Re: Lots of 419/scam and investment spams getting through suddenly

2009-06-19 Thread Charles Gregory
On Fri, 19 Jun 2009, Chip M. wrote: 3. use a country of origin/route plugin #3 is somewhat controversial, and if implemented must be done VERY carefully. I've been looking into country-based IP blocking and it seems to boil down to two choices: 1) A Spamassassin Plugin named 'relaycountry',

Re: more mainsleeze spam

2009-06-18 Thread Charles Gregory
On Thu, 18 Jun 2009, Michael Scheidell wrote: What are you seeing? more main-sleaze spam, directly targeting your company/vertical market or clients? or aren't you seeing much of this? We aren't overwhelmed with it, but now that you mention it, I've been seeing a slow steady trickle of

Re: [sa] Re: Suggested Change For FS_TEEN_BAD

2009-06-16 Thread Charles Gregory
On Tue, 16 Jun 2009, RW wrote: On Tue, 16 Jun 2009 12:03:43 -0500 Andy Dorman ador...@ironicdesign.com wrote: ##{ FS_TEEN_BAD header FS_TEEN_BADSubject =~

Re: Suggested Change For FS_TEEN_BAD

2009-06-16 Thread Charles Gregory
On Tue, 16 Jun 2009, McDonald, Dan wrote: Two 'p's in 'whipping'. One 'x' in 'sexy' :) I've seen sexxxy as well (BIG LOUD LAUGH) (clutches head in pain) No! Not obfuscation checking code! No! Please make it stop! Make it stop! The pain! I can't take it! You are, of course,

Re: [sa] Re: Suggested Change For FS_TEEN_BAD

2009-06-16 Thread Charles Gregory
On Tue, 16 Jun 2009, Andy Dorman wrote: ##{ FS_TEEN_BAD header FS_TEEN_BAD Subject =~ /\b(?:teen(?:s|z)?|girl(?:s|z)?|boy(?:s|z)?|jailbait|lolita(?:s|z)?) .*\b(?:pussy|sex(?:x{0,3}y|ual)?|slut(?:s|ty)?| ass(?:es|fuck(?:ing|ed)?|whip(?:ping|ped)?|

Re: Botnet spam not being caught

2009-06-14 Thread Charles Gregory
On Sat, 13 Jun 2009, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: krszdjkabfqdkcf.iodbkvqhqtyymyw83588989...@[78.97.185.89] Do they all have message ID's that include the IP? Yeah, great, it looks like

Capturing and using values....

2009-06-14 Thread Charles Gregory
Got a usage question. Is there a simple mechanism, similar to Perl's use of parentheses and $1 to 'capture' a value in one rule and USE that captured value in the next rule? For example: To: Bob re...@wherever Followed by one of Subject: hello Bob Subject: hello re...@whatever So I would

Re: [sa] Re: Botnet spam not being caught

2009-06-14 Thread Charles Gregory
On Sun, 14 Jun 2009, John Hardin wrote: header MSGIDIP Message-Id =~ /\...@\[[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\]/ Refine that just a tiny bit: header MSGIDIP Message-Id =~ /\...@\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\]/ LOL! Busted! I was being lazy! - C

Re: [sa] spamd crashing alot

2009-06-14 Thread Charles Gregory
On Sun, 14 Jun 2009, Arvid Picciani wrote: I recently got a lot of crashes, any idea how I could find out why? My mail log doesn't contain anything suspicious. In the absence of evidence/logs, ask yourself 'what changed'? Did you add anything new to your system around the time this started

Re: [sa] Re: BOTNET timeouts?

2009-06-14 Thread Charles Gregory
On Mon, 15 Jun 2009, Res wrote: On Sat, 13 Jun 2009, Charles Gregory wrote: On Sun, 14 Jun 2009, Res wrote: Though now it's Sunday, I have socialising to do, and none of that includes sitting on mailing lists listening to cry babies who expect people involved in OSSP's to drop

Re: [sa] Re: BOTNET timeouts?

2009-06-13 Thread Charles Gregory
On Sat, 13 Jun 2009, Res wrote: my life comes before no-life whinging fucking cry baby lamers like you. I'm always amused by the hypocrisy of people who spend paragraphs of text explaining that the person they are addressing is 'not worth their time'. - C

Re: [sa] Re: BOTNET timeouts?

