RE: exclude domain from server-wide
I am running a qmail + simscan + spamassassin + clamav on a centos 5.3. Regards there are many ways to do it... you could try @example.com in your /var/qmail/control/badmailfrom might work... depending on some factors... you could smtp reject above a certain score and do a blacklist in your SA configs and reject it that way... lots of ways... be creative... Thanks you guys for replying. What I meant was, is there a way to exclude one of my virtual domains. The client would like to filter mails with their mail client instead
Re: Other DNSBL's
I'm looking to add other DNSBL's to tomorrow's weekly mass check. I realize most of them probably are too broken to bother, but it would be nice to get some real numbers to confirm it so since the Internet lacks any real DNSBL comparisons that include Ham FP safety.

If you are looking for real numbers, this should be helpful for you:

Blacklists Compared - weekly reports of DNS blacklists lookups
http://www.sdsc.edu/~jeff/spam/cbc.html

Blacklist Monitor - accuracy and inaccuracy rates of various blacklists
http://www.intra2net.com/en/support/antispam/

Please pay attention that some blacklists do only list IP addresses for hours. When running the mass check you need realtime data to get reliable results.

-- Bjoern Sikora
Re: Other DNSBL's
(back from vacation ;)

BTW, could you add tflags nopublish to any rules? or use a T_ prefix on the rule names. that will ensure the testing rules won't get into any published ruleset accidentally. this is very important to avoid accidentally causing a production-level DOS on the BL's servers

--j.

On Fri, Oct 16, 2009 at 14:41, Warren Togami wtog...@redhat.com wrote:

I'm looking to add other DNSBL's to tomorrow's weekly mass check. I realize most of them probably are too broken to bother, but it would be nice to get some real numbers to confirm it so since the Internet lacks any real DNSBL comparisons that include Ham FP safety.

http://antispam.imp.ch/06-dnsbl.html
This one seems to have 3% of the hits compared to PSBL, so I am not bothering to test it in masscheck.

http://bl.csma.biz/
It seems that this blacklist is simply dead. Zero hits on their SBL list within the last day.

Any other DNSBL's out there that you folks use that are worth comparing?

Warren Togami wtog...@redhat.com

-- --j.
RE: Constant Contact
Tara Natanson wrote:

On Fri, Oct 16, 2009 at 12:49 PM, Adam Katz antis...@khopis.com wrote:

Does anybody here know anything about the legitimacy of Constant Contact http://www.constantcontact.com/anti_spam.jsp ?

Hello, I work for Constant Contact. We take reports of spam very seriously. Complaints are processed through our abuse@ address but you won't ever hear what happened to it there other than an auto-ack. If you'd like to send me any complaints I can let you know what became of them. We have a very large compliance and list review group who investigates the complaints and speaks with customers about where their lists came from etc.. Of course we do a lot of preprocessing of their lists when they upload them so we can detect bad senders before they even mail.

Therein lies the problem. Some of your less-reputable customers (if not all of them - we have no way of telling) are uploading dodgy distribution lists which have not been double-opted in. When Constant Contact gets a clue and automatically requests an opt-in confirmation for ALL email addresses uploaded in bulk by their customers then I'll stop adding a high score in SA.

Obviously some gets through (or we wouldn't be having this conversation) and for that we rely on complaints/bounce rates/unsubscribe rates to point us to the problems. feel free to reply to me offlist if you want further info.

Tara Natanson

If it is any consolation, you're not the only bulk-email service that suffers from this problem.

Cheers, Phil

-- Phil Randal | Networks Engineer NHS Herefordshire Herefordshire Council | Deputy Chief Executive's Office | I.C.T. Services Division Thorn Office Centre, Rotherwas, Hereford, HR2 6JT Tel: 01432 260160 email: pran...@herefordshire.gov.uk

Any opinion expressed in this e-mail or any attached files are those of the individual and not necessarily those of Herefordshire Council. This e-mail and any attached files are confidential and intended solely for the use of the addressee.
This communication may contain material protected by law from being passed on. If you are not the intended recipient and have received this e-mail in error, you are advised that any use, dissemination, forwarding, printing or copying of this e-mail is strictly prohibited. If you have received this e-mail in error please contact the sender immediately and destroy all copies of it. You should be aware that Herefordshire Council monitors its email service.
Re: Constant Contact
I get junk from these guys all of the time, others that have followed the 'opt-out' IMO just use it to confirm an email address for sale to others, such as themselves. Maybe I am just extra paranoid, but marketers should just stick to a web search for people that want to purchase from them. Unsolicited email is a quagmire, email marketers do it indiscriminately. If they want to advertise on my server, ad time costs money, they can pay me for using my server for their stuff. Once it enters my ethernet port, it is mine, quite frankly, they should pay me to advertise on my servers. Their junk cost me time and maintenance, so I need to recover those costs, or blacklist them. No such thing as a 'good' spammer, JMO.
anyone collecting French 419 scams?
Lately, a few 419 scams have been slipping through to me, written in French - I get two or three a week. It's sort of amusing to me, but wondered if anyone is collecting them to write rules.

X-Spam-Status: No, score=4 tagged_above=-999 required=4.5 tests=[BOTNET_SOHO=-0.1, L_P0F_UNKN=0.8, RAZOR2_CHECK=0.5, UNWANTED_LANGUAGE_BODY=2.8]

http://pastebin.com/m693d3d17

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
Re: anyone collecting French 419 scams?
On Mon, 19 Oct 2009, McDonald, Dan wrote: Lately, a few 419 scams have been slipping through to me, written in French - I get two or three a week. It's sort of amusing to me, but wondered if anyone is collecting them to write rules. X-Spam-Status: No, score=4 tagged_above=-999 required=4.5 tests=[BOTNET_SOHO=-0.1, L_P0F_UNKN=0.8, RAZOR2_CHECK=0.5, UNWANTED_LANGUAGE_BODY=2.8] http://pastebin.com/m693d3d17 I'd be happy to see them. I'm working on updating the Advance Fee 419 ruleset and your samples would be welcome. Feel free to gzip up a mbox and send it to me. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Think Microsoft cares about your needs at all? A company wanted to hold off on upgrading Microsoft Office for a year in order to do other projects. So Microsoft gave a 'free' copy of the new Office to the CEO -- a copy that of course generated errors for anyone else in the firm reading his documents. The CEO got tired of getting the 'please re-send in XX format' so he ordered other projects put on hold and the Office upgrade to be top priority.-- Cringely, 4/8/2004 --- 18 days since a sunspot last seen - EPA blames CO2 emissions
Re: anyone collecting French 419 scams?
On Mon, 19 Oct 2009, McDonald, Dan wrote: http://pastebin.com/m693d3d17 One thing that leaps right out at me is the encoded characters (e.g. #3648;) in a text/plain body part. Does tis-620 provide for that? -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Think Microsoft cares about your needs at all? A company wanted to hold off on upgrading Microsoft Office for a year in order to do other projects. So Microsoft gave a 'free' copy of the new Office to the CEO -- a copy that of course generated errors for anyone else in the firm reading his documents. The CEO got tired of getting the 'please re-send in XX format' so he ordered other projects put on hold and the Office upgrade to be top priority.-- Cringely, 4/8/2004 --- 18 days since a sunspot last seen - EPA blames CO2 emissions
Re: Constant Contact
When Constant Contact gets a clue and automatically requests an opt-in confirmation for ALL email addresses uploaded in bulk by their customers then I'll stop adding a a high score in SA. The problem with that is that most of Constant Contact's customers are small business that may have users who opted in out-of-band. Hey, Mr. Pooser, we have an email list with monthly discounts-- can we add you to that list? Yeah, I'd read that. Great, just write your email address here on this clipboard If CC makes it too hard for those mom and pop shops to use their service, they'll go somewhere else. So CC can't be too draconian (or they'll lose customers) or too loosey-goosey (or they'll be blacklisted). My own experience with CC has been fine-- when I report a spammer they get nuked fast, and over 99% of the mail received from CC at $ORKPLACE is requested by my users. No complaints here. -- Dave Pooser Cat-Herder-in-Chief, Pooserville.com And the beer I had for breakfast Wasn't bad, so I had one more for dessert.
Re: anyone collecting French 419 scams?
I'd be happy to see them. I'm working on updating the Advance Fee 419 ruleset and your samples would be welcome. Feel free to gzip up a mbox and send it to me. I have a ruleset at http://www.tradoc.fr/spamassassin/fraude_fr.cf that, while it hasn't been actively updated for a while, still hits a few classic Nigerian scams in French. Some of its subtests hit on Dan's sample, but not enough to trigger the meta rule... John. -- -- Over 4000 webcams from ski resorts around the world - www.snoweye.com -- Translate your technical documents and web pages- www.tradoc.fr
KHOP_RCVD_UNTRUST
After testing the khop rules for a few days, I noticed one oddity.

TOP HAM RULES FIRED
RANK  RULE NAME          COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   8  KHOP_RCVD_UNTRUST    410      3.27    11.40     0.20   19.39

This is a 1-point rule which is hitting 19% of my ham and almost no spam. Should this rule be removed, or at least scored lower?

-- Bowie
Re: KHOP_RCVD_UNTRUST
On 10/19/2009 10:11 AM, Bowie Bailey wrote:

After testing the khop rules for a few days, I noticed one oddity.

TOP HAM RULES FIRED
RANK  RULE NAME          COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   8  KHOP_RCVD_UNTRUST    410      3.27    11.40     0.20   19.39

This is a 1-point rule which is hitting 19% of my ham and almost no spam. Should this rule be removed, or at least scored lower?

KHOP rules contained some useful ideas, but many appeared to be suspect to me so I didn't use it myself. They need to be tested in nightly masscheck to determine their true safety and efficacy.

Warren Togami wtog...@redhat.com
Re: KHOP_RCVD_UNTRUST
Bowie Bailey wrote:

After testing the khop rules for a few days, I noticed one oddity.

TOP HAM RULES FIRED
------------------------------------------------------------------
RANK  RULE NAME          COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
------------------------------------------------------------------
   8  KHOP_RCVD_UNTRUST    410      3.27    11.40     0.20   19.39
------------------------------------------------------------------

This is a 1-point rule which is hitting 19% of my ham and almost no spam. Should this rule be removed, or at least scored lower?

It fires only on mail passing through third-party-whitelisted relays like HostKarma-W and DNSWL. That one point is merely limiting the 2+ negative points assigned by the relays, so the net is still negative.

However, I've been noticing those third-party-whitelisting relays steadily improve over time. My numbers don't lean quite as favorably towards ham as yours, but they've moved quite a bit from the original ratio.
Pulling my hair out
I usually think of myself as pretty capable with a computer but Spamassassin and it's website have made me think twice. I took me 20 minutes just to figure out where this forum was. I feel like Apache is trying to weed out dunderheads like me from using their product. I swear I cannot understand 80% of what is written on the how to install page. I've spent three hours now trying to install this program and cannot imagine that this was written for anyone but a computer programmer. I've searched the internet for help elsewhere and every conversation sounds like a foreign language. How is this user-friendly? I'd really like to support OpenSource but I swear if someone doesn't show me a SIMPLE way to work this, I'm dumping SA and Thunderbird and going back to Outlook. -- View this message in context: http://www.nabble.com/Pulling-my-hair-out-tp25967420p25967420.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Pulling my hair out
amadis wrote: I usually think of myself as pretty capable with a computer but Spamassassin and it's website have made me think twice. I took me 20 minutes just to figure out where this forum was. I feel like Apache is trying to weed out dunderheads like me from using their product. I swear I cannot understand 80% of what is written on the how to install page. I've spent three hours now trying to install this program and cannot imagine that this was written for anyone but a computer programmer. I've searched the internet for help elsewhere and every conversation sounds like a foreign language. How is this user-friendly? I'd really like to support OpenSource but I swear if someone doesn't show me a SIMPLE way to work this, I'm dumping SA and Thunderbird and going back to Outlook. Are you running a mail server? SpamAssassin is a tool intended to be used by people who build mailservers that are used at ISPs and companies. It's not intended to be used by end-users for a single mailbox - although if you had the right kind of account at an ISP you could do that - most people would not. If you want to use SpamAssassin I would suggest you find an ISP in your area that provides mailboxes that are scanned by SpamAssassin. And by the way, Thunderbird has nothing to do with SpamAssassin, and people can access SpamAssassin-protected mailboxes just fine with Outlook. Ted
Re: Pulling my hair out
It would help to explain what operating system you are using, at what point you are stuck at the installation, what you've read and what you've tried. Did you look at http://wiki.apache.org/spamassassin/StartUsing ? At 04:26 PM 10/19/2009, amadis wrote: I usually think of myself as pretty capable with a computer but Spamassassin and it's website have made me think twice. I took me 20 minutes just to figure out where this forum was. I feel like Apache is trying to weed out dunderheads like me from using their product. I swear I cannot understand 80% of what is written on the how to install page. I've spent three hours now trying to install this program and cannot imagine that this was written for anyone but a computer programmer. I've searched the internet for help elsewhere and every conversation sounds like a foreign language. How is this user-friendly? I'd really like to support OpenSource but I swear if someone doesn't show me a SIMPLE way to work this, I'm dumping SA and Thunderbird and going back to Outlook.
Re: Pulling my hair out
All: _IS_ there a Thunderbird plugin for SA? That would seem to be quite useful. 1) install perl for your platform (amadis: the perl language interpreter is required for Spam Assassin) 2) install SA 3) install the (hypothetical) Thunderbird plugin Then you can use SA to augment Thunderbird's build-in Junk detector. Amadis: As far as I've generally used SA, it has been on mail servers, not mail clients. There is an exception to that (for unix users, using something called procmail, but that's off topic from your request. Thunderbird does have built-in junk/spam detection, that you turn on in the Thunderbird preferences. Otherwise, you need to ask your email provider to see about installing Spam Assassin on their server or email-gateway. (if they're using Exchange, to match your desire for Outlook, then they'll need a gateway, as far as I know). JRudd On Mon, Oct 19, 2009 at 16:26, amadis adrieneama...@comcast.net wrote: I usually think of myself as pretty capable with a computer but Spamassassin and it's website have made me think twice. I took me 20 minutes just to figure out where this forum was. I feel like Apache is trying to weed out dunderheads like me from using their product. I swear I cannot understand 80% of what is written on the how to install page. I've spent three hours now trying to install this program and cannot imagine that this was written for anyone but a computer programmer. I've searched the internet for help elsewhere and every conversation sounds like a foreign language. How is this user-friendly? I'd really like to support OpenSource but I swear if someone doesn't show me a SIMPLE way to work this, I'm dumping SA and Thunderbird and going back to Outlook. -- View this message in context: http://www.nabble.com/Pulling-my-hair-out-tp25967420p25967420.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Pulling my hair out
On Mon, 2009-10-19 at 16:26 -0700, an anonymous Nabble user wrote: I usually think of myself as pretty capable with a computer but Spamassassin and it's website have made me think twice. I took me 20 minutes just to figure out where this forum was. I feel like Apache is trying to weed out dunderheads like me from using their product. I swear I cannot understand 80% of what is written on the how to install page. I've spent three hours now trying to install this program and cannot imagine that this was written for anyone but a computer programmer. It is written for, and targeted at admins. SA is not a GUI application aiming for users. It is not even intended to be run on a client machine (even though it works), but a server. I've searched the internet for help elsewhere and every conversation sounds like a foreign language. How is this user-friendly? I'd really like to support OpenSource but I swear if someone doesn't show me a SIMPLE way to work this, I'm dumping SA and Thunderbird and going back to Outlook. Threats like that never help, and rarely yield any useful responses. Given your comments, you're trying to install SA on a Windows running end-user machine? -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Pulling my hair out
SA is only for mail servers?! I wish that had been made clear on the SA website. Even now looking at the homepage and FAQ page I see nothing to that effect. But thank you all who responded for clearing this up. I was beginning to think I must have taken a stupid pill when I woke up this morning. I inferred from Thunderbirds settings "trust junk mail headers set by SA" to mean I needed SA. Apparently not. Not very clear on their part. Thanks to everyone who replied so quickly. Evan Platt wrote: It would help to explain what operating system you are using, at what point you are stuck at the installation, what you've read and what you've tried. Did you look at http://wiki.apache.org/spamassassin/StartUsing ? At 04:26 PM 10/19/2009, amadis wrote: I usually think of myself as pretty capable with a computer but Spamassassin and it's website have made me think twice. I took me 20 minutes just to figure out where this forum was. I feel like Apache is trying to weed out dunderheads like me from using their product. I swear I cannot understand 80% of what is written on the how to install page. I've spent three hours now trying to install this program and cannot imagine that this was written for anyone but a computer programmer. I've searched the internet for help elsewhere and every conversation sounds like a foreign language. How is this user-friendly? I'd really like to support OpenSource but I swear if someone doesn't show me a SIMPLE way to work this, I'm dumping SA and Thunderbird and going back to Outlook.
Re: Pulling my hair out
At 04:42 PM 10/19/2009, you wrote: Threats like that never help, and rarely yield any useful responses. I love the people who make threats for free software. If you don't fix this, I'm switching to competitor For one, you get more bees with honey Second, you're threatening to take away essentially non existent business. Kind of like a place that gives away free vanilla ice cream. You go in there and rudely demand they start giving away free chocolate ice cream, or you'll stop going there. From the OP: Sent from the SpamAssassin - Users mailing list archive at Nabble.com. *sigh* I bet you're right on the End User running Windows guess. :)
Re: Pulling my hair out
On Mon, 2009-10-19 at 16:50 -0700, Adriene Harrison wrote: SA is only for mail servers?! I wish that had been made clear on the SA website. Even now looking at the homepage and FAQ page I see nothing to that effect. But thank you all who responded for clearing As I said, server-side filtering is the intended use -- but, yes, it does work client-side, too. Granted, helps a great lot, if your mail client provides integration glue. And of course, if you're running e.g. Linux, where installing SA usually is a breeze. But I digress... this up. I was beginning to think I must have taken a stupid pill when I woke up this morning. I inferred from Thunderbirds settings trust junk mail headers set by SA to mean I needed SA. Apparently This means what the words say -- *trust* the headers, usually injected somewhere server-side, to have the client act upon it, if there are no dedicated spam folders on the server, for example. Trust is key here, because anyone in the chain could have added these headers, and it makes sense only, if you know you *are* running SA on your server, nearby. That setting won't work as you hoped for anyway. It doesn't call SA. not. Not very clear on their part. Thanks to everyone who replied so quickly. Another related note: While I do know (from various experiences), that running SA server-side is much superior to running any light-weight client spam filter -- SA uses too much resources (most of all pure time), to be really useful client-side with any substantial amount of spam or ham messages to scan. In such a case, if server-side is not an option, I'd recommend to try some client filters first. Like the Thunderbird built-in one... -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
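The point made above about trusting X-Spam headers, as an added example that is not part of the original thread: a client-side check that honours an X-Spam-Status header only when it sits above the Received line written by your own mail server, so a copy forged by the sender (which always ends up below that line) is ignored. The hostname mx.example.net, the function name and the sample messages are constructed, and the check assumes your server prepends its X-Spam-* headers above its own Received header and that all mail in the mailbox arrives through it.

```python
import re
from email import message_from_string

# Assumption: the name your own SpamAssassin-running MX writes in the "by"
# clause of its Received header. Placeholder value, replace with your own.
TRUSTED_MX = {"mx.example.net"}

BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.I)
STATUS = re.compile(r"^\s*(Yes|No)\s*,\s*score=(-?\d+(?:\.\d+)?)", re.I)


def trusted_spam_status(raw, trusted_mx=TRUSTED_MX):
    """Return (is_spam, score) from an X-Spam-Status header that was added
    at or after the trusted MX, or None if no such header exists."""
    headers = message_from_string(raw).items()  # top-to-bottom order

    # Each hop prepends headers, so the first Received line (from the top)
    # naming our MX marks the boundary: everything below it was already in
    # the message when it reached us and may have been written by anyone.
    boundary = None
    for idx, (name, value) in enumerate(headers):
        if name.lower() == "received":
            m = BY_HOST.search(value)
            if m and m.group(1).lower().rstrip(".") in trusted_mx:
                boundary = idx
                break
    if boundary is None:
        return None  # never passed our MX: trust nothing

    for name, value in headers[:boundary]:
        if name.lower() == "x-spam-status":
            m = STATUS.match(value)
            if m:
                return (m.group(1).lower() == "yes", float(m.group(2)))
    return None  # our server did not scan it; ignore any header below


# Constructed sample: scanned by our server, plus a forged "No" header that
# the sender put into the message before sending it.
SCANNED = """\
X-Spam-Status: Yes, score=7.2 required=4.5 tests=[RAZOR2_CHECK=0.5]
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 19 Oct 2009 16:50:00 -0700
X-Spam-Status: No, score=-5.0 required=4.5 tests=[]
From: sender@example.org
Subject: constructed sample

body
"""

# Constructed sample: our server added no verdict; only the forged one exists.
UNSCANNED = """\
Received: from relay.example.org (relay.example.org [192.0.2.10])
\tby mx.example.net with ESMTP; Mon, 19 Oct 2009 16:51:00 -0700
X-Spam-Status: No, score=-5.0 required=4.5 tests=[]
From: sender@example.org
Subject: constructed sample

body
"""

if __name__ == "__main__":
    print(trusted_spam_status(SCANNED))
    print(trusted_spam_status(UNSCANNED))
```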
Re: Pulling my hair out
On Monday 19 October 2009, Ted Mittelstaedt wrote: amadis wrote: I usually think of myself as pretty capable with a computer but Spamassassin and it's website have made me think twice. I took me 20 minutes just to figure out where this forum was. I feel like Apache is trying to weed out dunderheads like me from using their product. I swear I cannot understand 80% of what is written on the how to install page. I've spent three hours now trying to install this program and cannot imagine that this was written for anyone but a computer programmer. I've searched the internet for help elsewhere and every conversation sounds like a foreign language. How is this user-friendly? I'd really like to support OpenSource but I swear if someone doesn't show me a SIMPLE way to work this, I'm dumping SA and Thunderbird and going back to Outlook. Are you running a mail server? SpamAssassin is a tool intended to be used by people who build mailservers that are used at ISPs and companies. It's not intended to be used by end-users for a single mailbox - although if you had the right kind of account at an ISP you could do that - most people would not. I wonder where that got started? I have experience with 5 ISP's over the years, and currently have accounts with two majors plus the tv station where I was the CE for almost 20 years, now retired. I have never been refused access via a pop3 fetcher such as fetchmail by any of them as long as my scripts had the passwd and crypt protocols set correctly. I pop all 3 of them every 90 seconds on a dsl circuit. Fetchmail hands it off to procmail, procmail then /dev/nulls the known spammers, then hands it of to SA, and anything coming back with more than 4 stars again gets sent to /dev/null. It hands the rest to kmail, which sorts it into folders and hands it to me. As near total hands off once configured as it can be. 
I would submit that the innate fear of a text editor to be used to configure this stuff is a much larger reason a lot of people use a webmailer at their ISP. The question then is how do we convince them its ok to set options in a text file instead of a web page controlled by the ISP, where you have to click past 3 web spams per message before you can actually see the message? If you want to use SpamAssassin I would suggest you find an ISP in your area that provides mailboxes that are scanned by SpamAssassin. And by the way, Thunderbird has nothing to do with SpamAssassin, and people can access SpamAssassin-protected mailboxes just fine with Outlook. Ted -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) The NRA is offering FREE Associate memberships to anyone who wants them. https://www.nrahq.org/nrabonus/accept-membership.asp The fortune program is supported, in part, by user contributions and by a major grant from the National Endowment for the Inanities.