Re: [sa] Re: emailreg.org - tainted white list
On Thu, 17 Dec 2009, Yet Another Ninja wrote:
> On 12/16/2009 6:16 PM, Charles Gregory wrote:
>> On Wed, 16 Dec 2009, Yet Another Ninja wrote:
>>> blabber... checkout SVN - follow dev list... HABEAS is history...
>> I believe the *point* here is that HABEAS is NOT 'history' for ordinary systems running ordinary sa-update on 3.2.5.
> they can adjust scores if they don't approve of what has been delivered...

Agreed. But that does not make the statement "HABEAS is history" accurate in any way that is relevant to current sa-update.

>> My rules (in /var/lib/spamassassin) still include the strong negative scores for HABEAS, as discussed here.
> funny.. my rules show a 0 score for HABEAS stuff, same with all the other certification services. oh wait!! I adjusted the scores myself coz I didn't want them in my way.

Why don't you go one step further and just 'unsubscribe' from any spam you receive? If you want the ultimate in responsive after-the-spam-has-arrived customization, that's the way to go ;)

Oh. Sorry. Sometimes the sarcasm gets away from me. We are discussing the DEFAULT rules. The only way someone can tell me that HABEAS is history and have it apply to ME is if they have propagated a change through sa-update. They haven't.

Your customization sounds a lot like mine. But just because you and I have solved our problems for *us* personally does not mean we can just forget about everyone else. You're a Ninja, judging by your From header. You *must* be in this to improve things for everyone. I'm certainly not posting here just to hear myself talk. I can customize my server far faster (it's actually a daily routine) than I can type suggestions here. But I want this to work for everyone. And everyone is not on this list. So changing SA defaults is the best way to help everyone. I don't have the 'budget' to just jump in and help code, so I make suggestions, with (I hope) the appropriate tone of respect for the people who *do* have the 'budget' to be working on improving SA.
But this is NOT me whining about *my* problems. I don't have a problem with HABEAS. I occasionally notice their rule fire, but usually something else knocks out the spam anyways (shrug) - C
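The disagreement above (strong negative scores delivered by sa-update versus scores an admin has zeroed locally) turns on how SpamAssassin resolves a rule's effective score, and that can be audited mechanically. A `score` line carries either one value or four; the four are used, in order, when Bayes and network tests are both off, when only network tests are on, when only Bayes is on, and when both are on. Later `score` lines override earlier ones, and the site config dir (/etc/mail/spamassassin) is read after the rules dir, which is why a `score RULE 0` in local.cf survives each sa-update. The Python below is an added example, not code from this thread or from the SpamAssassin project: it folds constructed sample .cf text in that order, lists rules whose effective score is strongly negative, and emits the neutralising local.cf lines. The HYPO_ rule names and every score value are constructed (BAYES_99 and URIBL_BLACK are real rule names but their values here are made up, not the shipped 50_scores.cf), and `if`/`ifplugin` blocks are not evaluated, so treat it as an audit aid alongside `spamassassin -D --lint` rather than a replacement for SA's own parser.

```python
"""Audit effective SpamAssassin rule scores and flag strongly negative ones.

Added example, not code from the thread or from the SpamAssassin project.
Rule names prefixed HYPO_ and every score value below are constructed.
"""
import re

# A 'score' line carries one value, or four (one per score set).
_SCORE_RE = re.compile(r"^score\s+([A-Za-z0-9_]+)\s+(.+)$")
_NUM_RE = re.compile(r"^-?\d+(?:\.\d+)?$")


def score_set(use_bayes, use_network):
    """Column index into a four-value score line, per SA's 'score' semantics:
    0 = Bayes off, net off; 1 = net on, Bayes off; 2 = Bayes on, net off; 3 = both on."""
    return (2 if use_bayes else 0) + (1 if use_network else 0)


def parse_scores(text, set_index=3, scores=None):
    """Apply the 'score' lines of one .cf file to `scores`; later lines win,
    as they do in SA. An unescaped '#' starts a comment. Conditionals
    (if / ifplugin blocks) are not evaluated, so score lines inside them are
    applied unconditionally: this is an audit aid, not the config parser."""
    scores = {} if scores is None else scores
    for raw in text.splitlines():
        line = re.sub(r"(?<!\\)#.*$", "", raw).strip()
        m = _SCORE_RE.match(line)
        if not m:
            continue
        name, values = m.group(1), m.group(2).split()
        if len(values) not in (1, 4) or not all(_NUM_RE.match(v) for v in values):
            raise ValueError("malformed score line: %r" % raw)
        scores[name] = float(values[0] if len(values) == 1 else values[set_index])
    return scores


def effective_scores(cf_texts, set_index=3):
    """Fold .cf contents in the order SA reads them: the rules dir first
    (e.g. /var/lib/spamassassin after sa-update), the site config dir last
    (e.g. /etc/mail/spamassassin/local.cf), so site overrides win."""
    scores = {}
    for text in cf_texts:
        parse_scores(text, set_index, scores)
    return scores


def strong_negatives(scores, threshold=-2.0):
    """Rules whose effective score is at or below `threshold`: each one can on
    its own pull a message back under the 5-point spam line."""
    return sorted((n, s) for n, s in scores.items() if s <= threshold)


def neutralising_overrides(findings, keep_visible=False):
    """local.cf lines for the flagged rules. SA treats a score of 0 as
    disabling the rule entirely (it no longer runs or appears in
    X-Spam-Status); keep_visible emits 0.001 instead so the rule still fires
    for monitoring but carries no real weight."""
    value = "0.001" if keep_visible else "0"
    return "".join("score %s %s\n" % (name, value) for name, _ in findings)


# Constructed sample rule files (not the shipped 50_scores.cf).
DEFAULT_RULES = """\
# shipped defaults; four columns are score sets 0..3
score BAYES_99 0 0 3.5 3.5
score URIBL_BLACK 0 1.955 0 1.961
score HYPO_CERT_COI -8.0            # one value applies to every set
score HYPO_CERT_SOI 0 -4.3 0 -4.3   # only counts when network tests run
"""

SITE_LOCAL_CF = """\
# /etc/mail/spamassassin/local.cf, read after the rules dir, so this wins
score HYPO_CERT_COI 0
"""

if __name__ == "__main__":
    for bayes, net in ((True, True), (False, False)):
        idx = score_set(bayes, net)
        before = strong_negatives(effective_scores([DEFAULT_RULES], idx))
        after = strong_negatives(effective_scores([DEFAULT_RULES, SITE_LOCAL_CF], idx))
        print("set %d (bayes=%s, net=%s): defaults %s -> with local.cf %s"
              % (idx, bayes, net, before, after))
    print(neutralising_overrides(strong_negatives(effective_scores([DEFAULT_RULES]))), end="")
```

Run it against real files by reading the sa-update directory's .cf files in sorted filename order followed by local.cf and passing the contents to `effective_scores`, with the `set_index` that matches whether Bayes and network tests are enabled on that host; the HYPO_CERT_SOI line shows why a rule that looks harmless in a no-network audit can still carry a large negative weight in production.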
RE: [sa] RE: emailreg.org - tainted white list
> Still doesn't answer my question. Perhaps I'm dense. But to spell out my question more explicitly: what do you mean by "personal response spam"? Is that just Richard's on-list responses we've all seen? Or something else? (did I miss that part of the conversation?). And what do you mean by "to this account"? To this list? To your own inbox? Are you referring to messages that are obviously from Richard (including alter-ego ones)? Or some kind of UBE campaign that you think he is behind? (if so, please describe) Still confused.
> -- Rob McEwen

Rob, don't be confused, she missed a comma in that line was all... btw, we are still waiting on the hearsay secret squirrel info... - rh
Re: [sa] RE: emailreg.org - tainted white list
On Mon, 2009-12-14 at 23:07 +0100, Yet Another Ninja wrote:
> On 12/14/2009 10:55 PM, Daniel J McDonald wrote:
>> I'd love to have the clamav unofficial signature families scored. I have a fine guess as to how relevant they are, but it is just that - a guess.
> someone, somewhere is already converting ClamAV signatures to HUGE (slow) rule files, forgot where I saw them. Google around...

That's not the issue. I have no problem scanning with clam and no problem associating some signature families with scores rather than blindly discarding. The issue is: how much should I trust the various sets of signatures? Although I have a fairly good feel for it based on intuition, there is nothing like a mass-check to settle the matter.

That's the issue with pulling all of the whitelists out of the scoring mix - the whitelist components are part of the mix that allows 5 points to indicate spam. And I was trying to counter the argument that we should simply rip those pieces out and expect that, when people re-assemble them piecemeal, the end result will still be 5 points for spam...

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
Re: [sa] RE: emailreg.org - tainted white list
On Tue, 2009-12-15 at 07:29 -0600, Daniel J McDonald wrote:
> That's the issue with pulling all of the whitelists out of the scoring mix - the whitelist components are part of the mix that allows 5 points to indicate spam. And I was trying to counter the argument that we should simply rip those pieces out and expect that, when people re-assemble them piecemeal, the end result will still be 5 points for spam...

Clarification: I, for one, was only proposing that the whitelisting plugins and rules that query external databases are removed from the standard ruleset and sa-update and placed in a separate library of optional rules. My reasons for making this suggestion are:

- all URIBL tests can be disabled with skip_rbl_checks. All whitelist/blacklist rules should be controlled by this preference, hence it should already be possible to disable them without impacting any other standard rule.
- they can safely be excluded from sa-update since the rule(s) and plugin will not change during the life of an SA version. Apart from bugfixes all changes[*] that affect message scoring are applied to the external database by its maintainer.
- the act of separating these rules from the main rule corpus makes it clear to SA admins that they are optional. It also has the side-effect of removing their maintenance workload from SA devs.

[*] apart from score adjustment, obviously.

Martin
Re: [sa] RE: emailreg.org - tainted white list
On Tue, 15 Dec 2009, Martin Gregorie wrote:
> Clarification: I, for one, was only proposing that the whitelisting plugins and rules that query external databases are removed from the standard ruleset and sa-update and placed in a separate library of optional rules.

The 'issue' (as I see it) is that a great many servers install a 'standard' SA 'package', quite possibly just the one that came as a 'supported' version with their OS distro. So it is important to not simply exclude from that 'core' SA install anything that is contentious, but to make the best possible assessment of all rules, including whitelist rules, which will have the best chances of catching spam with few FP's.

Once we reach the level of a competent (sic) sysadmin reviewing the default configuration and modifying it, it matters very little whether the rules are in the core set or added-on. In some ways it is still easier to have a rule included by default that can then be disabled if it proves to have poor results. So although the 'modular' concept is always a good one, it does not allow us to sidestep that burden of responsibility to have the core default SA be the best that it can be. :)

- Charles
Re: [sa] RE: emailreg.org - tainted white list
From: Charles Gregory cgreg...@hwcn.org
Sent: Monday, 2009/December/14 12:35
> On Tue, 15 Dec 2009, Michael Hutchinson wrote:
>> If everyone could ignore the taunting, and just carry on, there wouldn't be an issue.
> The taunting *is* the issue. The rest of the arguments, about design and defaults, are carried on by numerous individuals in a quite civilized manner. But when someone starts throwing around stupid accusations, then the person attacked focuses their efforts on 'defending' themselves, rather than on a fair unbiased review of what *should* be the 'issue'.

Three points:

1) It is known this list is read by spammers to learn what we are doing. I've verified this with challenge/response tactics including taunting more than once. Once I taunted a spam I received for not making it to 100. The guy didn't try hard enough. Within two days a small number of spams reaching well over 100 came through. I consider that as confirmation of common-sense. Spammers read this list.

2) On several occasions now Richard has tried to torpedo valid attempts to scuttle spam. (I've STILL not seen a spam get through that has the HABEAS tag. I am lower volume than you guys. So that's simply my own verification of other people's data sets indicating HABEAS has a very low but not zero false alarm rate.) I see this effort as something of high profit to spammers. So it seemed rational to remind people that this list is basically anonymous, spammers read it and can post just as can non-spammers.

3) Coincidence or not, since I posted that taunt to Richard and his response personal spam to this account has increased sharply.

I am making no conclusion here. I'm presenting facts. Call me out on the facts not the taunt lest you damage your argument.

It is possible to claim coincidence on 1 and 3. I suspect that's a low probability coincidence. It is possible, though, particularly for 3. Spam does seem to come in waves.
And I haven't particularly noticed any newly prominent type of spam yet, which is a good indicator of spam from one master source. (Item 1 was a well known drug spammer who had a very well established pattern and sat on the ROKSO top ten. His response was amusing, probably for him as much as for me. I respect his abilities as I deplore his ethics and morals.) {^_^}
Re: [sa] RE: emailreg.org - tainted white list
jdow wrote:
> his response personal spam to this account has increased sharply

Uuh, what does that mean, exactly?

-- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: [sa] RE: emailreg.org - tainted white list
On Tue, 15 Dec 2009 11:01:51 -0800 jdow j...@earthlink.net wrote:
> From: Charles Gregory cgreg...@hwcn.org
> Sent: Monday, 2009/December/14 12:35
>> On Tue, 15 Dec 2009, Michael Hutchinson wrote:
>>> If everyone could ignore the taunting, and just carry on, there wouldn't be an issue.
>> The taunting *is* the issue. The rest of the arguments, about design and defaults, are carried on by numerous individuals in a quite civilized manner. But when someone starts throwing around stupid accusations, then the person attacked focuses their efforts on 'defending' themselves, rather than on a fair unbiased review of what *should* be the 'issue'.
>
> Three points:
>
> 1) It is known this list is read by spammers to learn what we are doing. I've verified this with challenge/response tactics including taunting more than once. Once I taunted a spam I received for not making it to 100. The guy didn't try hard enough. Within two days a small number of spams reaching well over 100 came through. I consider that as confirmation of common-sense. Spammers read this list.

In the same way spammers own Barracuda's, Ironports, have Messagelabs and Postini accounts etc etc. This is kinda obvious, but I guess some people may not know it. I too see a big increase in spam from this posting to this list. I, however, welcome it as is useful to study.

> 2) On several occasions now Richard has tried to torpedo valid attempts to scuttle spam.

That is a lie. Would you like to back that up with some kind of basis in fact? Richard has been at the other end of this claim in asking *why* obvious spam gets past SA, and why Whitelists that 'grease the wheels' are part of the default core.

> 3) Coincidence or not, since I posted that taunt to Richard and his response personal spam to this account has increased sharply.

If it were a taunt I'm sure Richard would find that very lame. You only have to look at his NANAE postings to realise that calling him a 'spammer' would not even register on his insult scale. If you think it would, you are probably very mistaken.

> I am making no conclusion here. I'm presenting facts. Call me out on the facts not the taunt lest you damage your argument.

You have presented an opinion, not facts. A fact would be 'Datetheuk' emits spam - but is Habeas whitelisted. "The Titanic has sunk" - is a fact, "Marc Bolan is dead" - is a fact. Perhaps you are some kind of spammer trying to divert attention from yourself?

-- This e-mail and any attachments may form pure opinion and may not have any factual foundation. Please check any details provided to satisfy yourself as to suitability or accuracy of any information provided. Data Protection: Unless otherwise requested we may pass the information you have provided to other partner organisations.
Re: [sa] RE: emailreg.org - tainted white list
From: Rob McEwen r...@invaluement.com
Sent: Tuesday, 2009/December/15 11:10
> jdow wrote:
>> his response personal spam to this account has increased sharply
> Uuh, what does that mean, exactly?

A possible cause and effect exists. I can neither prove nor disprove it. The fact exists. {^_^}
Re: [sa] RE: emailreg.org - tainted white list
From: Christian Brel brel.spamassassin091...@copperproductions.co.uk
Sent: Tuesday, 2009/December/15 11:54
> On Tue, 15 Dec 2009 11:01:51 -0800 jdow j...@earthlink.net wrote:
> Perhaps you are some kind of spammer trying to divert attention from yourself?

Snicker. I have longer bona fides on this list than I suspect you do and my partner is a currently inactive SARE ninja who has contributed some effective rules. Ah well. {^_^}
Re: [sa] RE: emailreg.org - tainted white list
jdow wrote:
> From: Rob McEwen r...@invaluement.com
> Sent: Tuesday, 2009/December/15 11:10
>> jdow wrote:
>>> his response personal spam to this account has increased sharply
>> Uuh, what does that mean, exactly?
> A possible cause and effect exists. I can neither prove nor disprove it. the fact exists.

Properly known as a correlation. Which, as you say, does not prove cause and effect. The correlation exists.

-- Chris Hoogendyk, Systems Administrator, Biology & Geology Departments, 140 Morrill Science Center, University of Massachusetts, Amherst, hoogen...@bio.umass.edu, Erdös 4
Re: [sa] RE: emailreg.org - tainted white list
jdow wrote:
>> jdow wrote:
>>> his response personal spam to this account has increased sharply
>> Uuh, what does that mean, exactly?
> A possible cause and effect exists. I can neither prove nor disprove it. the fact exists.

Still doesn't answer my question. Perhaps I'm dense. But to spell out my question more explicitly: what do you mean by "personal response spam"? Is that just Richard's on-list responses we've all seen? Or something else? (did I miss that part of the conversation?). And what do you mean by "to this account"? To this list? To your own inbox? Are you referring to messages that are obviously from Richard (including alter-ego ones)? Or some kind of UBE campaign that you think he is behind? (if so, please describe) Still confused.

-- Rob McEwen http://dnsbl.invaluement.com/ r...@invaluement.com +1 (478) 475-9032
Re: [sa] RE: emailreg.org - tainted white list
On Tue, 15 Dec 2009, Rob McEwen wrote:
> jdow wrote:
>>> jdow wrote:
>>>> his response personal spam to this account has increased sharply
>>> Uuh, what does that mean, exactly?
>> A possible cause and effect exists. I can neither prove nor disprove it. the fact exists.
> Still doesn't answer my question. Perhaps I'm dense. But to spell out my question more explicitly: what do you mean by "personal response spam"?

try: "his response, personal spam to this account has increased"

Does that parse better?

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Our government should bear in mind the fact that the American Revolution was touched off by the then-current government attempting to confiscate firearms from the people. --- Today: Bill of Rights day
Re: [sa] RE: emailreg.org - tainted white list
From: Rob McEwen r...@invaluement.com
Sent: Tuesday, 2009/December/15 13:13
> jdow wrote:
>>> jdow wrote:
>>>> his response personal spam to this account has increased sharply
>>> Uuh, what does that mean, exactly?
>> A possible cause and effect exists. I can neither prove nor disprove it. the fact exists.
> Still doesn't answer my question. Perhaps I'm dense. But to spell out my question more explicitly: what do you mean by "personal response spam"? Is that just Richard's on-list responses we've all seen? Or something else? (did I miss that part of the conversation?). And what do you mean by "to this account"? To this list? To your own inbox? Are you referring to messages that are obviously from Richard (including alter-ego ones)? Or some kind of UBE campaign that you think he is behind? (if so, please describe)

Thank you for spelling it out. I am speaking of spam directed to this account. That email must be to this address or one of three others (which showed no increase) in order to get through to our machines. I use fetchmail for my email and for Loren's several accounts. I can't say if his spam increased dramatically in the last two days ( to 2359:59 PST) or not.

I am speaking of generic spam. I've not noticed a specific type that has increased. I'm too lazy to look. I have received an unusual number of "You've won" emails today and yesterday. I've not looked for a specific style so I left the observation at "increase in spam received". That in no way accuses anybody of personally sending me spam. I simply looked at the bulk numbers which took a maybe 20% jump beyond the normal Monday bounce. This correlation is not nearly as strong as with the earlier episode.

Given what data and facts I have I am taking anything Richard and his sock puppets, alter-egos, or fellow conspiracy theorists might suggest and pretty much tossing it into the intellectual black hole in which it belongs. And I'm stating that's what I've observed. Now I've stated what I intend to do about it. Others here are adults. They can make up their own minds, generate their own facts, and add them up.

I'll add one other thing, I'm not a fan of Habeas; however, I have seen reason to give them a modest negative score low enough it will likely get overridden by a trusted source going rogue. The old Haiku approach was so bad I had a strong positive score on it. That had colored my attitudes - the "Aw Sh**!" vs "Brownie Points" issue struck again. {^_^}
Re: [sa] RE: emailreg.org - tainted white list
On Tue, 15 Dec 2009 14:11:13 -0800 jdow j...@earthlink.net wrote:
> From: Rob McEwen r...@invaluement.com
> Sent: Tuesday, 2009/December/15 13:13
>> jdow wrote:
>>>> jdow wrote:
>>>>> his response personal spam to this account has increased sharply
>>>> Uuh, what does that mean, exactly?
>>> A possible cause and effect exists. I can neither prove nor disprove it. the fact exists.
>> Still doesn't answer my question. Perhaps I'm dense. But to spell out my question more explicitly: what do you mean by "personal response spam"? Is that just Richard's on-list responses we've all seen? Or something else? (did I miss that part of the conversation?). And what do you mean by "to this account"? To this list? To your own inbox? Are you referring to messages that are obviously from Richard (including alter-ego ones)? Or some kind of UBE campaign that you think he is behind? (if so, please describe)
> Thank you for spelling it out. I am speaking of spam directed to this account. That email must be to this address or one of three others (which showed no increase) in order to get through to our machines. I use fetchmail for my email and for Loren's several accounts. I can't say if his spam increased dramatically in the last two days ( to 2359:59 PST) or not.

You are now claiming Richard is powerful enough to produce a worldwide increase in spam that only affects you?

> I am speaking of generic spam. I've not noticed a specific type that has increased. I'm too lazy to look. I have received an unusual number of "You've won" emails today and yesterday. I've not looked for a specific style so I left the observation at "increase in spam received". That in no way accuses anybody of personally sending me spam. I simply looked at the bulk numbers which took a maybe 20% jump beyond the normal Monday bounce. This correlation is not nearly as strong as with the earlier episode.
>
> Given what data and facts I have I am taking anything Richard and his sock puppets, alter-egos, or fellow conspiracy theorists might suggest and pretty much tossing it into the intellectual black hole in which it belongs. And I'm stating that's what I've observed. Now I've stated what I intend to do about it.

Habeas + Emailreg are *not* spam BLOCKING tools. They are tools that facilitate the delivery of UCE/UBE/SPAM. To point that out is *not* scuttling any attempt to block spam. To the contrary. Are we clear on that or are you ignoring that?

All that is required is for Spamassassin to default install with NEUTRAL (0 point) rules for Habeas {or any other p2s whitelist it chooses to include}. The views about Return Path, Habeas, Barracuda, Emailreg.org will fall by the wayside and give the 'product' more credibility if this simple change is made and, in effect, rain on Richard's parade of black helicopters and corruption. There is no *logical* reason not to make this change. There may be a business one (Barracuda have donated to Apache - what about Return Path/Habeas?).

Again if you have any *facts* or proof that Richard has been behind a personal worldwide increase in spam to your inbox, please share it. Otherwise you look like you are trolling with your imagination running away with the fairies.

--
Re: [sa] RE: emailreg.org - tainted white list
On Tue, 15 Dec 2009, Michael Hutchinson wrote:
> If everyone could ignore the taunting, and just carry on, there wouldn't be an issue.

The taunting *is* the issue. The rest of the arguments, about design and defaults, are carried on by numerous individuals in a quite civilized manner. But when someone starts throwing around stupid accusations, then the person attacked focuses their efforts on 'defending' themselves, rather than on a fair unbiased review of what *should* be the 'issue'.

To make a point requires nothing more than well-established facts. But name-calling and mindless accusations are an ego-driven thing. Once someone invests their arguments with ego, you cannot count on anything they say being accurate to any degree. They will literally say anything to advance their 'cause' and 'win' whatever argument they have joined.

> Someone has to stir the pot occasionally, and it doesn't hurt to have someone around that makes you think outside the square.

Interestingly enough, *I* have stirred this same pot a couple of times, with very little effect. So while it is a reasonable argument that being offensive and abusive fails to achieve results, I have to admit that being quiet and deferring in tone also has little effect. So I wonder, what *does* it take for the 'amateurs' (that would be folks like me! *grin*) to bring a possible issue to the attention of the people in the 'know', and have it discussed?

I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IP's as favored candidates for hacking? I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy?

- Charles
Re: [sa] RE: emailreg.org - tainted white list
Charles Gregory wrote:
> I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IP's as favored candidates for hacking? I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy?

To my knowledge, such a correlation has not yet been observed. Which is different from asserting that it hasn't happened, but I think for the purposes of your question it does indicate that there is not currently a "serious issue" as you put it.

I can mostly just offer opinion, and that would be that whitelisting is not (yet) in wide enough use to have become a sufficiently attractive target.

Bob --
Re: [sa] RE: emailreg.org - tainted white list
On Mon, 14 Dec 2009, Bob O'Brien wrote:
> I can mostly just offer opinion, and that would be that whitelisting is not (yet) in wide enough use to have become a sufficiently attractive target.

Which brings us back to the 'rational version' of the discussion about SA weighing whitelists favorably by default. I'm *presuming* that the whitelists are seen on more ham than spam, but I only *see* the spam, that's the nature of my watchdog role. (smile)

I've not heard any further comment on what has happened with that 'datetheuk' spam. Was it accidental? A hack? Mismanagement of the whitelist? The silence is deafening. I'd like to think we're not going to just drop the issue because *someone* unpopular was talking about it... :)

- C
Re: [sa] RE: emailreg.org - tainted white list
May I suggest that handling whitelist or blacklist rules and any associated plugins by packaging them as separately installable modules may be of benefit to SA maintainers. The idea is to reduce the SA dev workload by handing off responsibility for maintaining and bugfixing such modules to external developers. These may, as at present, be the person who independently develops the module or the people who are responsible for the resources it queries.

Here's a little more detail:

- exclude the modules from the default SA configuration and from SA updates.
- create a library of downloadable modules, one for each external resource. Each module consists of:
  - a .cf file and a .pm file, if required, that should be installed by putting both in /etc/mail/spamassassin
  - version info
  - installation and configuration instructions
  - attributions: author, the author's affiliations, etc
  - a disclaimer saying that SA distributes the module as is and without liability or responsibility for its correctness
- anybody, including whitelist owners, can supply a module and will be solely responsible for maintaining it.
- modules MUST be accompanied by regression test data in the form of messages that demonstrate hits, misses and corner tests.
- SA devs should review the documentation and verify module operation using the supplied test data to show that the module does what it says on the tin and doesn't crash SA or interfere with other rules/plugins before accepting a module for publication.
- the modules should be included in regression tests for new SA versions. If a module fails a regression test it is excluded from the library and its author notified. This way unmaintained modules will eventually disappear with minimal work from SA devs apart from removing the module from the distribution library and adding it to a list of no longer supported modules.
There may be problems with this approach that I'm not aware of, but I'm floating it because AFAIK nobody else has suggested it and it may defang some of the discussions around whitelists, etc. by making the use of such rules and modules independent of the SA project. Martin
Re: [sa] RE: emailreg.org - tainted white list
On 12/14/2009 10:23 PM, Martin Gregorie wrote:
> May I suggest that handling whitelist or blacklist rules and any associated plugins by packaging them as separately installable modules may be of benefit to SA maintainers. The idea is to reduce the SA dev workload by handing off responsibility for maintaining and bugfixing such modules to external developers. These may, as at present, be the person who independently develops the module or the people who are responsible for the resources it queries.
>
> Here's a little more detail:
>
> - exclude the modules from the default SA configuration and from SA updates.
> - create a library of downloadable modules, one for each external resource. Each module consists of:
>   - a .cf file and a .pm file, if required, that should be installed by putting both in /etc/mail/spamassassin
>   - version info
>   - installation and configuration instructions
>   - attributions: author, the author's affiliations, etc
>   - a disclaimer saying that SA distributes the module as is and without liability or responsibility for its correctness
> - anybody, including whitelist owners, can supply a module and will be solely responsible for maintaining it.
> - modules MUST be accompanied by regression test data in the form of messages that demonstrate hits, misses and corner tests.
> - SA devs should review the documentation and verify module operation using the supplied test data to show that the module does what it says on the tin and doesn't crash SA or interfere with other rules/plugins before accepting a module for publication.
> - the modules should be included in regression tests for new SA versions. If a module fails a regression test it is excluded from the library and its author notified. This way unmaintained modules will eventually disappear with minimal work from SA devs apart from removing the module from the distribution library and adding it to a list of no longer supported modules.
>
> There may be problems with this approach that I'm not aware of, but I'm floating it because AFAIK nobody else has suggested it and it may defang some of the discussions around whitelists, etc. by making the use of such rules and modules independent of the SA project.

your modules are all there already and much of it is already managed as you suggest: they're called rules.. you can even switch them on or off, or add your own modules /plugins/modules.

SA provides an Open Source FRAMEWORK which caters to many millions of systems - if it doesn't fit your needs, use as you wish and/or fork out. Many do that with the ruleset - many don't.

SA devs are volunteers. What's stopping you from actively contributing to the development? Get familiar with the Wiki, checkout SVN, look at the masscheck code, bath in the Wiki. Following a comprehensive set of standards, anybody can contribute patches/fixes/etc.

h2h
Axb
Re: [sa] RE: emailreg.org - tainted white list
On Mon, 2009-12-14 at 21:23 +, Martin Gregorie wrote:
> May I suggest that handling whitelist or blacklist rules and any associated plugins by packaging them as separately installable modules may be of benefit to SA maintainers. The idea is to reduce the SA dev workload by handing off responsibility for maintaining and bugfixing such modules to external developers. These may, as at present, be the person who independently develops the module or the people who are responsible for the resources it queries.
>
> Here's a little more detail:

The problem is scoring. masschecks are going to shape scores so that whitelists get a little boost if they are mediocre, and a large boost if they are good. Ditto for blacklists. And the two sets of scores will work in synergy. The big problem with "make them all external and let the universe pick a score at random" is that the relative effectiveness of the various lists isn't tested.

I'd love to have the clamav unofficial signature families scored. I have a fine guess as to how relevant they are, but it is just that - a guess. I'd hate to have to guess for everyone's whitelist...

-- Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX www.austinenergy.com
Re: [sa] RE: emailreg.org - tainted white list
On Mon, 2009-12-14 at 22:39 +0100, Yet Another Ninja wrote:
> your modules are all there already and much of it is already managed as you suggest: they're called rules.. you can even switch them on or off, or add your own modules /plugins/modules.
>
> SA provides an Open Source FRAMEWORK which caters to many millions of systems - if it doesn't fit your needs, use as you wish and/or fork out. Many do that with the ruleset - many don't.

I'm aware of that, BUT:

- there is resource-specific stuff permanently wired in, e.g. the HABEAS rules
- there are other rules and modules littered round the net. AFAIK there is no single reference point or code library where stripped-out specifics (HABEAS) or independent code can be placed.

> SA devs are volunteers. What's stopping you from actively contributing to the development?

Time and the fact that I'm a C/Java person rather than a Perl maven. I have a couple of projects on the boil at present, one being mail-related. This has an associated SA plugin and rule that is up and running on my server and will be released as part of the mail-related project.

Martin
Re: [sa] RE: emailreg.org - tainted white list
On 12/14/2009 10:55 PM, Daniel J McDonald wrote:
> I'd love to have the clamav unofficial signature families scored. I have a fine guess as to how relevant they are, but it is just that - a guess.

someone, somewhere is already converting ClamAV signatures to HUGE (slow) rule files, forgot where I saw them. Google around...
RE: [sa] RE: emailreg.org - tainted white list
Hello,

> The taunting *is* the issue. The rest of the arguments, about design and defaults, are carried on by numerous individuals in a quite civilized manner. But when someone starts throwing around stupid accusations, then the person attacked focuses their efforts on 'defending' themselves, rather than on a fair unbiased review of what *should* be the 'issue'.

Fair call.

> To make a point requires nothing more than well-established facts. But name-calling and mindless accusations are an ego-driven thing. Once someone invests their arguments with ego, you cannot count on anything they say being accurate to any degree. They will literally say anything to advance their 'cause' and 'win' whatever argument they have joined.

I'd have to agree on this point. My missus does this all of the time. She will know she is wrong, and still tell me until blue in the teeth that she's right about said topic.. So I guess what you're saying here is that it's no longer possible to do what we did in the old days and just 'ignore the troll'.. Someone has to stir the pot occasionally, and it doesn't hurt to have someone around that makes you think outside the square.

> Interestingly enough, *I* have stirred this same pot a couple of times, with very little effect. So while it is a reasonable argument that being offensive and abusive fails to achieve results, I have to admit that being quiet and deferring in tone also has little effect. So I wonder, what *does* it take for the 'amateurs' (that would be folks like me! *grin*) to bring a possible issue to the attention of the people in the 'know', and have it discussed?

If you ask me, it's the whole newbie thing. People with lesser knowledge/skills are probably too afraid to raise issues, thinking that their issue is probably caused by their own ignorance, or lack of experience. I know I've felt like this before, and have certainly been made to feel rather stupid after asking certain questions - this is not specific to this mailing list, but mailing lists in general.

> I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IPs as favored candidates for hacking? I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy?

To answer the first question: No. We do not have any problems with Spam or hacking regarding our Mail gateway, using SpamAssassin. Any Spam that has slipped through in the last several months certainly has not had any SA Default Whitelist scores assigned to it whatsoever. If anything, spam that gets through our system is stuff that hits almost no rules at all (positive or negative). Statistics are at the end of this E-Mail.

I think one of the issues with getting information from people that aren't having any problems is the fact that they probably can't be bothered posting if they don't have any issues to resolve. What do you think?

Statistics since Thursday 4th Jun, 2009:
RBL Reject: 8480229
HELO Reject: 5827978
Clean Messages: 2014848
Invalid Recipients: 277983
Spam Messages: 228941
Relay Denied: 26112
Virus Messages: 2588
Total Messages Processed: 16858679

I get all of the Spam messages that slip through the system submitted to a public folder on our network, and analyse the headers for what rules did/did not fire. As noted above, I've not seen any Spam that has default SA whitelist scores associated.
hacking whitelists (was Re: [sa] RE: emailreg.org - tainted white list)
On Dec 14, 2009, at 1:35 PM, Charles Gregory wrote:
> I ask again, on the issue of whitelists, is there a serious issue with spammers targeting white-listed IPs as favored candidates for hacking? I'm okay with the answer being 'no'. I'm sure people with large servers and good statistics could answer this question. But I get no answer at all. I don't think it is because of any conspiracy. But perhaps the people who know are just too busy?

We're fairly certain the bad guys haven't been targeting whitelists (ours, or others) -- yet. Occasionally some spam will come from a whitelisted IP after a server gets infected, but then that IP doesn't stay whitelisted for very long -- and there's no proof that the botnet operator had any idea the IP was whitelisted.

Besides, there's not all that much value for them. When the big ISPs use whitelists like ours, they'll give IPs on the list a lot of leeway -- but not a free pass forever. There are still volume limits (though higher than for non-whitelisted IPs), and they're still watching complaint rates. If there's a problem, they'll let us know. It's very similar to how SpamAssassin uses whitelists: enough points are subtracted to override /some/ spam rules, but not all. When a message is extremely spammy, the whitelist won't be enough to rescue it. And that's how it should be.

All that said, I think it's only a matter of time until the bad guys DO intentionally go after whitelisted IPs, or (worse) whitelisting services. We'll detect if spam suddenly starts coming from any IP we're monitoring, and it won't stay whitelisted for long -- that's the core of our program. We've also put a lot of effort into the security of our own systems. I've been involved with computer security issues for too long to say it could never ever happen, but I can say we're always watching.

--
J.D. Falk
jdf...@returnpath.net
Return Path Inc
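Two points in this thread lend themselves to a worked check: the statistics post above analyses the headers of missed spam for which rules did and did not fire, and J.D. Falk's reply notes that a whitelist subtracts enough points to override some spam rules but not all. The Python below is an added example, not code from the thread or from the SpamAssassin project. It parses the X-Spam-Status header that SpamAssassin adds to each message (unfolding continuation lines first, since the tests list is often folded), lists the rules that fired, flags the HABEAS_ whitelist family, and computes what the score would have been with the whitelist rules scored at zero, so a missed message can be sorted into "hit almost nothing" versus "rescued by a whitelist". The three headers and the per-rule score table are constructed for the example; the scores are not SpamAssassin's shipped defaults and would be read from the site's rule files in practice. HABEAS_ACCREDITED_COI is one of the HABEAS_ rule names from the 3.2 rule set, but the score given to it here is made up.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed per-rule score table for this example only. These are NOT the
# scores shipped in SpamAssassin 3.2.5; a real run would load them from the
# site's rule files (50_scores.cf, local.cf) instead.
RULE_SCORES: Dict[str, float] = {
    "BAYES_99": 3.5,
    "URIBL_BLACK": 2.0,
    "RCVD_IN_XBL": 3.0,
    "RCVD_IN_PBL": 3.0,
    "RAZOR2_CHECK": 1.5,
    "HTML_MESSAGE": 0.0,
    "MIME_HTML_ONLY": 1.2,
    "HABEAS_ACCREDITED_COI": -8.0,  # made-up score for a HABEAS_* whitelist rule
}

# Rule-name prefixes treated as default whitelist/certification rules. HABEAS_
# is the family discussed in the thread; other services would be added here
# (assumption: one prefix per service).
WHITELIST_PREFIXES = ("HABEAS_",)


@dataclass
class SpamStatus:
    is_spam: bool
    score: float
    required: float
    tests: List[str]


def unfold(header_block: str) -> str:
    """Join RFC 5322 folded continuation lines into one logical header line."""
    return re.sub(r"\r?\n[ \t]+", " ", header_block)


def parse_spam_status(raw: str) -> SpamStatus:
    """Parse one X-Spam-Status header (possibly folded) into verdict, scores and tests."""
    text = unfold(raw)
    m = re.search(
        r"X-Spam-Status:\s*(Yes|No),\s*score=(-?\d+(?:\.\d+)?)\s+required=(\d+(?:\.\d+)?)",
        text, re.IGNORECASE)
    if not m:
        raise ValueError("not an X-Spam-Status header: %r" % raw[:60])
    tests: List[str] = []
    # The tests list runs up to the next lowercase key=value (autolearn=, version=)
    # or the end of the header; whitespace left over from unfolding is stripped.
    tm = re.search(r"\btests=([A-Za-z0-9_,\s]*?)(?=\s+[a-z_]+=|\s*$)", text)
    if tm and tm.group(1).strip().lower() != "none":  # SA writes tests=none if nothing fired
        tests = [t.strip() for t in tm.group(1).split(",") if t.strip()]
    return SpamStatus(m.group(1).lower() == "yes", float(m.group(2)), float(m.group(3)), tests)


def whitelist_hits(status: SpamStatus) -> List[str]:
    """Whitelist rules that fired on this message."""
    return [t for t in status.tests if t.startswith(WHITELIST_PREFIXES)]


def score_without_whitelist(status: SpamStatus, scores: Dict[str, float]) -> float:
    """Score the message would have had if its whitelist rules had scored 0."""
    removed = sum(scores.get(t, 0.0) for t in whitelist_hits(status))
    return round(status.score - removed, 1)


def classify(status: SpamStatus, scores: Dict[str, float]) -> str:
    """One of: caught, rescued_by_whitelist, missed_low_score."""
    if status.is_spam:
        return "caught"
    if whitelist_hits(status) and score_without_whitelist(status, scores) >= status.required:
        return "rescued_by_whitelist"
    return "missed_low_score"


def summarize(headers: List[str], scores: Dict[str, float] = RULE_SCORES) -> Dict[str, int]:
    """Count how each header in a folder of submitted mail classifies."""
    counts = {"caught": 0, "rescued_by_whitelist": 0, "missed_low_score": 0}
    for raw in headers:
        counts[classify(parse_spam_status(raw), scores)] += 1
    return counts


# Constructed sample headers (not captured mail); scores match RULE_SCORES above.
SAMPLE_HEADERS = [
    # Missed spam that hit almost nothing: the pattern the statistics post describes.
    "X-Spam-Status: No, score=1.2 required=5.0 tests=HTML_MESSAGE,MIME_HTML_ONLY\n"
    "\tautolearn=no version=3.2.5",
    # Spammy message pulled under the threshold by the whitelist rule.
    "X-Spam-Status: No, score=0.5 required=5.0\n"
    "\ttests=BAYES_99,HABEAS_ACCREDITED_COI,RCVD_IN_XBL,URIBL_BLACK autolearn=no\n"
    "\tversion=3.2.5",
    # Extremely spammy message: the whitelist rule fired but could not rescue it.
    "X-Spam-Status: Yes, score=6.2 required=5.0\n"
    "\ttests=BAYES_99,HABEAS_ACCREDITED_COI,MIME_HTML_ONLY,RAZOR2_CHECK,RCVD_IN_PBL,\n"
    "\tRCVD_IN_XBL,URIBL_BLACK autolearn=no version=3.2.5",
]

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        st = parse_spam_status(raw)
        print(classify(st, RULE_SCORES), st.score, score_without_whitelist(st, RULE_SCORES), whitelist_hits(st))
    print(summarize(SAMPLE_HEADERS))
```

Run against a folder of submitted spam, a non-zero "rescued_by_whitelist" count is the evidence the statistics post was looking for and did not find; "missed_low_score" is the case it did see, where the whitelist played no part.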