2009-06-13 Thread Charles Gregory
On Sun, 14 Jun 2009, Res wrote: Though now it's Sunday, I have socialising to do, and none of that includes sitting on mailing lists listening to cry babies who expect people involved in OSSP's to drop everything and be their servants. So we'll just all pretend you didn't send this

Re: Botnet spam not being caught

2009-06-13 Thread Charles Gregory
On Sat, 13 Jun 2009, MySQL Student wrote: Received: from [78.97.185.89] (unknown [78.97.185.89]) Message-ID: krszdjkabfqdkcf.iodbkvqhqtyymyw83588989...@[78.97.185.89] Do they all have message ID's that include the IP? You could score that 0.3 or so to help push it over the line. Also give a

Re: Unsubscribe

2009-06-12 Thread Charles Gregory
maybe i lean towards if you are not smart enough to find the headers you shouldn't have subscribed in the first place. Actually, it's worse than that. In order to FIND the list and the link/instruction to subscribe to it, you go to the website, and the two links for subscribing and

Re: BOTNET timeouts?

2009-06-12 Thread Charles Gregory
On Fri, 12 Jun 2009, LuKreme wrote: So if I may recommend: Why not include the patch as a separate file in your download, John explained why. This patch does not represent the direction he wants to go with Botnet. Remember that comment about design philosophy? When he GOES in that direction,

Optional Tests in Main Ruleset?

2009-06-11 Thread Charles Gregory
Hallo! I've noticed a few rules now that seem to score *very* low. For example: DYN_RDNS_AND_INLINE_IMAGE=0.001 Are these rules 'in development' and therefore not being assigned a significant score as of yet? Or, more interestingly, do they represent an 'optional' set of rules that can be

Re: backscatter from dnswl

2009-06-11 Thread Charles Gregory
On Thu, 11 Jun 2009, Arvid Picciani wrote: the amount of backscatter is getting out of control. I fear our MRA might soon explode. I don't think this is noise anymore. How many accounts are we talking about here? If it is just one or two addresses, and the user(s) being 'spoofed' have

Re: BOTNET timeouts?

2009-06-11 Thread Charles Gregory
Hello all! If I may weigh in on this botnet/dns issue 1) John I completely respect (indeed advocate) the right of volunteers to do as they wish with their time. In all that I say that follows, I keep that first in mind. I speak of principles, but make NO demands on your time. 2) I

Re: [sa] Re: New Spam Mails plz suggest

2009-06-09 Thread Charles Gregory
On Tue, 9 Jun 2009, Matus UHLAR - fantomas wrote: I believe his request for stats is a polite way of disagreeing with your statement that bots 'often' use Outlook SMTP Auth. OK, to be more accurate: times change, and maybe currently it's not that common to use outlook's (or whatever's) engine

Re: New slew of spams

2009-06-08 Thread Charles Gregory
On Mon, 8 Jun 2009, ktn wrote: I am also starting to get a lot of these .rtf attachment only with no email body text spams. Unfortunately, we use hostmonster.com for our email so my ability to customize SA is greatly limited (i.e. I cannot use custom rules). Do you mean that they won't

Re: [sa] Re: New Spam Mails plz suggest

2009-06-08 Thread Charles Gregory
On 08.06.09 12:21, Karsten Bräckelmann wrote: By authenticated users? So that's no bot spam, and the user spams deliberately and consciously... On Mon, 2009-06-08 at 14:01 +0200, Matus UHLAR - fantomas wrote: says who? Afaik spamware often uses outlook's SMTP engine, so it's quite common for

Re: check message body/subject for spam?

2009-06-06 Thread Charles Gregory
On Sat, 6 Jun 2009, Don Ireland wrote: P.S. What I'm looking to do is check it for spam BEFORE sending the message. I find that this kind of 'form spam' is best handled by a couple of simple 'tricks' within the form and the cgi that processes it: 1) Include a 'hidden' field (using the

Re: [sa] New slew of spams

2009-06-05 Thread Charles Gregory
On Fri, 5 Jun 2009, Jeremy Morton wrote: I've suddenly started getting a new slew of spams that are making their way through my SpamAssassin filter. Here's an example of one: http://pastebin.com/m586e296c These are examples of the new variant on 'image only' spams, having only a rtf file

