Re: rule explanation

2007-04-10 Thread Matt Kettler
Jean-Paul Natola wrote:
> Hi everyone,
>
> I'm trying to grasp the concept of making rules- I was hoping someone can
> explain what exactly does this mean;
>
> 9s/0h of 68401 corpus (53647s/14754h ML) 02/13/06
>   
Reading the line backwards:

The rule was tested against a corpus (hand sorted collection of email)
on 02/13/06. The corpus was composed of 53647 spam messages, and
14754 nonspam, for a total of 68401 messages. During the test, the rule
matched 0 nonspam messages and 9 spam messages.
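
The reading above, as an added example that is not part of the original thread: a small Python parser for annotation lines of this shape that checks the corpus totals are consistent and derives the rule's hit rates. The function, class and field names are assumptions made for illustration; the trailing "ML" label is kept verbatim and not interpreted.

```python
import re
from dataclasses import dataclass

# Shape of the annotation quoted in the thread:
#   9s/0h of 68401 corpus (53647s/14754h ML) 02/13/06
ANNOTATION_RE = re.compile(
    r"(?P<spam_hits>\d+)s/(?P<ham_hits>\d+)h\s+of\s+(?P<total>\d+)\s+corpus\s+"
    r"\((?P<corpus_spam>\d+)s/(?P<corpus_ham>\d+)h(?:\s+(?P<tag>[^)\s]+))?\)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{2})"
)


@dataclass(frozen=True)
class CorpusResult:
    spam_hits: int     # spam messages the rule matched
    ham_hits: int      # nonspam messages the rule matched (false positives)
    total: int         # size of the whole corpus
    corpus_spam: int   # spam messages in the corpus
    corpus_ham: int    # nonspam messages in the corpus
    tag: str           # label inside the parentheses, kept as written
    date: str          # test date, kept as written

    @property
    def spam_hit_rate(self) -> float:
        return self.spam_hits / self.corpus_spam if self.corpus_spam else 0.0

    @property
    def ham_hit_rate(self) -> float:
        return self.ham_hits / self.corpus_ham if self.corpus_ham else 0.0

    @property
    def precision(self):
        """Share of the rule's hits that were spam; None if it never hit."""
        hits = self.spam_hits + self.ham_hits
        return self.spam_hits / hits if hits else None


def parse_corpus_annotation(line: str) -> CorpusResult:
    m = ANNOTATION_RE.search(line)
    if m is None:
        raise ValueError(f"not a corpus annotation: {line!r}")
    keys = ("spam_hits", "ham_hits", "total", "corpus_spam", "corpus_ham")
    nums = {k: int(m[k]) for k in keys}
    # The two corpus halves must add up to the stated total.
    if nums["corpus_spam"] + nums["corpus_ham"] != nums["total"]:
        raise ValueError("spam + ham does not equal the corpus total")
    # A rule cannot hit more messages than the corpus contains.
    if nums["spam_hits"] > nums["corpus_spam"] or nums["ham_hits"] > nums["corpus_ham"]:
        raise ValueError("hit count exceeds corpus size")
    return CorpusResult(tag=m["tag"] or "", date=m["date"], **nums)


if __name__ == "__main__":
    r = parse_corpus_annotation("9s/0h of 68401 corpus (53647s/14754h ML) 02/13/06")
    print(f"spam hit rate {r.spam_hit_rate:.4%}, ham hit rate {r.ham_hit_rate:.4%}, "
          f"precision {r.precision}")
```

A rule like this one hits very little spam but no ham at all, which is why the ham count matters more than the raw hit count when deciding how much score to give it.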




Re: "Nigerian Connection" Spam was: [***SPAM***Empty Subject] [signed]

2007-04-10 Thread Matthias Schmidt [c]
Am/On Tue, 10 Apr 2007 20:23:15 +0100 schrieb/wrote Paul Hurley:

>I've received a couple of Spam recently similar to the attached.  They 
>all get through, and all trigger on Empty_Message, except the message 
>body isn't empty, and it contains some phrases that I would expect to 
>score off the scale
>
>Here's the spamassassin report
>
>No, score=4.0 required=6.0 tests=BAYES_50=0.001, EMPTY_MESSAGE=2.308, 
>HTML_40_50=0.496, HTML_MESSAGE=0.1, RM_rb_ANCHOR=0.001, 
>RM_rb_BREAK=0.001, RM_rb_FONT=0.001, RM_rb_PARA=0.001, 
>SUBJ_ALL_CAPS=0.997, cust_LOCAL_TO_RCVD=0.1 autolearn=no version=3.1.7
>
>I'm running Spamassassin V3.1.7.0 on Windows 32 via SAWin32 
>(http://sourceforge.net/projects/sawin32/) with all rules, network tests 
>and some of the common SARE rules.

"Nigerian Connection" Spam.

They get rejected here because their domain is usually invalid.

Thanks and all the best

Matthias



--
- [ SECURITY NOTICE ] -
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
For your security, [EMAIL PROTECTED]
digitally signed this message on 11 April 2007 at 01:40:00 UTC.
Verify this digital signature at http://www.ciphire.com/verify.



RE: Spam bounceback attack

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, J. wrote:

> Thanks. Ok, I did some looking around and decided that
> http://qmail.jms1.net has the patch for me
> (netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
> that when people have tried to patch the Gentoo version of netqmail
> they get errors. Has anyone here gotten this working under Gentoo?

I'd respectfully suggest that the Gentoo forums is the place to pursue
this going forward, and that you might want to open a feature-request
Gentoo bugzilla entry for adding that patch to the qmail package with
a USE option so that others may benefit from it.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Phobias should not be the basis for laws.
---
 3 days until Thomas Jefferson's 264th Birthday



Re: Spam bounceback attack

2007-04-10 Thread Rick Macdougall

J. wrote:
> Thanks. Ok, I did some looking around and decided that
> http://qmail.jms1.net has the patch for me
> (netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
> that when people have tried to patch the Gentoo version of netqmail
> they get errors. Has anyone here gotten this working under Gentoo?
> Thanks.

  


The Gentoo emerge build of qmail is not recommended.  You'll be much 
better off building from source.  I don't use it myself but I've heard 
horror stories from people on the list.


Another option, that we use, is http://www.shupp.org and the toaster 
patch.  That way clients can login and add users and all invalid users 
are rejected (users don't have to actually be local, you can remove the 
domains from virtualdomains, the user check will still work but the 
smtproutes will be followed).


More info off list if you want.

Regards,

Rick



RE: Spam bounceback attack

2007-04-10 Thread J.

--- R Lists06 <[EMAIL PROTECTED]> wrote:

> > Jason wrote:
> > Thanks Jim and John, that helps a lot. I'm glad that qmail is like
> this
> > by default because otherwise my setup would be to blame. :) I'm
> using
> > qmail to handle incoming and outgoing mail for my domain but using
> a
> > very old lan based mail server to actually deliver mail to our
> users so
> > the qmail machine doesn't have any idea who's a valid user and who
> > isn't, all non-junk goes into a single mailbox which our lan server
> > then retrieves via pop. Outbound works similarly where our lan
> server
> > relays through the qmail machine (no it's not an open relay).
> > 
> > I'm looking at this patch at the moment:
> > 
> > http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
> > 
> > ...but will also look at the ones Jim suggested. Thanks again.
> > 
> > -Jason
> > 
> 
> We highly recommend John Simpson's http://qmail.jms1.net and the
> validrcptto
> patch as well.
> 
> There is actually a group of patches that John Simpson rolled into
> one
> 
> Many goodies there that can be utilized...
> 
> He started that as an addon in regards to and with
> http://www.qmailrocks.org
> and there is still good info although the site hasn't been as well
> kept as
> it could have been the last 6 to 12 months.
> 
> There are many other items and links to check out on
> http://qmail.jms1.net
> as well...
> 
> If you know and understand everything on that site and a coupla
> others
> related to it, you will do extremely well with your mail server
> overall.
> 
> Of course, the tie in is that at some point I had to better learn
> about
> Spamassassin and joined here for that.
> 
> Kind regards,
> 
>  - rh

Thanks. Ok, I did some looking around and decided that
http://qmail.jms1.net has the patch for me
(netqmail-1.05-validrcptto.cdb.patch). The problem is that it seems
that when people have tried to patch the Gentoo version of netqmail
they get errors. Has anyone here gotten this working under Gentoo?
Thanks.

-Jason



   



RE: How would i write this rule?

2007-04-10 Thread Bowie Bailey
Adam Lanier wrote:
> Peter Russell wrote:
> 
> > 
> > Sorry last question - seems the parent company is doing spam checks
> > and adds the spam score to the headers.
> > 
> > How could i add/change the second condition for a spam score
> > greater than 10.00 ? 
> > 
> > the header is X-Spam-Score: *** (11.507)
> > 
> > Many thanks
> > Pete
> 
> To ask the obvious question, why are you doing spam checks if the
> upstream relay is also doing them?
> 
> Based on my performance yesterday, there's almost assuredly something
> wrong with the following but...
> 
> header __HIGH_SA_SCORE X-Spam-Score =~ /\*{10,}/
> meta SPAM_FROM_RELAY __GATEWAY_RELAY && __NOT_PAR_DOMAIN &&
> __HIGH_SA_SCORE

Since you don't care what the actual score is and you are not anchoring
the end of the expression, you can simplify this to:

header __HIGH_SA_SCORE X-Spam-Score =~ /\*{10}/

In other words...  Match if the header contains ten asterisks.  You
don't care if it has exactly ten or more than ten.  As long as there are
ten asterisks in there somewhere, it will match.

-- 
Bowie


Re: OEM software spam-

2007-04-10 Thread Richard Frovarp

Jean-Paul Natola wrote:
> Hi all,
>
> I'm getting killed with a slew of "OEM SOFTWARE" spams
>
> I'm trying to  add scores to these as they are not scoring anything at all
>
> 0.0 HTML_MESSAGE   BODY: HTML included in message

Not a direct indicator as spam. A ton of ham hits this rule

> 0.0 RCVD_IN_PBL    RBL: Received via a relay in Spamhaus PBL

I use PBL (well actually zen) to block at MTA

> And increase this one
>
> 1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words

Watch out for the "here's the pics" type messages with attached images. 
Or even short messages with a gif background that can FP if the scores 
are too high.


OEM software spam-

2007-04-10 Thread Jean-Paul Natola
Hi all,

I'm getting killed with a slew of "OEM SOFTWARE" spams

I'm trying to  add scores to these as they are not scoring anything at all

0.0 HTML_MESSAGE   BODY: HTML included in message

0.0 RCVD_IN_PBL    RBL: Received via a relay in Spamhaus PBL

And increase this one 

1.9 HTML_IMAGE_ONLY_12 BODY: HTML: images with 800-1200 bytes of words






Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Bad file descriptor

2007-04-10 Thread Halid Faith
I use spamassassin3.1.7_1
I rarely get a warning from the SA like below;
warn: prefork: select returned -1! recovering: Bad file descriptor
What should I do so that it does not give an error like the one above?
 

  


RE: Spam bounceback attack

2007-04-10 Thread R Lists06
> Jason wrote:
> Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
> by default because otherwise my setup would be to blame. :) I'm using
> qmail to handle incoming and outgoing mail for my domain but using a
> very old lan based mail server to actually deliver mail to our users so
> the qmail machine doesn't have any idea who's a valid user and who
> isn't, all non-junk goes into a single mailbox which our lan server
> then retrieves via pop. Outbound works similarly where our lan server
> relays through the qmail machine (no it's not an open relay).
> 
> I'm looking at this patch at the moment:
> 
> http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch
> 
> ...but will also look at the ones Jim suggested. Thanks again.
> 
> -Jason
> 

We highly recommend John Simpson's http://qmail.jms1.net and the validrcptto
patch as well.

There is actually a group of patches that John Simpson rolled into one

Many goodies there that can be utilized...

He started that as an addon in regards to and with http://www.qmailrocks.org
and there is still good info although the site hasn't been as well kept as
it could have been the last 6 to 12 months.

There are many other items and links to check out on http://qmail.jms1.net
as well...

If you know and understand everything on that site and a coupla others
related to it, you will do extremely well with your mail server overall.

Of course, the tie in is that at some point I had to better learn about
Spamassassin and joined here for that.

Kind regards,

 - rh

--
Abba Communications Internet 
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




Re: Empty Subject

2007-04-10 Thread Theo Van Dinter
On Tue, Apr 10, 2007 at 08:23:15PM +0100, Paul Hurley wrote:
> I've received a couple of Spam recently similar to the attached.  They 
> all get through, and all trigger on Empty_Message, except the message 
> body isn't empty, and it contains some phrases that I would expect to 
> score off the scale
> 
> I'm running Spamassassin V3.1.7.0 on Windows 32 via SAWin32 
> (http://sourceforge.net/projects/sawin32/) with all rules, network tests 
> and some of the common SARE rules.
> 
> Any ideas ???

I would guess that SAWin32 is not sending things validly to SA.  Something
like a blank line at the top of the header, etc.

-- 
Randomly Selected Tagline:
"There are all of these warnings and incantations and unnatural rituals
 and everything's veiled in this threat of "you mess with the mayo,
 the mayo mess with you, man."   - Alton Brown, Good Eats, "Mayo Clinc"




Re: Spam bounceback attack

2007-04-10 Thread J.

--- Jim Maul <[EMAIL PROTECTED]> wrote:

> John D. Hardin wrote:
> > On Tue, 10 Apr 2007, J. wrote:
> > 
> >> I didn't realize that most people are denying smtp connections for
> >> bad addresses. That's great that this is possible. So most of the
> >> people on this list reject connections that are for bad addresses?
> >> That's great. I think that would cut down the spam we get by 90%.
> >> I had no idea this was possible.
> > 
> > That's not *quite* what we're talking about. Sorry if this is a
> rehash
> > of what you already know:
> > 
> > Proper behavior is to check addresses *during* the SMTP
> conversation
> > with the submitting MTA/MUA, and reject invalid/nonexistent address
> as
> > the other guy submits them. If any valid addresses are submitted,
> the
> > mail goes through. If no valid addresses are submitted, it is up to
> > the *other guy* to take some action, such as notifying the sender
> the
> > mail couldn't be delivered. The connection itself is not blocked or
> > rejected, though you could set up a log watcher to detect IPs that
> > continually submit bad addresses and firewall/tarpit them.
> > 
> > A bulk spam mail tool will likely just ignore the "no such address"
>  
> > rejections, leading to no additional impact on innocent third
> parties.
> > 
> > Contrast this with having your MTA accept the message for delivery,
> 
> > pass the message on down the chain, and then have some later step 
> > realize the address is invalid and generate a notice to the sender 
> > address that the message was undeliverable.
> > 
> > You're now generating outbound mail based on a spam you received.
> This 
> > is bad.
> > 
> > If the address was forged and nonexistent, your bounce will be 
> > rejected by the supposed sender's MTA; that's not as bad as
> actually 
> > delivering a bounce to a real user, but you're still generating 
> > pointless traffic to some innocent third party.
> > 
> > Multiply that by the millions of messages in a typical spam run and
> 
> > you can get a DDoS against whatever address or domain was forged on
> 
> > the spams as the sender address.
> > 
> > Rejecting the addresses during the SMTP conversation doesn't
> generate 
> > this extra traffic.
> > 
> > Configuring your MTA to refuse to accept nonexistent addresses is
> > typically a boolean option in its basic configuration settings, not
> > something esoteric requiring complex addons. Any MTA that doesn't
> > support this basic capability is badly broken by current standards.
> > 
> > Some MTAs will also allow you to slow down the SMTP conversation
> (e.g.  
> > pause a few seconds before sending responses) if more than a few
> bad
> > addresses are submitted, to mitigate against dictionary attacks.
> > 
> > 
> 
> qmail, which i believe the OP was using is one of these "badly broken
> by 
> current standards" MTAs as you put it.  By default, it accepts ALL
> mail 
> regardless of the validity of the recipient.  It will then generate a
> 
> bounce to the (most likely) forged address when it figures out the 
> recipient does not exist.  There are many addons/patches to correct
> this 
> behavior.  I would check (using something other than IE) 
> http://qmail.jms1.net for general information and useful patches. 
> And 
> more specifically,
> http://qmail.jms1.net/patches/validrcptto.cdb.shtml 
> which gives you the ability to reject invalid recipients at SMTP
> time.

Thanks Jim and John, that helps a lot. I'm glad that qmail is like this
by default because otherwise my setup would be to blame. :) I'm using
qmail to handle incoming and outgoing mail for my domain but using a
very old lan based mail server to actually deliver mail to our users so
the qmail machine doesn't have any idea who's a valid user and who
isn't, all non-junk goes into a single mailbox which our lan server
then retrieves via pop. Outbound works similarly where our lan server
relays through the qmail machine (no it's not an open relay).

I'm looking at this patch at the moment:

http://http.netdevice.com:9080/qmail/patch/goodrcptto-12.patch

...but will also look at the ones Jim suggested. Thanks again.

-Jason


   



rule explanation

2007-04-10 Thread Jean-Paul Natola
Hi everyone,

I'm trying to grasp the concept of making rules- I was hoping someone can
explain what exactly does this mean;

9s/0h of 68401 corpus (53647s/14754h ML) 02/13/06












Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: Spam bounceback attack

2007-04-10 Thread Jim Maul

John D. Hardin wrote:
> On Tue, 10 Apr 2007, J. wrote:
>
> > I didn't realize that most people are denying smtp connections for
> > bad addresses. That's great that this is possible. So most of the
> > people on this list reject connections that are for bad addresses?
> > That's great. I think that would cut down the spam we get by 90%.
> > I had no idea this was possible.
>
> That's not *quite* what we're talking about. Sorry if this is a rehash
> of what you already know:
>
> Proper behavior is to check addresses *during* the SMTP conversation
> with the submitting MTA/MUA, and reject invalid/nonexistent address as
> the other guy submits them. If any valid addresses are submitted, the
> mail goes through. If no valid addresses are submitted, it is up to
> the *other guy* to take some action, such as notifying the sender the
> mail couldn't be delivered. The connection itself is not blocked or
> rejected, though you could set up a log watcher to detect IPs that
> continually submit bad addresses and firewall/tarpit them.
>
> A bulk spam mail tool will likely just ignore the "no such address"
> rejections, leading to no additional impact on innocent third parties.
>
> Contrast this with having your MTA accept the message for delivery,
> pass the message on down the chain, and then have some later step
> realize the address is invalid and generate a notice to the sender
> address that the message was undeliverable.
>
> You're now generating outbound mail based on a spam you received. This
> is bad.
>
> If the address was forged and nonexistent, your bounce will be
> rejected by the supposed sender's MTA; that's not as bad as actually
> delivering a bounce to a real user, but you're still generating
> pointless traffic to some innocent third party.
>
> Multiply that by the millions of messages in a typical spam run and
> you can get a DDoS against whatever address or domain was forged on
> the spams as the sender address.
>
> Rejecting the addresses during the SMTP conversation doesn't generate
> this extra traffic.
>
> Configuring your MTA to refuse to accept nonexistent addresses is
> typically a boolean option in its basic configuration settings, not
> something esoteric requiring complex addons. Any MTA that doesn't
> support this basic capability is badly broken by current standards.
>
> Some MTAs will also allow you to slow down the SMTP conversation (e.g.
> pause a few seconds before sending responses) if more than a few bad
> addresses are submitted, to mitigate against dictionary attacks.



qmail, which i believe the OP was using is one of these "badly broken by 
current standards" MTAs as you put it.  By default, it accepts ALL mail 
regardless of the validity of the recipient.  It will then generate a 
bounce to the (most likely) forged address when it figures out the 
recipient does not exist.  There are many addons/patches to correct this 
behavior.  I would check (using something other than IE) 
http://qmail.jms1.net for general information and useful patches.  And 
more specifically, http://qmail.jms1.net/patches/validrcptto.cdb.shtml 
which gives you the ability to reject invalid recipients at SMTP time.


-Jim


Re: Help with rule

2007-04-10 Thread Kelson

Steven Stern wrote:
> I suspect a rule that looks for "www*pill*org" would work. How do I turn
> that into a regex?

Basic:  /www.*pill.*org/
Slightly optimized: /www.{1,30}pill.{1,30}org/

.      matches any character.
*      means anywhere 0 or more of the preceding item, so
.*     matches 0 or more of any character.
{X,Y}  means anywhere from X to Y of the preceding item.

You don't want to use .* in a SA rule, though, because if it matches 
"www" it'll keep looking for a long time until it finds "pill" or runs 
out of text to look at.  .{1,30} will match 1 to 30 of any character in 
a row, so if it finds "www" it will only look through 30 characters for 
"pill"


You can also make it more specific, matching things only at word 
boundaries, etc.


There's a good tutorial and reference at www.regular-expressions.info -- 
one of the few legit .info names I've seen.


--
Kelson Vibber
SpeedGate Communications 


Re: Spam bounceback attack

2007-04-10 Thread J.

--- ram <[EMAIL PROTECTED]> wrote:

> On Mon, 2007-04-09 at 07:18 -0700, J. wrote:
> > --- ram <[EMAIL PROTECTED]> wrote:
> > 
> > > On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
> > > > Not sure if this is connected to my aggressive smtp connection
> > > rejection
> > > > campaign over the past week, but we've been hit for the first
> time
> > > in
> > > > many months with a backscatter spam attack. Spammer(s) use
> random
> > > > addresses with our domain for their spamming so we get the
> flood
> > > > (13000+ since midnight) of bounces.
> > > > 
> > > > Is there a good way to deal with this? 70-80% are getting
> caught by
> > > > spamassassin, but there are still thousands that get through
> and I
> > > have
> > > > to filter manually (maildrop). Also, I hate the servers that
> just
> > > keep
> > > > the subject line intact when they bounce a message because I
> can't
> > > > figure out how to filter those. As it is I'm already filtering
> over
> > > 30
> > > > different subject line types to catch different types of
> bounces.
> > > And
> > > > how to I find the legitimate bounces in that haystack? It's a
> lot
> > > of
> > > > fun!
> > > > 
> > > > Thanks.
> > > 
> > > 1) Verify recipient addresses
> > > 2) Add SPF records for your domain. And blacklist those servers
> who
> > > accept forged mails from your domain and bounce them 
> > > 3) If you are suddenly facing a flush of Mailer-"Demons" give a
> > > TEMPFAIL
> > > for <>  , not a great idea but sometimes you have to do this to
> save
> > > your mail server :-) 
> > 
> > Thanks Ram.  Not sure how to implement recipient verification with
> my
> > setup, but I'll look into it. I have an SPF record for my domain
> > installed afaik and I'm using the plugin for spamassassin that
> scores
> > non-spf emails. When these types of attacks happen we get about
> 15,000
> > bounces per day so I don't know how to blacklist every server that
> > sends bounces without looking at the ip address of every email.
> 
> 
> No your bounces will not be nonspf mails. They will be from <>  which
> you
> must accept. Adding SPF checks allows servers not to accept forged
> messages from your domain, if they still do and they plan to send you
> NDR's IMHO you have every right to blacklist them ( YMMV ) 
> 
> 
> Blacklisting usually is best done at the firewall, a 10 liner
> perlscript
> will give you all ips , simply drop packets at your firewall for such
> ips and keep refreshing the lists 
> 
> Recipient address verification is an *Absolute must*. If you don't do
> that you will get your own server into trouble and get them listed in
> all RBLs Just like you are cursing mailservers that are flooding you
> with backscatter your server too may be generating backscatter for
> others. Don't be a part of the problem please 

We're using the version of qmail smtp that does rbl checking so
hopefully one of those recipient checking patches will work. I didn't
realize that most people are denying smtp connections for bad
addresses. That's great that this is possible. So most of the people on
this list reject connections that are for bad addresses? That's great.
I think that would cut down the spam we get by 90%. I had no idea this
was possible.



   



Re: Spam bounceback attack

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, J. wrote:

> I didn't realize that most people are denying smtp connections for
> bad addresses. That's great that this is possible. So most of the
> people on this list reject connections that are for bad addresses?
> That's great. I think that would cut down the spam we get by 90%.
> I had no idea this was possible.

That's not *quite* what we're talking about. Sorry if this is a rehash
of what you already know:

Proper behavior is to check addresses *during* the SMTP conversation
with the submitting MTA/MUA, and reject invalid/nonexistent address as
the other guy submits them. If any valid addresses are submitted, the
mail goes through. If no valid addresses are submitted, it is up to
the *other guy* to take some action, such as notifying the sender the
mail couldn't be delivered. The connection itself is not blocked or
rejected, though you could set up a log watcher to detect IPs that
continually submit bad addresses and firewall/tarpit them.

A bulk spam mail tool will likely just ignore the "no such address"  
rejections, leading to no additional impact on innocent third parties.

Contrast this with having your MTA accept the message for delivery, 
pass the message on down the chain, and then have some later step 
realize the address is invalid and generate a notice to the sender 
address that the message was undeliverable.

You're now generating outbound mail based on a spam you received. This 
is bad.

If the address was forged and nonexistent, your bounce will be 
rejected by the supposed sender's MTA; that's not as bad as actually 
delivering a bounce to a real user, but you're still generating 
pointless traffic to some innocent third party.

Multiply that by the millions of messages in a typical spam run and 
you can get a DDoS against whatever address or domain was forged on 
the spams as the sender address.

Rejecting the addresses during the SMTP conversation doesn't generate 
this extra traffic.

Configuring your MTA to refuse to accept nonexistent addresses is
typically a boolean option in its basic configuration settings, not
something esoteric requiring complex addons. Any MTA that doesn't
support this basic capability is badly broken by current standards.

Some MTAs will also allow you to slow down the SMTP conversation (e.g.  
pause a few seconds before sending responses) if more than a few bad
addresses are submitted, to mitigate against dictionary attacks.

HTH.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  "A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority."  -- Cringely, 4/8/2004
---
 3 days until Thomas Jefferson's 264th Birthday
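
The contrast described in the message above, as an added example that is not part of the original thread: a Python simulation of the same constructed traffic handled two ways, accept-then-bounce versus reject during the SMTP conversation with a tarpit delay and a list of IPs to hand to a firewall. The addresses, IPs, thresholds and function names are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample data. VALID is the set of mailboxes that really exist;
# TRAFFIC is a stream of (client IP, envelope sender, envelope recipient).
# 192.0.2.10 plays a spam source guessing addresses with forged senders;
# 198.51.100.7 plays a legitimate sender who mistypes one recipient.
VALID = {"alice@example.org", "bob@example.org"}
TRAFFIC = [
    ("192.0.2.10", "victim1@example.net", "aaron@example.org"),
    ("192.0.2.10", "victim2@example.net", "abby@example.org"),
    ("192.0.2.10", "victim3@example.net", "alice@example.org"),
    ("192.0.2.10", "victim4@example.net", "adam@example.org"),
    ("192.0.2.10", "victim5@example.net", "al@example.org"),
    ("198.51.100.7", "carol@example.com", "bob@example.org"),
    ("198.51.100.7", "carol@example.com", "bbo@example.org"),
]


def accept_then_bounce(traffic, valid):
    """MTA accepts every recipient and only later notices the bad ones.

    Returns the envelope senders that receive a bounce generated by us.
    With forged senders these are innocent third parties (backscatter).
    """
    return [sender for _ip, sender, rcpt in traffic if rcpt.lower() not in valid]


def reject_at_smtp(traffic, valid, tarpit_after=2, delay=5.0, flag_after=4):
    """Check each recipient during the SMTP conversation.

    Returns (replies, flagged):
      replies - one (ip, rcpt, smtp_code, pause_seconds) per RCPT TO
      flagged - IPs with at least `flag_after` bad recipients, i.e. what a
                log watcher would pass to the firewall or tarpit
    No bounce is ever generated here: on a 550 it is the submitting side's
    job to tell its own user.
    """
    bad = Counter()
    replies = []
    for ip, _sender, rcpt in traffic:
        # Slow down clients that have already submitted several bad addresses.
        pause = delay if bad[ip] >= tarpit_after else 0.0
        if rcpt.lower() in valid:
            replies.append((ip, rcpt, 250, pause))
        else:
            bad[ip] += 1
            replies.append((ip, rcpt, 550, pause))
    flagged = sorted(ip for ip, count in bad.items() if count >= flag_after)
    return replies, flagged


if __name__ == "__main__":
    print("bounces we would send:", accept_then_bounce(TRAFFIC, VALID))
    replies, flagged = reject_at_smtp(TRAFFIC, VALID)
    for ip, rcpt, code, pause in replies:
        print(f"{ip:14} RCPT TO:<{rcpt}> -> {code} (pause {pause:.0f}s)")
    print("firewall candidates:", flagged)
```

In the first mode five bounces leave the server, four of them to forged addresses; in the second none do, and the one legitimate typo is reported to its sender by her own mail server.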



Re: Help with rule

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, John D. Hardin wrote:

> On Tue, 10 Apr 2007, Steven Stern wrote:
> 
> > Just type www [.] pillking [.] org
> > Just type www [.]
> > pillking [.]  > color=#ff>org
> > 
> >Just type www [dot] pilldoc [dot] org
> > 
> > I suspect a rule that looks for "www*pill*org" would work. How do I turn
> > that into a regex?
> 
> Perhaps something like:
> 
>   body  OBFUSC_PILL_URI  /\bwww\b.{3,50}\bpill.{3,50}\borg\b/i

Actually, body matches strip out HTML markup so you could tighten it
up a bit:

  body  OBFUSC_PILL_URI  /\bwww\b.{3,10}\bpill.{3,15}\borg\b/i

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  "A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority."  -- Cringely, 4/8/2004
---
 3 days until Thomas Jefferson's 264th Birthday



Re: Spam bounceback attack

2007-04-10 Thread David Morton



On Apr 10, 2007, at 12:13 PM, J. wrote:

> > Recipient address verification is an *Absolute must*. If you don't do
> > that you will get your own server into trouble and get them listed in
> > all RBLs Just like you are cursing mailservers that are flooding you
> > with backscatter your server too may be generating backscatter for
> > others. Don't be a part of the problem please
>
> We're using the version of qmail smtp that does rbl checking so
> hopefully one of those recipient checking patches will work. I didn't
> realize that most people are denying smtp connections for bad
> addresses. That's great that this is possible. So most of the people on
> this list reject connections that are for bad addresses? That's great.
> I think that would cut down the spam we get by 90%. I had no idea this
> was possible.



???

There are all sorts of ways to reject bad addresses.  Mail servers  
*must* reject unknown recipients; it's not just common practice, it's  
the only sane thing to do.  Why waste resources for nonexistent  
addresses?


Here's a link that has links for many MTA's.

http://spamlinks.net/prevent-secure-backscatter.htm


David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]





Re: Help with rule

2007-04-10 Thread John D. Hardin
On Tue, 10 Apr 2007, Steven Stern wrote:

> Just type www [.] pillking [.] org
> Just type www [.]
> pillking [.]  color=#ff>org
> 
>Just type www [dot] pilldoc [dot] org
> 
> I suspect a rule that looks for "www*pill*org" would work. How do I turn
> that into a regex?

Perhaps something like:

  body  OBFUSC_PILL_URI  /\bwww\b.{3,50}\bpill.{3,50}\borg\b/i

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 3 days until Thomas Jefferson's 264th Birthday
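
The four patterns from the "Help with rule" thread (Kelson's two and John Hardin's two), as an added example that is not part of the original messages: they are run through Python's `re` module, which treats these constructs the same way as the Perl regexes SpamAssassin uses, to show which text each one accepts. The first two samples are the lines quoted in the thread; the other three are constructed, and the rule labels and the `gaps` helper are assumptions made for illustration. The example shows match scope only, not scan time.

```python
import re

# The patterns as posted, translated to Python's re syntax unchanged.
RULES = {
    "kelson_basic":   re.compile(r"www.*pill.*org"),
    "kelson_bounded": re.compile(r"www.{1,30}pill.{1,30}org"),
    "hardin_first":   re.compile(r"\bwww\b.{3,50}\bpill.{3,50}\borg\b", re.I),
    "hardin_tight":   re.compile(r"\bwww\b.{3,10}\bpill.{3,15}\borg\b", re.I),
}

SAMPLES = {
    # Quoted in the thread.
    "quoted_1": "Just type www [.] pillking [.] org",
    "quoted_2": "Just type www [dot] pilldoc [dot] org",
    # Constructed: same trick with filler words between the parts.
    "padded": "Just type www [.] now at the new pillking [.] org",
    # Constructed ham: the three words are far apart and "org" is only
    # the start of a longer word.
    "ham_far": ("www.example.com has the clinic schedule and the full list of "
                "opening hours; take one pill after dinner and thank the organizers"),
    # Constructed ham: the words are close, but "org" is part of "organizer".
    "ham_near": "our www site sells a pill organizer",
}

# Helper for tuning the {m,n} bounds: how many characters actually sit
# between "www" and "pill", and between "pill" and "org", in a sample.
GAP_RE = re.compile(r"\bwww\b(.+?)\bpill(.+?)\borg\b", re.I)


def hits(text):
    """Names of the rules that match the text."""
    return {name for name, rx in RULES.items() if rx.search(text)}


def gaps(text):
    """(chars between www and pill, chars between pill and org) or None."""
    m = GAP_RE.search(text)
    return (len(m.group(1)), len(m.group(2))) if m else None


if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(f"{label:9} gaps={gaps(text)} hits={sorted(hits(text))}")
```

The unbounded pattern fires on both ham samples, the bounded one without word boundaries still fires on "pill organizer", and the tightest pattern trades that precision for missing the padded variant.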



mistakes with sending email address to list

2007-04-10 Thread R Lists06
Greetings,

I would appreciate it if the list admins would make it so that "mistake"
(emails with wrong sending email address) would bounce instead of being
allowed to make it to the list please?

Comments?

 -rh

--
Abba Communications Internet
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net




Starting over with bayes

2007-04-10 Thread Robert Fitzpatrick
My bayes seems to be a mess, consistently knocking down scores. I have
it disabled now and want to rebuild. I assume I can just wipe out
the .seen, .token, etc. files and it will rebuild on its own? Also, I
have two servers in two different locations and would like to share the
bayes database between them, mysql? If so, can someone point me to some
good info on how to set that up?

-- 
Robert



Re: Bypassing BOTNET rules

2007-04-10 Thread John Rudd



Depending on which bypass/exemption you're going to use, either 
4servers\.com or the IP address are what you want to use.


The "bluehill.com" part is the smtp HELO argument, and botnet currently 
ignores that.



Robert Fitzpatrick wrote:

I applied BOTNET rules yesterday and have some legitimate mail getting
blocked and looking for the best way to bypass. I added 'bluehill\.com'
to the list of botnet_pass_domains, is that correct or should I be
adding '4servers\.com' or both?





Received: from bluehill.com (67-30-129-1.4servers.com [67.30.129.1])
by esmtp.webtent.net (WebTent ESMTP Postfix Internet Mail Gateway) with 
ESMTP i$
for <[EMAIL PROTECTED]>; Tue, 10 Apr 2007 08:20:27 -0400 (EDT)
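
The distinction drawn in the reply above (HELO name versus reverse DNS versus IP), applied to the Received header from the thread. This is an added example, not code from the Botnet plugin: the function names, the `pass_ips` parameter and the anchoring of each domain entry at a label boundary and at the end of the rDNS name are assumptions.

```python
import re

# Postfix-style trace field: "from <HELO> (<rDNS> [<IP>])"
RECEIVED = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9a-fA-F.:]+)\]\)"
)

# Header taken from the thread (first line is all that matters here).
HEADER = (
    "Received: from bluehill.com (67-30-129-1.4servers.com [67.30.129.1])\n"
    "\tby esmtp.webtent.net (WebTent ESMTP Postfix Internet Mail Gateway)"
)


def parse_relay(header):
    """Split a Received header into the claimed HELO name, the rDNS name
    the receiving MTA looked up, and the connecting IP address."""
    m = RECEIVED.search(header)
    if m is None:
        raise ValueError("not a Postfix-style Received header")
    relay = m.groupdict()
    if relay["rdns"] == "unknown":  # Postfix writes this when there is no PTR
        relay["rdns"] = None
    return relay


def exempted_by(header, pass_domains=(), pass_ips=()):
    """Return the (field, pattern) pairs that would exempt this relay.
    The HELO name is never consulted, as the reply above explains."""
    relay = parse_relay(header)
    hits = []
    for pat in pass_domains:
        # Assumed anchoring: start of name or a dot, then the entry, then end.
        anchored = r"(?:\.|\A)" + pat + r"\Z"
        if relay["rdns"] and re.search(anchored, relay["rdns"], re.I):
            hits.append(("rdns", pat))
    for pat in pass_ips:
        if re.search(pat, relay["ip"]):
            hits.append(("ip", pat))
    return hits


if __name__ == "__main__":
    print(parse_relay(HEADER))
    print(exempted_by(HEADER, pass_domains=[r"bluehill\.com"]))   # no effect
    print(exempted_by(HEADER, pass_domains=[r"4servers\.com"]))   # matches rDNS
```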


Re: Spam bounceback attack

2007-04-10 Thread ram
On Mon, 2007-04-09 at 07:18 -0700, J. wrote:
> --- ram <[EMAIL PROTECTED]> wrote:
> 
> > On Sun, 2007-04-08 at 11:14 -0700, J. wrote:
> > > Not sure if this is connected to my aggressive smtp connection rejection
> > > campaign over the past week, but we've been hit for the first time in
> > > many months with a backscatter spam attack. Spammer(s) use random
> > > addresses with our domain for their spamming so we get the flood
> > > (13000+ since midnight) of bounces.
> > > 
> > > Is there a good way to deal with this? 70-80% are getting caught by
> > > spamassassin, but there are still thousands that get through and I have
> > > to filter manually (maildrop). Also, I hate the servers that just keep
> > > the subject line intact when they bounce a message because I can't
> > > figure out how to filter those. As it is I'm already filtering over 30
> > > different subject line types to catch different types of bounces. And
> > > how do I find the legitimate bounces in that haystack? It's a lot of
> > > fun!
> > > 
> > > Thanks.
> > 
> > 1) Verify recipient addresses
> > 2) Add SPF records for your domain. And blacklist those servers who
> > accept forged mails from your domain and bounce them 
> > 3) If you are suddenly facing a flush of Mailer-"Demons" give a TEMPFAIL
> > for <>, not a great idea but sometimes you have to do this to save
> > your mail server :-)
> 
> Thanks Ram.  Not sure how to implement recipient verification with my
> setup, but I'll look into it. I have an SPF record for my domain
> installed afaik and I'm using the plugin for spamassassin that scores
> non-spf emails. When these types of attacks happen we get about 15,000
> bounces per day so I don't know how to blacklist every server that
> sends bounces without looking at the ip address of every email.


No, your bounces will not be non-SPF mails. They will be from <>, which you
must accept. Adding SPF checks allows servers not to accept forged
messages from your domain; if they still do and they plan to send you
NDRs, IMHO you have every right to blacklist them (YMMV).


Blacklisting usually is best done at the firewall. A 10-line Perl script
will give you all IPs; simply drop packets at your firewall for such
IPs and keep refreshing the lists.

Recipient address verification is an *absolute must*. If you don't do
that you will get your own server into trouble and get them listed in
all RBLs. Just like you are cursing mailservers that are flooding you
with backscatter, your server too may be generating backscatter for
others. Don't be a part of the problem, please.



Thanks
Ram
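
A sketch of the kind of short script mentioned above for listing the hosts that deliver null-sender bounces (an added example, not from the thread). It assumes Postfix-style syslog lines, which the thread does not confirm for the poster's setup; the function name, the threshold and the sample log lines are constructed, using documentation address ranges.

```python
import re
from collections import Counter

# smtpd logs the connecting client per queue ID; qmgr logs the envelope sender.
CLIENT = re.compile(
    r"postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S*\[(?P<ip>[^\]]+)\]")
SENDER = re.compile(
    r"postfix/qmgr\[\d+\]: (?P<qid>[0-9A-F]+): from=<(?P<sender>[^>]*)>")

# Constructed sample log.
SAMPLE_LOG = """\
Apr 10 08:20:01 mx postfix/smtpd[2101]: 3F1A2B0C01: client=mx1.example.net[192.0.2.10]
Apr 10 08:20:01 mx postfix/qmgr[1200]: 3F1A2B0C01: from=<>, size=3021, nrcpt=1 (queue active)
Apr 10 08:20:05 mx postfix/smtpd[2101]: 3F1A2B0C02: client=mx1.example.net[192.0.2.10]
Apr 10 08:20:05 mx postfix/qmgr[1200]: 3F1A2B0C02: from=<>, size=2987, nrcpt=1 (queue active)
Apr 10 08:20:09 mx postfix/smtpd[2102]: 3F1A2B0C03: client=mail.example.org[198.51.100.7]
Apr 10 08:20:09 mx postfix/qmgr[1200]: 3F1A2B0C03: from=<alice@example.org>, size=1500, nrcpt=1 (queue active)
Apr 10 08:20:12 mx postfix/smtpd[2103]: 3F1A2B0C04: client=unknown[203.0.113.5]
Apr 10 08:20:12 mx postfix/qmgr[1200]: 3F1A2B0C04: from=<>, size=4100, nrcpt=1 (queue active)
Apr 10 08:20:15 mx postfix/qmgr[1200]: 3F1A2B0C05: from=<>, size=2200, nrcpt=1 (queue active)
Apr 10 08:25:01 mx postfix/qmgr[1200]: 3F1A2B0C01: from=<>, size=3021, nrcpt=1 (queue active)
""".splitlines()


def bounce_sources(lines, threshold=2, allow=()):
    """Return the sorted client IPs that handed us at least `threshold`
    messages with the null sender <>. `allow` lists IPs never to report,
    since legitimate bounces also arrive from <>."""
    client_of = {}      # queue ID -> connecting IP
    hits = Counter()
    for line in lines:
        m = CLIENT.search(line)
        if m:
            client_of[m["qid"]] = m["ip"]
            continue
        m = SENDER.search(line)
        if m and m["sender"] == "":
            # pop() so a retried message (qmgr logs it again) counts once;
            # locally generated bounces have no smtpd line and are skipped.
            ip = client_of.pop(m["qid"], None)
            if ip and ip not in allow:
                hits[ip] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)


if __name__ == "__main__":
    print(bounce_sources(SAMPLE_LOG))
```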







Re: spam test

2007-04-10 Thread Luis Hernán Otegui

The last one is the lowest scoring here, look at the results:
For the first mail:

Content analysis details:   (13.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5751]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [88.155.128.48 listed in dnsbl.sorbs.net]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [88.155.128.48 listed in zen.spamhaus.org]
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The second one:

Content analysis details:   (14.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 1.0 DC_IMG_TEXT_RATIO      BODY: Low body to pixel area ratio
 0.5 HTML_IMAGE_RATIO_02    BODY: HTML has a low ratio of text to image area
 0.0 HTML_MESSAGE           BODY: HTML included in message
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 0.5 HTML_IMAGE_ONLY_16     BODY: HTML: images with 1200-1600 bytes of words
 0.6 SARE_SPEC_LEO_LINE03e  RAW: common Leo body text
 1.0 DC_IMG_HTML_RATIO      RAW: Low rawbody to pixel area ratio
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

The third one:

Content analysis details:   (14.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5442]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.2.4.148 listed in zen.spamhaus.org]
 3.0 BOTNET                 BOTNET
 7.0 BOUNCE_MESSAGE         MTA bounce message
 0.1 ANY_BOUNCE_MESSAGE     Message is some kind of bounce message

And finally, the low one:

Content analysis details:   (5.8 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.0 SPF_HELO_PASS          SPF: HELO matches SPF record
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.3 RCVD_ILLEGAL_IP        Received: contains illegal IP address
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [12.162.173.226 listed in dnsbl.sorbs.net]

I give the BOUNCE_MESSAGE a high score because the bounce-backs were driving
me (and my users) mad. So I just throw them away. I know it's not very
RFC-something style, but it works like a charm ;-)


Luix


2007/4/10, Spamassassin List <[EMAIL PROTECTED]>:


> http://hege.li/howto/spam/spamassassin.html

Remove everything from Botnet.cf RULES-section and set it up this way:

Does the above line mean to remove from the # THE RULES?


regards





--
-
GNU-GPL: "May The Source Be With You...
-


whitelist_from_rcvd questions

2007-04-10 Thread Robert
Greets,

Can lines be combined in a situation like this

whitelist_from_rcvd [EMAIL PROTECTED] hisdomain.com
whitelist_from_rcvd [EMAIL PROTECTED] hisotherdomain.com


does this work or should this be done?

can they be combined into one statement or should they be separate?

Any other tips etc?

Thanks!

 - rh

--
Abba Communications Internet & Computer Services
PO Box 7175
Spokane, WA 99207-7175
www.abbacomm.net



Bypassing BOTNET rules

2007-04-10 Thread Robert Fitzpatrick
I applied BOTNET rules yesterday and have some legitimate mail getting
blocked and looking for the best way to bypass. I added 'bluehill\.com'
to the list of botnet_pass_domains, is that correct or should I be
adding '4servers\.com' or both?

Received: from esmtp.webtent.net ([127.0.0.1])
by localhost (esmtp.webtent.net [127.0.0.1]) (amavisd-new, port 10024)
with ESMTP id hnLlQBEIQsOo for <[EMAIL PROTECTED]>;
Tue, 10 Apr 2007 08:20:27 -0400 (EDT)
Received: from bluehill.com (67-30-129-1.4servers.com [67.30.129.1])
by esmtp.webtent.net (WebTent ESMTP Postfix Internet Mail Gateway) with 
ESMTP i$
for <[EMAIL PROTECTED]>; Tue, 10 Apr 2007 08:20:27 -0400 (EDT)
Received: from bluehill.com (localhost [127.0.0.1])
by bluehill.com (8.13.1/8.12.10) with ESMTP id l3ACKQxT013801;
Tue, 10 Apr 2007 05:20:26 -0700
Received: (from [EMAIL PROTECTED])
by bluehill.com (8.13.1/8.13.5/Submit) id l3ACKNka013799;
Tue, 10 Apr 2007 05:20:23 -0700


-- 
Robert



Help with rule

2007-04-10 Thread Steven Stern

I'm trying to flag a type of spam that seems to be slipping through with
a very low score

The common factor is that all of the messages have something like

Just type www [.] pillking [.] org
Just type www [.]
pillking [.] org

   Just type www [dot] pilldoc [dot] org

I suspect a rule that looks for "www*pill*org" would work. How do I turn
that into a regex?


- --

  Steve


RE: Email service that does graylisting/razor/spamfiltering/etc?

2007-04-10 Thread Rob McEwen
Kelly,

I provide just such a service. It does everything you've asked except not
the challenge/response. Additionally, I'd be reluctant to take on a client
who required "catch-all" accounts, or, as you described [EMAIL PROTECTED]
...because this can place a tremendous burden on a spam filter. For example,
in testing, one of my clients for whom I provide this service would have had
40 times the number of their combined hams/spams in volume of mail if
catch-all is turned on, due to dictionary attacks alone. (In case you missed
that, this would be a 40,000% increase in volume resulting from allowing
dictionary attacks through!)

But here are the upsides:

(1) My filtering is of such high quality that you won't miss not having the
challenge/response. (IMO, challenge/response is for wimpy spam filters!)

(2) Even though I don't allow "catch-all" accounts, (a.) I can turn
"catch-all" on for short periods of time if that would help in "finding"
lost aliases that you'd forgotten (b.) Extra "throw-away" aliases attached
to the same e-mail account are unlimited and do NOT increase my prices.

(3) I've been heavily involved in SURBL (and to a lesser extent, URIBL) for
years and, therefore, I've worked towards a quality of filtering that far
exceeds the major "famous" providers, both in terms of spam caught and legit
mail not caught! While I use SpamAssassin as a part of my filtering, most of
my filtering is custom written and I'm beating SA's "out of the box"
configuration by a wide margin.

E-mail me directly (off-list) if you are interested and for pricing!

Rob McEwen
[EMAIL PROTECTED]

-----Original Message-----
From: Kelly Jones [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 09, 2007 10:35 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; techtalk@linuxchix.org;
users@spamassassin.apache.org
Subject: Email service that does graylisting/razor/spamfiltering/etc?

I have about 20 domains, and any email to any of these domains
([EMAIL PROTECTED]) forwards to a single mailbox.

I handle email for all these domains myself, but it's becoming a hassle:

 % dictionary attacks mean I often get the same spam repeatedly

 % I'm too scared to change my SMTP config (to setup graylisting for
 example) for fear of breaking something and losing email [not that
 99+% of it isn't spam anyway...]

 % My SMTP server sometimes gets flooded w/ connections (probably not
 denial-of-service-- just excess-of-spammers), delaying legit email.

In short, I want to give up: running a mail server used to be easy,
but it's not anymore.

Is there a reliable, fairly inexpensive service that does graylisting,
razor-checking, sender address verification, RBL-checking, and other
spam filtering? Specifics:

 % I'd like to set the MX records for all 20 domains to their server
 and be done with it.

 % I do NOT want to forward email (to a spamarrest.com address for
 example). Forwarding means I still have to run my own mailserver +
 nullifies RBL checks, graylisting, etc.

 % I'd like the option of having challenge-response ("you sent me an
 email + I don't know you -- go here and prove you're human"), but
 also the option of turning it off.

 % Senders should always be notified (ideally at the SMTP level) if
 their message is rejected (ideally w/ a custom reject message that I
 choose). Messages shouldn't just disappear.

 % I'd like the ability to check my email via POP/IMAP. Size limits
 are OK: I plan to download email regularly.

 % Most of the email for my domains will come to just me, but I'd like
 the option to forward a copy of emails to certain addresses/domains
 to others. Example: email to [EMAIL PROTECTED] comes to just me, but
 email to [EMAIL PROTECTED] (that makes it through the spam filter)
 comes to me and a copy gets forwarded to [EMAIL PROTECTED] This feature
 isn't critical: I can probably setup Pine rules/etc to do what I want
 if I have to.

Any recommendations?

-- 
We're just a Bunch Of Regular Guys, a collective group that's trying
to understand and assimilate technology. We feel that resistance to
new ideas and technology is unwise and ultimately futile.



Re: spam test

2007-04-10 Thread Spamassassin List

http://hege.li/howto/spam/spamassassin.html


Remove everything from Botnet.cf RULES-section and set it up this way:

Does the above line mean to remove from the # THE RULES?


regards


RE: FuzzyOCR Warnings and General Questions

2007-04-10 Thread Leon Kolchinsky
> 
> I'm running Spamassassin on OpenSuse 10.2 and have just installed
> FuzzyOCR.
> 
> It appears to be working in that it scans/detects words in the supplied
> test files.
> 
> I noticed "spamassassin --lint" gives:
> 
> [25313] warn: FuzzyOcr: Cannot find executable for pamthreshold
> [25313] warn: FuzzyOcr: Cannot find executable for tesseract
> 
> Which seems fair enough as I don't have them.
> 
> Is it just a spurious warning though or do I need to be concerned?
> 
> Also as a general question other than adding words to the wordlist as
> and when, are there any "Must Know" tips n tricks for FuzzyOCR?
> 
> cheers,

Hi,

Take a look here (http://www200.pair.com/mecham/spam/image_spam2.html) and use 
patches for netpbm < 10.34


Or do the following (works for me):

1) Download latest stable version:
# svn checkout https://netpbm.svn.sourceforge.net/svnroot/netpbm/stable netpbm

2) Apply this patch:
diff -Naur netpbm-10.35.21/Makefile.config.in 
netpbm-10.35.21-patched/Makefile.config.in
--- netpbm-10.35.21/Makefile.config.in  2007-01-14 16:18:25.0 +0200
+++ netpbm-10.35.21-patched/Makefile.config.in  2007-01-14 16:33:59.304432096 
+0200
@@ -108,7 +108,7 @@
 #OSF1:
 #INSTALL = $(SRCDIR)/buildtools/installosf
 #Red Hat Linux:
-#INSTALL = install
+INSTALL = install

 # STRIPFLAG is the option you pass to the above install program to make it
 # strip unnecessary information out of binaries.
@@ -280,9 +280,9 @@
 # compiler/linker).  Build-time linking fails without it.  I don't
 # know why -- history seems to be repeating itself.  2005.02.23.

-CFLAGS_SHLIB =
+# CFLAGS_SHLIB =
 # Solaris or SunOS with gcc, and NetBSD:
-#CFLAGS_SHLIB = -fpic
+CFLAGS_SHLIB = -fPIC
 #CFLAGS_SHLIB = -fPIC
 # Sun compiler:
 #CFLAGS_SHLIB = -Kpic
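Review bot: In the CFLAGS_SHLIB block, the `#CFLAGS_SHLIB = -fpic` example under the "Solaris or SunOS with gcc, and NetBSD" comment is rewritten into an active `CFLAGS_SHLIB = -fPIC`, which loses the original `-fpic` example and leaves an identical commented `#CFLAGS_SHLIB = -fPIC` line directly below the new one. Uncommenting that existing `-fPIC` line and leaving the `-fpic` line alone gives the same build with a smaller diff; a one-line comment saying why position-independent code is needed on this platform would also help the next reader.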
@@ -350,7 +350,7 @@
 # The TIFF library.  See above.  If you want to build the tiff
 # converters, you must have the tiff library already installed.

-TIFFLIB = NONE
+TIFFLIB = libtiff.so
 TIFFHDR_DIR =

 #TIFFLIB = libtiff.so
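Review bot: `TIFFLIB = libtiff.so` is enabled while `TIFFHDR_DIR` stays empty, and the JPEGLIB, PNGLIB and ZLIB hunks that follow do the same, so the build now depends on the tiff, jpeg, png and zlib development headers being on the default include path. Listing those packages as prerequisites next to the patch would save a failed build on a host that lacks them; as with the earlier hunk, uncommenting the existing `#TIFFLIB = libtiff.so` line would be cleaner than editing the `NONE` line and leaving a duplicate.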
@@ -382,7 +382,7 @@
 # JPEG stuff statically linked in, in which case you won't need
 # JPEGLIB in order to build the Tiff converters.

-JPEGLIB = NONE
+JPEGLIB = libjpeg.so
 JPEGHDR_DIR =
 #JPEGLIB = libjpeg.so
 #JPEGHDR_DIR = /usr/include/jpeg
@@ -413,7 +413,7 @@
 # case, PNGLIB and PNGHDR_DIR are irrelevant, but PNGVER is still meaningful,
 # because the make file runs 'libpng$(PNGVER)-config'.

-PNGLIB = NONE
+PNGLIB = libpng.so
 PNGHDR_DIR =
 PNGVER =
 #PNGLIB = libpng$(PNGVER).so
@@ -432,7 +432,7 @@
 #
 # If you have 'libpng-config' (see above), these are irrelevant.

-ZLIB = NONE
+ZLIB = libz.so
 ZHDR_DIR =
 #ZLIB = libz.so

diff -Naur netpbm-10.35.21/converter/other/fiasco/codec/dfiasco.c 
netpbm-10.35.21-patched/converter/other/fiasco/codec/dfiasco.c
--- netpbm-10.35.21/converter/other/fiasco/codec/dfiasco.c  2007-01-14 
16:18:03.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/codec/dfiasco.c  
2007-01-14 16:37:35.780522728 +0200
@@ -15,7 +15,7 @@
  */

 #include 
-
+#include 
 #include "config.h"

 #include "types.h"
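Review bot: The added `+#include` line has no header name in this copy (the unchanged `#include` above it is empty too), so the hunk cannot be applied or checked as shown; the angle-bracketed names appear to have been stripped when the message was archived. Take the patch from the original attachment rather than from this page. The hunk also replaces the blank line instead of adding a line, which removes the visual separation between the system include and `"config.h"`.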
diff -Naur netpbm-10.35.21/converter/other/fiasco/config.h 
netpbm-10.35.21-patched/converter/other/fiasco/config.h
--- netpbm-10.35.21/converter/other/fiasco/config.h 2007-01-14 
16:18:03.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/config.h 2007-01-14 
16:36:00.265043288 +0200
@@ -25,6 +25,12 @@
byte first (like Motorola and SPARC, unlike Intel and VAX).  */
 /* #undef WORDS_BIGENDIAN */

+/* since we don't have autoconf... */
+#include 
+#if __BYTE_ORDER == __BIG_ENDIAN
+#define WORDS_BIGENDIAN 1
+#endif
+
 /* Define if the X Window System is missing or not being used.  */
 #define X_DISPLAY_MISSING 1

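Review bot: `#if __BYTE_ORDER == __BIG_ENDIAN` evaluates to true when neither macro is defined, because the preprocessor treats undefined identifiers as 0, so on a platform whose header (its name is missing from the `+#include` line in this copy) does not provide them, `WORDS_BIGENDIAN` would be defined on a little-endian machine. Guard the comparison, for example `#if defined(__BYTE_ORDER) && __BYTE_ORDER == __BIG_ENDIAN`, and consider an `#error` for the case where the macros are absent so a wrong byte order cannot be selected silently.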
diff -Naur netpbm-10.35.21/converter/other/fiasco/input/basis.c 
netpbm-10.35.21-patched/converter/other/fiasco/input/basis.c
--- netpbm-10.35.21/converter/other/fiasco/input/basis.c2007-01-14 
16:18:00.0 +0200
+++ netpbm-10.35.21-patched/converter/other/fiasco/input/basis.c
2007-01-14 16:38:10.711212456 +0200
@@ -13,7 +13,7 @@
  *  $Revision: 5.3 $
  *  $State: Exp $
  */
-
+#include 
 #include "config.h"

 #include "types.h"
diff -Naur netpbm-10.35.21/converter/pbm/icontopbm.c 
netpbm-10.35.21-patched/converter/pbm/icontopbm.c
--- netpbm-10.35.21/converter/pbm/icontopbm.c   2007-01-14 16:18:22.0 
+0200
+++ netpbm-10.35.21-patched/converter/pbm/icontopbm.c   2007-01-14 
16:43:50.478559968 +0200
@@ -13,6 +13,7 @@
 #include 

 #include "nstring.h"
+#include 
 #include "pbm.h"

 /* size in bytes of a bitmap */
diff -Naur netpbm-10.35.21/converter/ppm/ppmtowinicon.c 
netpbm-10.35.21-patched/converter/ppm/ppmtowinicon.c
--- netpbm-10.35.21/converter/ppm/ppmtowinicon.c2007-01-14 
16:18:20.0 +0200
+++ netpbm-10.35.21-patched/converter/ppm/ppmtowinicon.c2007-01-14 
16:46:54.505583608 +0200
@@ -12,7 +12,7 @@

 #include 
 #include 
-
+#include 
 #include "winico.h"
 #include "ppm.h"
 #include "mallocvar.h"
diff -Naur netpbm-10.3