same structure, charset, ...) so simple 
header and body matching can catch them.
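
The bounce handling described in this thread (mouss's forgery-sign check above, Bowie Bailey's "rule in my mail server to detect and drop these messages", and the requirement that the NDR carry the original's headers at all), as an added Python example that is not from the thread and not SpamAssassin's VBounce code. It combines two tests on the returned original's Received headers: our bare domain appearing as a `by`, `from` or HELO host (mouss's point), and whether the original ever passed through one of the relays our outbound mail really uses (the same idea as SpamAssassin's whitelist_bounce_relays). OUR_DOMAIN and OUR_BOUNCE_RELAYS are hypothetical, and every NDR here is constructed.

```python
import re
from email import message_from_string

OUR_DOMAIN = "example.net"                                    # hypothetical: the joe-jobbed domain
OUR_BOUNCE_RELAYS = {"mx1.example.net", "mail.example.net"}   # hypothetical: our real outbound relays

_BOUNCE_SUBJECT = re.compile(r"^(?:undeliver|delivery (?:status|failure)|failure notice|returned mail|mail delivery)", re.I)
# 'by host', 'from host', 'helo=host' / '(HELO host)' clauses inside a Received header
_HOP_CLAUSE = re.compile(r"\b(by|from|helo)[=\s]+([^\s()\[\];]+)", re.I)


def is_bounce(msg):
    """Cheap test for a delivery status notification."""
    return_path = (msg.get("Return-Path") or "").strip()
    sender = (msg.get("From") or "").lower()
    return (return_path == "<>"
            or "mailer-daemon" in sender or "postmaster@" in sender
            or msg.get_content_type() == "multipart/report"
            or bool(_BOUNCE_SUBJECT.match(msg.get("Subject", ""))))


def embedded_received(body):
    """Received headers of the returned original, wherever the NDR put them
    (a text/rfc822-headers part or just pasted into a plain-text body)."""
    hops, open_hop = [], False
    for line in body.splitlines():
        if line.startswith("Received:"):
            hops.append(line[len("Received:"):].strip())
            open_hop = True
        elif open_hop and line[:1] in (" ", "\t"):
            hops[-1] += " " + line.strip()                         # folded continuation line
        else:
            open_hop = False
    return hops


def forgery_signs(hops):
    """mouss's test: a genuine hop never names the bare domain as by/from/HELO host."""
    return ["%s %s" % (kw.lower(), host) for hop in hops
            for kw, host in _HOP_CLAUSE.findall(hop)
            if host.lower().rstrip(".") == OUR_DOMAIN]


def classify_ndr(raw):
    msg = message_from_string(raw)
    if not is_bounce(msg):
        return "not-a-bounce"
    # Only the body: the NDR's own Received chain shows our inbound MX and must not count.
    body = raw.split("\n\n", 1)[1] if "\n\n" in raw else ""
    hops = embedded_received(body)
    if not hops:
        return "bounce-without-original"       # the 'dumb NDR': nothing to verify, nothing to trust
    if forgery_signs(hops):
        return "backscatter"
    by_hosts = {host.lower() for hop in hops
                for kw, host in _HOP_CLAUSE.findall(hop) if kw.lower() == "by"}
    if not by_hosts & OUR_BOUNCE_RELAYS:
        return "backscatter"                   # the original never passed through our relays
    return "legitimate-bounce"


# Constructed samples, not real traffic.
BACKSCATTER_FORGED = """Return-Path: <>
From: Mail Delivery System <MAILER-DAEMON@smtp.remote-isp.example>
To: alice@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: text/plain

The original message headers follow.

Received: from example.net (unknown [203.0.113.9])
    by smtp.remote-isp.example (Postfix) with SMTP id A1B2C3
    for <bob@remote-isp.example>; Thu, 27 Mar 2008 03:48:18 +0000
From: alice@example.net
To: bob@remote-isp.example
Subject: vPharmacy Big Saving
"""

BACKSCATTER_NO_RELAY = """Return-Path: <>
From: postmaster@mx.remote.example
To: alice@example.net
Subject: failure notice
Content-Type: text/plain

Received: from pc42.dialup.example.org (pc42.dialup.example.org [203.0.113.77])
    by mx.remote.example (qmail) with SMTP; Thu, 27 Mar 2008 04:00:00 +0000
From: alice@example.net
Subject: cheap meds
"""

LEGIT_BOUNCE = """Return-Path: <>
From: MAILER-DAEMON@mx.remote.example
To: alice@example.net
Subject: failure notice
Content-Type: text/plain

Received: from mx1.example.net (mx1.example.net [192.0.2.10])
    by mx.remote.example (Postfix) with ESMTP id 777
    for <bob@remote.example>; Thu, 27 Mar 2008 10:00:00 +0000
Received: from desk42.example.net (desk42.example.net [192.0.2.42])
    by mx1.example.net (Postfix) with ESMTP id 555; Thu, 27 Mar 2008 09:59:00 +0000
From: alice@example.net
To: bob@remote.example
Subject: meeting notes
"""
```

The relay check is only as good as the secrecy of the relay names: a spammer who knows them can write a fake "by mx1.example.net" hop into the message he sends, which is why the forgery-sign test and the "no original headers at all" case are kept as separate verdicts rather than folded into one score.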


Re: tmp file handling

2008-03-27 Thread Kris Deugau

NFN Smith wrote:

Hmmm... So this may be an issue with MIMEDefang.

The Debian release number of MIMEDefang I'm running is 2.57-5.  It may 
be that when Debian froze what went into etch, the current copy of MD 
was the one with that glitch in it.


I'll check the MD archives for release notes, and see what's in the 
Testing branch.


Just checked the changelog;  there was a fix for this in MD 2.63 upstream:

2007-08-13  David F. Skoll  [EMAIL PROTECTED]

* VERSION 2.63 RELEASED

* mimedefang.pl.in(spam_assassin_status): Call $mail->finish()
to prevent temporary files from accumulating.


Backporting the Debian package should be a matter of snagging the source 
from testing or unstable and rebuilding on stable.  I'd suggest unstable 
unless it has bizarre dependencies on too many things.


You might also check the volatile repository;  there might be a newer 
MD in there.  (As well as SA, come to think of it.)


-kgd


Re: tmp file handling

2008-03-27 Thread Kelson

NFN Smith wrote:
The Debian release number of MIMEDefang I'm running is 2.57-5.  It may 
be that when Debian froze what went into etch, the current copy of MD 
was the one with that glitch in it.


I'll check the MD archives for release notes, and see what's in the 
Testing branch.


The fix went into MIMEDefang 2.63.  That's only one release back (the 
latest is 2.64), so you might want to look into the 2.64 changes while 
you're at it.


Relevant section from the 2.63 changelog:

mimedefang.pl.in(spam_assassin_status): Call $mail->finish() to
prevent temporary files from accumulating.


http://mimedefang.org/node.php?id=64

--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: tmp file handling

2008-03-27 Thread NFN Smith

Kris Deugau wrote:

NFN Smith wrote:




I'll check the MD archives for release notes, and see what's in the 
Testing branch.


Just checked the changelog;  there was a fix for this in MD 2.63 upstream:


Yep.  I found that shortly after I posted.

Backporting the Debian package should be a matter of snagging the source 
from testing or unstable and rebuilding on stable.  I'd suggest unstable 
unless it has bizarre dependencies on too many things.


You might also check the volatile repository;  there might be a newer 
MD in there.  (As well as SA, come to think of it.)



In Debian, 2.64-1 is the current version in both Testing and Unstable.

As a general rule, I try to not use stuff from Unstable on working 
servers.  I checked, and there's updates for SA at volatile.debian.org, 
but not for MD.


For now, I think getting MD 2.64-1 from Testing will do what I need.

Thanks for the responses.

Smith



Re: Net::DNS .060 allows remote attackers to cause DOS

2008-03-27 Thread mouss

Michael Scheidell wrote:

From:
http://search.cpan.org/src/OLAF/Net-DNS-0.63/Changes

Fix rt.cpan.org #30316  Security issue with Net::DNS Resolver.

 Net/DNS/RR/A.pm in Net::DNS 0.60 build 654 allows remote attackers  
to cause a denial of service (program croak) via a crafted DNS
 response (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6341). Packet  
parsing routines are now enclosed in eval blocks to trap exception

 and avoid premature termination of user program.

Fix: Update to 0.63.

Note: to Freebsd Ports SpamAssassin users: A minor update to SA will 
include dependency on 0.63.  pt-Net-DNS was updated on ports tree 10 
days ago:

http://www.freebsd.org/cgi/query-pr.cgi?pr=120702

An official update to SA ports version 3.4.2_3 will be sent to ports 
shortly.


you mean 3.4.2_3 I guess.

PS. shouldn't the audit db be updated?




Re: What to do about address spoofing

2008-03-27 Thread Martin Gregorie
On Thu, 2008-03-27 at 16:05, R.Smits wrote:
 Hello,
 
 Is there something I can do so that our company addresses cannot be used
 for sending spam? Is DKIM an answer?
 A lot of our users get "delivery failed" messages. So a spammer is
 sending spam with our addresses :-(
 
 A difficult problem I think ?
 
It might be co-incidence, but the amount of back-scatter[1] I was
getting dried up very soon after I set up an SPF record for my domain.
Backscatter is now almost non-existent. See http://www.openspf.org/ for
a definition and http://www.kitterman.com/spf/validate.html for useful
tools for creating and testing an SPF record. 

[1] mail rejection notices received as the result of my address being
forged as the sender of spam. 

Martin




Re: Header of a false negative mail

2008-03-27 Thread Matt Kettler

Sn!per wrote:

I would appreciate if folks can explain to me about the header of a false 
negative email that I received:
...
...
Reply-To:  Gene Blackwell [EMAIL PROTECTED]
Sender:  [EMAIL PROTECTED]
Subject:  vPharmacy  Big  Saving,   the very best   generic  
medication  on  net!!   ovapq 3exnri2h
To:  [EMAIL PROTECTED]
X-Sender:  [EMAIL PROTECTED]
...
...


Question: Why does the header of this false negative not contain any score 
information from SA? For other mails, be they hams or spams, I can see that there 
is score information written in their headers. This is the full message 
source of that false negative:

Appreciate all comments. Many thanks.


Well, I can only conclude the message was never fed to SpamAssassin. 
There's no way to stop SA from at least adding an X-Spam-Checker-Version 
header to every message it scans, short of modifying the code.


Can you tell us a bit about your setup? How do you integrate SA into 
your mail chain? Procmail?


Does your domain have multiple MXes? Did the message come in through a 
lower-priority MX than the rest of your mail?





Unsubscribe

2008-03-27 Thread Femitha Majeed

Hi,
 
Can you please tell me how to unsubscribe from this mailing list. I tried all 
that they suggested on the website but failed.
 
Thanks.

Re: Unsubscribe

2008-03-27 Thread Matt Kettler

Femitha Majeed wrote:

Hi,
 
Can you please tell me how to unsubscribe from this mailing list. I 
tried all that they suggested on the website but failed.

Could you be more specific?

The SpamAssassin lists website 
(http://wiki.apache.org/spamassassin/MailingLists) advises you send mail 
to [EMAIL PROTECTED]


Is that what you did?

What happened?

Did you get anything back in response?




Detail Spam Scoring

2008-03-27 Thread Jeff Koch


We used to get detailed spam scoring in the email headers but it seems to 
have disappeared after installing 3.2.4. Is there some command for turning 
the detailed scoring back on? Can someone please tell me what it is?


Thanks



Best Regards,

Jeff Koch, Intersessions 



Bounce back spam

2008-03-27 Thread Jeff Koch


Our users are getting inundated with bounce-back, joe-job spam. We have the 
Vbounce.pm plugin enabled (v3.2.4) and have a 'whitelist_bounce_relays' 
with the name of the mailserver in the local.cf file and the 'failure 
notices', 'mail delay' and undeliverables don't seem to be getting any 
score at all.


Here's the portion of the header from one showing almost no score: ('x's 
added to protect our innocent mailserver.)



Received: (qmail 29961 invoked for bounce); 28 Mar 2008 03:48:18 +0900
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on x.x.com
X-Spam-Status: No, score=0.1 required=5.0 tests=MISSING_MID,RDNS_NONE 
autolearn=no version=3.2.4


Hi. This is the qmail-send program at xsp.fenics.jp.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.





Best Regards,

Jeff Koch, Intersessions 



Re: Bounce Back Spam

2008-03-27 Thread Jeff Koch


Hi Matus:

Thanks but I don't even see these rules getting triggered. We have the
plugin enabled and the 'whitelist_bounce_relays  mailserver_name' line in
local.cf


At 12:09 PM 3/25/2008, you wrote:
On 25.03.08 12:00, Jeff Koch wrote:
  Our users are getting tons of bounce-back (joe job) spam starting Monday.
  The bounces-backs are getting very low scores. Is there anything we can
  do/change/adjust in SA to block these?

load VBounce plugin and increase scores for BOUNCE_MESSAGE,
CRBOUNCE_MESSAGE, VBOUNCE_MESSAGE and ANY_BOUNCE_MESSAGE

maybe SA could look at included headers (if they are RFC822 bounces)
to check if the original message was spam, and score appropriately, if it was
--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Emacs is a complicated operating system without a good text editor.

Best Regards,

Jeff Koch, Intersessions

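Two of the threads above come down to reading SpamAssassin's own headers: Matt Kettler's point that a message without X-Spam-Checker-Version was never fed to SA at all, and Jeff's bounces that were scanned (X-Spam-Status is present) but hit none of the VBounce rules Matus named. The following is an added example, not SA code and not from any of the posters, that triages a raw message on exactly those two questions. The bounce-detection heuristic, the host names and the three sample messages are constructed for the demo; the rule names come from the thread.

```python
"""Triage SpamAssassin headers on received mail (added example, not SA code)."""
import email
from email import policy
from email.message import EmailMessage

# VBounce rule names as given in the thread above.
BOUNCE_RULES = {"BOUNCE_MESSAGE", "CRBOUNCE_MESSAGE",
                "VBOUNCE_MESSAGE", "ANY_BOUNCE_MESSAGE"}


def parse_spam_status(value: str) -> dict:
    """Parse an X-Spam-Status value such as
    "No, score=0.1 required=5.0 tests=MISSING_MID,RDNS_NONE autolearn=no version=3.2.4".
    A long tests= list may be folded after a comma; tokens without '=' are
    appended to the previous field so the list is reassembled."""
    flag, _, rest = value.partition(",")
    fields, key = {}, None
    for tok in rest.split():
        if "=" in tok:
            key, _, val = tok.partition("=")
            fields[key] = val
        elif key is not None:
            fields[key] += tok
    return {
        "is_spam": flag.strip().lower() == "yes",
        "score": float(fields.get("score", "0")),
        "required": float(fields.get("required", "5")),
        "tests": [t for t in fields.get("tests", "").split(",") if t],
        "autolearn": fields.get("autolearn"),
        "version": fields.get("version"),
    }


def looks_like_bounce(msg: EmailMessage) -> bool:
    """Cheap structural check for a delivery status notification (assumption,
    not VBounce's logic): null return path, MAILER-DAEMON sender,
    multipart/report body or a typical failure-notice subject."""
    sender = (str(msg.get("From", "")) + " " + str(msg.get("Return-Path", ""))).lower()
    subject = str(msg.get("Subject", "")).lower()
    return (msg.get_content_type() == "multipart/report"
            or "mailer-daemon" in sender
            or str(msg.get("Return-Path", "")).strip() == "<>"
            or any(w in subject for w in ("failure notice", "undeliverable",
                                          "delivery status", "returned mail")))


def triage(raw: bytes) -> dict:
    """Classify a raw RFC 822 message: 'unscanned' (no SA headers at all),
    'bounce_unscored' (scanned, looks like a bounce, no VBounce rule fired)
    or 'scored'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get("X-Spam-Checker-Version") is None:
        return {"verdict": "unscanned", "status": None, "bounce_rules": []}
    status = parse_spam_status(str(msg.get("X-Spam-Status", "No,")))
    fired = sorted(BOUNCE_RULES.intersection(status["tests"]))
    verdict = "bounce_unscored" if looks_like_bounce(msg) and not fired else "scored"
    return {"verdict": verdict, "status": status, "bounce_rules": fired}


# Constructed sample 1: scanned qmail bounce, no VBounce rule fired (Jeff's case).
BOUNCE_NO_VBOUNCE = b"""Return-Path: <>
From: MAILER-DAEMON@mail.example.test
To: user@example.test
Subject: failure notice
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mx.example.test
X-Spam-Status: No, score=0.1 required=5.0 tests=MISSING_MID,RDNS_NONE
\tautolearn=no version=3.2.4

Hi. This is the qmail-send program. I wasn't able to deliver your message.
"""

# Constructed sample 2: same bounce after VBounce is loaded and scoring.
BOUNCE_WITH_VBOUNCE = b"""Return-Path: <>
From: MAILER-DAEMON@mail.example.test
Subject: failure notice
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on mx.example.test
X-Spam-Status: Yes, score=5.5 required=5.0 tests=VBOUNCE_MESSAGE,
\tANY_BOUNCE_MESSAGE,RDNS_NONE autolearn=no version=3.2.4

Hi. This is the qmail-send program. I wasn't able to deliver your message.
"""

# Constructed sample 3: no SA headers at all, so SA never saw it (Sn!per's case).
UNSCANNED = b"""From: someone@example.test
To: user@example.test
Subject: hello

no spam headers here
"""

if __name__ == "__main__":
    for name, raw in (("bounce", BOUNCE_NO_VBOUNCE), ("bounce+vbounce", BOUNCE_WITH_VBOUNCE),
                      ("unscanned", UNSCANNED)):
        print(name, triage(raw)["verdict"])
```

Run over a mailbox, "unscanned" results point at the mail chain (a second MX, a delivery path that bypasses the milter or procmail rule) rather than at rules, while "bounce_unscored" results mean VBounce is not loaded or whitelist_bounce_relays does not match the hostname in your own Received headers, so the plugin cannot tell a legitimate bounce of your mail from a joe-job.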