Style Tag abuse

2009-06-03 Thread Charles Gregory
Good morning! Seeing some messages come through with large amounts of bayes poison text inserted between style /style tags. Short of using a 'rawbody' test, is there some other characteristic that we could catch? For example, and another question: Is there any mechanism in SpamAssassin to

Re: word doc spam

2009-06-02 Thread Charles Gregory
Just to be sure that I'm thinking the right way about the 'no text body part' rule: If someone sends a 'normal' message, but elects to not type any text into the body, there *will* still be a mime 'text' section, and it will just be empty, right? So the 'no text body' would mean that the

Re: Identifying Source of False Positives

2009-06-02 Thread Charles Gregory
On Tue, 2 Jun 2009, Rich Shepard wrote: This morning not only was the mail log report and logwatch report falsely flagged as spam, but so were several messages posted to the google group mail list for an application I use. What is interesting to me is that every one had a +2.5 score for

Re: word doc spam

2009-06-02 Thread Charles Gregory
On Tue, 2 Jun 2009, John Hardin wrote: Well, any tool that's composing MIME messages can choose to omit a text body part if no text is available... (snip) In practice, we're only seeing it in spams. There may be false positives in some unusual situations, but it's not likely with legitimate

Re: Identifying Source of False Positives

2009-06-01 Thread Charles Gregory
On Mon, 1 Jun 2009, Rich Shepard wrote: messages that have not before been seen as spam by SA. Specifically, the daily postfix mail log summary report and the daily logwatch report are marked as spam; Well, firstly, examine the mail full headers. There should be an X-Spam-Status header listing

Re: [sa] Re: Identifying Source of False Positives

2009-06-01 Thread Charles Gregory
On Mon, 1 Jun 2009, Rich Shepard wrote: * 2.5 EMPTY_BODY BODY: Message has subject but no body There is certainly body content in the message; it's not empty so I don't understand the 2.5 on that third test. I also don't know where the 3.5 on the second test arises. Just to be

Re: [sa] Re: Identifying Source of False Positives

2009-06-01 Thread Charles Gregory
First guess, look at the procmail code that 'chooses' to run spamassassin. Have you used an 'h' where you meant to use an 'H', thereby feeding *only* the header to spamassassin? ## Call SpamAssassin : 0fw: spamassassin.lock * 256000 | spamassassin Is there anywhere in the procmail

Re: RBL triggered?

2009-05-28 Thread Charles Gregory
Excuse if threading breaks, but I have to copy and paste from the archives. I'm not getting deliveries from the list (due to a bounce somehow disabling deliveries). Currently contacting list owner to resolve this odd issue. Well, at least I can still post :) mouss mo...@ml.netoyen.net

RBL triggered?

2009-05-27 Thread Charles Gregory
Hello! Quick question: Does Spamassassin's RCVD tests also check headers labelled X-Originating-IP? In particular, I received the below message from hotmail with hits on RCVD_IN_BL_SPAMCOP_NET and RCVD_IN_SORBS_WEB. Neither of the hotmail IP's is found in *any* RBL listed at mailabuse.org's

Re: over-representing non-English spam?

2009-05-20 Thread Charles Gregory
On Wed, 20 May 2009, Karsten Bräckelmann wrote: The ok_locales setting defaults to all, effectively disabling all CHARSET_FARAWAY rules. It is intended to be set voluntarily to charsets you cannot even decipher, let alone read. Now that I think about it, I would be much happier with a setting

Re: Why aren't the right rules matching?

2009-05-15 Thread Charles Gregory
On Fri, 15 May 2009, Jeremy Morton wrote: OK, didn't take long to get such an example. :-) http://rafb.net/p/rqOjCJ11.html The only time I've ever seen anything like this was on my old SA 2.x when it didn't properly handle 'quoted printable' and stuff like that. The problem is, by the time

Re: An SMTP transaction, SpamAssassin interface

2009-05-15 Thread Charles Gregory
On Fri, 15 May 2009, Mike Cardwell wrote: For example, during SMTP. If the connecting client sends: MAIL FROM: u...@example.com ... That is a *high* indicator that the email is going to be spam. I haven't found a real mail server that adds that whitespace itself... I have. I get

Re: Combating bouncebacks?

2009-05-14 Thread Charles Gregory
On Thu, 14 May 2009, Jeremy Morton wrote: I've been getting joe-jobbed a LOT recently, to the point where bouncebacks are more of a problem for me than spam now. Depending on how many different addresses are getting joe-jobbed, there is a simple practical test: When *you* send mail, the from

Re: EmailBL plugin released - I like it!

2009-05-13 Thread Charles Gregory
On Wed, 13 May 2009, Henrik K wrote: Still no description of how an address is chosen for inclusion in the RBL blacklist itself. Still wouldn't mind knowing this, unless you fear it would be sharing a secret with spammers that they could use to get around this test... First we should test if

Re: EmailBL plugin released - I like it!

2009-05-12 Thread Charles Gregory
On Tue, 12 May 2009, Marc Perkel wrote: Here's how you do it in Exim your idea has a MASSIVE drawback. It queries the mailbl for EVERY address... That's not the whole code that I'm using. I'm just demonstrating the concept of how you would make it usable from Exim. I have a lot of

Re: EmailBL plugin released - I like it!

2009-05-12 Thread Charles Gregory
I haven't been following the long thread about this plugin. When I followed the links and examined the code/docs, I found that I really didn't have a sense of WHAT this plugin does. At first I thought it was checking for spam 'reply' e-mail addresses within the body of an e-mail (the often

Re: EmailBL plugin released - I like it!

2009-05-12 Thread Charles Gregory
On Tue, 12 May 2009, Yet Another Ninja wrote: Oh.. you must have skipped the first 52 lines of EmailBL.pm No I can *now* see the two lines that say where the module gathers addresses from. If they were there before, my apologies. But I read that section of the module pretty closely.

Re: problem getting spamassassin to invoke fuzzyocr

2009-05-12 Thread Charles Gregory
On Wed, 13 May 2009, Kate Kleinschafer wrote: when I run it as postfix (user that runs spamassassin) So all the same apart from FuzzyOCR I am unsure now how to find out why it is behaving this way. Check for execute group permissions on the FuzzyOCR modules, make sure they are in a group of

Re: [sa] Re: problem getting spamassassin to invoke fuzzyocr

2009-05-12 Thread Charles Gregory
On Wed, 13 May 2009, Lists wrote: Do you mean in /etc/mail/spamassassin/FuzzyOcr? I'm not familiar with the module in particular, but that behaviour - runnable as one user (or root) but not another - is nearly always some sort of permission issue. So if the permissions in the directory look

Re: [sa] RE: Odd behaviour under load.

2009-05-08 Thread Charles Gregory
On Fri, 8 May 2009, Mark wrote: Headers are part of the DATA stream. Hence, at the time a connecting server is awaiting your 354 Start Input reply to their DATA command My apologies. I have misled with the phrase 'data command'. I was referring to the response that the sending server

RE: Odd behaviour under load.

2009-05-08 Thread Charles Gregory
On Fri, 8 May 2009, John Hardin wrote: I suspect the sender is timing out waiting for the 250 OK after sending the message, hence my (humorous) 100 Please hold... suggestion. (Jeeze, SM, lighten up!) (nod) I should not have said data command. Apologies again. And I can see a busy list server

RE: Odd behaviour under load.

2009-05-08 Thread Charles Gregory
On Fri, 8 May 2009, Mark wrote: Okay, working from the idea that indeed the connecting client is timing out waiting for the 250 OK after sending the message, I would think DNS lookups are the most costly, time-wise. So, I would examine the RBL lookups first: it only takes the presence of one

RE: Odd behaviour under load.

2009-05-08 Thread Charles Gregory
On Fri, 8 May 2009, John Hardin wrote: ... my SMTP front end (Mail Avenger) has a bug that prevents me from properly using 'spamc' You can probably work around it, though, by playing some PATH games and getting Mail Avenger to see a shell script named spamassassin (that actually runs

Re: Image-only spams

2009-05-07 Thread Charles Gregory
Sweet! I was trying to puzzle my way around the logic but couldn't figure this one out. Pretty simple once I see it. THANKS! - Charles On Thu, 7 May 2009, John Hardin wrote: Okay, the spammers finally started sending these to me, and they are pretty distinctive. Try this: header

Re: Image-only spams

2009-05-07 Thread Charles Gregory
On Thu, 7 May 2009, John Hardin wrote: Thank me if it works... :) Just fired one of my latest image spams through it and it triggered fine. So until the spammers adapt... THANKS! :) - Charles

Odd behaviour under load.

2009-05-07 Thread Charles Gregory
Hallo! Just wanted to throw in an observation on my system's behaviour with spamassassin 'overloaded' Not really a complaint, as I know what I did 'wrong'. But curious about one of the effects During the recent run of image spams, I tried a couple of different pieces of code that

Re: [sa] RE: Personal SPF

2009-05-06 Thread Charles Gregory
On Tue, 5 May 2009, Mark wrote: Okay, enough with the righteous indignation already. You know, if people put as much effort into my idea as they have into 'putting me in my place', there could be some really great discussions. Sigh... Only several posts ago you had never even heard of

Re: [sa] RE: Personal SPF

2009-05-06 Thread Charles Gregory
On Wed, 6 May 2009, Mike Cardwell wrote: I have an idea which involves deleting every third character of your email to make it route over the Internet faster. What do you think? People wouldn't respond with, That's a bad idea because x, they'd respond with Don't be stupid, and That's a crap

Re: Personal SPF

2009-05-05 Thread Charles Gregory
On Mon, 4 May 2009, LuKreme wrote: This is what port 587 is *for*. This is what SASL authentication is *for*. H. Quick (dumb) question. If I tell my users to click the little check box in a mail client (Outlook Express or Thunderbird) that says use SMTP authentication, does it

Re: Personal SPF

2009-05-05 Thread Charles Gregory
On Tue, 5 May 2009, Matus UHLAR - fantomas wrote: On 04.05.09 16:43, Charles Gregory wrote: Strictly speaking, getting them to use it consistently and properly will be MORE difficult, more difficult than what? More difficult than discussing it here or more difficult than implementing PSPF

Re: Flooded by a SPAM always containing the same picture

2009-05-05 Thread Charles Gregory
Just a quick question: I'm noticing that these 'png' spams don't have a text section, or any message body text, and yet my SA does not trigger on any 'message does not contain text' rules? I've seen rules trigger when messages are a high percentage of image versus text, but why no hits when

Re: Personal SPF

2009-05-05 Thread Charles Gregory
On Tue, 5 May 2009, Mike Cardwell wrote: For what it's worth I also think this personal SPF concept is a terrible idea with zero chance of taking off. And I actually *like* normal SPF. Well, it would be nice if you offered some reasons *why* you feel this way. I said up front that I had a

Re: Personal SPF

2009-05-05 Thread Charles Gregory
On Tue, 5 May 2009, Jonas Eckerman wrote: On 04.05.09 10:31, Charles Gregory wrote: OUR mail server *requires* that a user be connected via our dialups. Configuring the mail account in their MUA independently on their internet connection is much easier than changing SMTP server every time

Re: Personal SPF

2009-05-05 Thread Charles Gregory
This really is an important point. Your current system makes things unnecessarily difficult for roadwarriors. Another poster offers a good supporting reason to use 587 in MUA (regardless of PSPF). On 05.05.09 10:48, Charles Gregory wrote: Roadwarriors (cute term, BTW) form a very small

Re: Personal SPF

2009-05-05 Thread Charles Gregory
On Tue, 5 May 2009, Matus UHLAR - fantomas wrote: Defining personalised SPF would cause much more work and troubles for users. Yes, apparently not for you. Everything is more work. Question is, would it be WORTH it? Many people responded this thread saying it's bad idea. To date, not

Re: Personal SPF

2009-05-05 Thread Charles Gregory
On Tue, 5 May 2009, LuKreme wrote: For what it's worth I also think this personal SPF concept is a terrible idea with zero chance of taking off. And I actually *like* normal SPF. Well, it would be nice if you offered some reasons *why* you feel this way. I did in the portion of the message

Re: Personal SPF

2009-05-05 Thread Charles Gregory
OT : Apologies if I miss any replies to my posts. But they are getting lost in a pile of repeats For some reason I am getting many multiple copies of all the posts from this mailing list. If the list admin is listening in, would he/she be kind enough to check SMTP logs for connections to

Re: Personal SPF

2009-05-05 Thread Charles Gregory
Footnote: Just had one of my users report the same problem on another list. So my suspicion that this is on *my* server seems well-founded... On Tue, 5 May 2009, Charles Gregory wrote: OT : Apologies if I miss any replies to my posts. But they are getting lost in a pile of repeats

Re: [sa] Re: The weirdest problem .....

2009-05-04 Thread Charles Gregory
On Mon, 4 May 2009, John Hardin wrote: Try wiping his AWL entry. We can do that? What tool would I use? - Charles

Re: Personal SPF

2009-05-04 Thread Charles Gregory
On Mon, 4 May 2009, Matus UHLAR - fantomas wrote: On 30.04.09 14:24, Charles Gregory wrote: Proposal: Personal SPF - A DNS-based lookup system to allow individual senders of e-mail to publish a *personal* SPF record within the context of their domain's SPF records, that would identify an IP

Re: Personal SPF

2009-05-04 Thread Charles Gregory
On Mon, 4 May 2009, Matus UHLAR - fantomas wrote: OUR mail server *requires* that a user be connected via our dialups. what do you mean? Users connected by your dialups can only be connected to your mail server? Yes, but also that the user must be connected to our dialup to gain 'relay'

Re: [sa] Re: The weirdest problem .....

2009-05-04 Thread Charles Gregory
On Mon, 4 May 2009, Karsten Bräckelmann wrote: We can do that? What tool would I use? See the spamassassin options with whitelist in the name, particularly --remove-addr-from-whitelist. Okay, maybe I'm misunderstanding. I was under the impression that spamassassin had TWO 'whitelists'. One

Re: The weirdest problem .....

2009-05-04 Thread Charles Gregory
Thanks for the replies. All is now clear. Though I would (politely) request this be clarified in the entries in the docs. Thanks! - Charles On Mon, 4 May 2009, Karsten Bräckelmann wrote: On Mon, 2009-05-04 at 12:16 -0400, Charles Gregory wrote: On Mon, 4 May 2009, Karsten Bräckelmann wrote

Honeypot opportunity? Spammers treating tertiary DNS as MX

2009-05-04 Thread Charles Gregory
Hallo! I run a mail server for exampleALPHA.tld, and that same box also happens to run as a 'tertiary' DNS server for exampleBETA.tld There is no direct relationship between alpha and beta, other than that our two organizations made an arrangement to act as fallback DNS for each other. We do

Re: Personal SPF

2009-05-04 Thread Charles Gregory
On Mon, 4 May 2009, Jonas Eckerman wrote: Why do you think it would be easier to get those of your users that send through other servers to publish a personal SPF record with correct information about the external IP address of the outgoing relay they use than it would be to get them to use

Re: [sa] Re: Honeypot opportunity? Spammers treating tertiary DNS as MX

2009-05-04 Thread Charles Gregory
On Mon, 4 May 2009, Michael Scheidell wrote: No, actually, 'exampleBETA.tld' is invalid. (hint: without real domain names, no one can help you) I believe my descriptions are sufficiently precise that knowing the actual domain names is irrelevant. However, you may substitute 'hwcn.org' for

Re: Image spam and failing rule

2009-05-02 Thread Charles Gregory
On Sun, 26 Apr 2009, Theo Van Dinter wrote: It's already been mentioned, but mimeheader is the right way to look at the headers of MIME parts. Look more closely at my rule. It is checking for TWO headers, one after the other (separated by \n), identifying a gif with no name. full

Re: 'anti' AWL

2009-05-01 Thread Charles Gregory
On Thu, 30 Apr 2009, LuKreme wrote: No, the senders AWL HURTS new spam. If the score is -2 from the AWL then -2 * -0.2 = 0.4 Ah. Missed the negative. Then this particular piece of the logic is good. The odds of any AWL(perIP) other than the legit sender having a negative average are

Re: Almost no score

2009-05-01 Thread Charles Gregory
Uh, what do these 'ratware' rules trigger on? How effective are they, and what are the chances of false positives? - Charles On Thu, 30 Apr 2009, LuKreme wrote: (single lines) header KB_RATWARE_OUTLOOK_16 ALL =~ /^Message-Id:

Re: Almost no score

2009-05-01 Thread Charles Gregory
On Thu, 30 Apr 2009, LuKreme wrote: A tip: the PNG takes up considerably more disk space (and thus loading time) and you're not increasing any quality (since it was originally lossy). Actually, the PNGs load considerably faster for me as desktop images, which is why I convert them. I agree

Re: [-4.0] Re: 'anti' AWL

2009-04-30 Thread Charles Gregory
On Wed, 29 Apr 2009, LuKreme wrote: On 29-Apr-2009, at 15:31, Charles Gregory wrote: Apologies for original brevity, but my comment was a criticism of the proposal to start weighing *all* mail from a specific sender according to whether the IP was the 'most common' used for that address

Re: Almost no score

2009-04-30 Thread Charles Gregory
On Thu, 30 Apr 2009, John Wilcock wrote: mimeheader DSL4DIG_PNG Content-Type =~ /name\=\DSL[0-9]{4}\.png\/ Looks like they've changed from DSL to DSC! I have a few with DSC in today's quarantine, but they were caught by BOTNET rules. Methinks it's time to update the above rule to look for

Re: 'anti' AWL

2009-04-30 Thread Charles Gregory
On Thu, 30 Apr 2009, LuKreme wrote: First off, I suppose that if you get real mail from someone who has only ever been seen as a spam sender, then yes, the first mail would be penalized. But is this ever the case? (nod) Any time someone's address has been used as a spoofed sender before

Personal SPF

2009-04-30 Thread Charles Gregory
Hello! Wild idea time: I won't be surprised if this is shot down... Proposal: Personal SPF - A DNS-based lookup system to allow individual senders of e-mail to publish a *personal* SPF record within the context of their domain's SPF records, that would identify an IP or range of IP's which

Re: Almost no score

2009-04-30 Thread Charles Gregory
On Thu, 30 Apr 2009, LuKreme wrote: mimeheader DSL4DIG_PNG Content-Type =~ /name\=\DSL[0-9]{4}\.png\/ I'd be very careful with that rule (or any related). This file name pattern is a quite standard pattern for pictures from digital cameras. But digital cameras generally produce jpg, not

Re: 'anti' AWL

2009-04-29 Thread Charles Gregory
I just turned off my AWL today, because of FP issues but f...@example.com sends me lots of mail. Say it's over 100. It's all ham and it all comes from mail.example.com. The AWL for this email couplet is , say -2.1. An email comes in from f...@example.com but sent from

Re: [0.0] Re: 'anti' AWL

2009-04-29 Thread Charles Gregory
On Wed, 29 Apr 2009, Jeff Mincy wrote: *someone* is getting their AWL reputation trashed every time a spammer forges their e-mail. AWL stores the IP/16 address with the email address. So your awl reputation is not being trashed by forged e-mail that comes from a different IP address.

Re: Image spam and failing rule

2009-04-26 Thread Charles Gregory
On Sat, 25 Apr 2009, Gary Forrest wrote: We are receiving the same image spam many times, random text within the body. The only common thing is an image attachment, with the filename in the following format DSL1234.png I have made the following ' RAWBODY ' rule /dsl[0-9]{4}\.png/i You need

Re: Another bad kind of spams, for Pfizer knockoffs with image

2009-04-24 Thread Charles Gregory
On Fri, 24 Apr 2009, Igor Chudov wrote: The sales message is contained in a PNG image http://igor.chudov.com/tmp/spam008.txt Any ideas what I can do? I've been scoring the attachment name pattern with a 'full' test. But this will only work until they figure ways to randomize the

Re: SMTP-callbacks (aka Sender Verify, Sender callouts, SAV)

2009-04-24 Thread Charles Gregory
On Fri, 24 Apr 2009, Adam Katz wrote: I read recently that that's a Bad Thing (and I'm leaning on agreeing): http://www.backscatterer.org/?target=sendercallouts The most compelling argument on that site is one that almost slips by un-noticed. A spammer could very well forge a honeypot as a

AWL and FP's....

2009-04-22 Thread Charles Gregory
Hallo! Just curious if anyone has ever found a 'clean' way to handle the 'damage' done to the AWL when someone's mail is blocked by a false positive, and the sender is stupid enough to keep retrying the offending mail? I would rather not turn off AWL. I like the way it gives a negative score

New to list.... URIBL currency?

2009-04-16 Thread Charles Gregory
Greetings! It will take a few days for me to get the 'flow' of this list, and the sense of any threads already in progress. So I apologize if my query has been recently discussed/resolved. Do we have a searchable archive somewhere on the web? First the good news: I got rid of my horrible old
