RE: URIBL

2008-02-25 Thread Rocco Scappatura
 I have to 
  enable only the plugin with loadPlugin.
 
 ... and it's enabled by default, so you should be all set. :)
 
  Then I have to use the command 'urirhssub' of the plugin 
 URIDNSBL to 
  specify that I want to use SURBLs:
 
 ... the rules exist by default, so you should be all set. :)

OK. So the SURBL on my gateway should already work.. But how could I
check this fact?

rocsca


Please help with rule

2008-02-25 Thread Dave Koontz
I am still getting some Storm Worm messages that are not being caught, 
even with Sane Security / ClamAV.  I thought I'd write a rule to score 
any URL that has a dot exe, scr or pif extension.  However, my rule is 
not working.  Can someone help advise what is wrong?  I want it to 
pickup any http or https with those extensions. 


body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i
describe Dangerous_URL Dangerous URL
score Dangerous_URL 7.5

Thanks in advance!





Re: Low scores

2008-02-25 Thread Micah Anderson
* Michael Scheidell [EMAIL PROTECTED] [080223 13:46]:
  I feel like a lot of pretty obvious spams are getting through my system
  with appallingly low scores. I'm starting to wonder if something may be
  wrong with my setup. Looking at what spam tests did fire, I'm frequently
  surprised that more rules didn't fire (obvious lotto scams and nigerian
  inheritance scams seem to slip right by) and that the score are
  surprisingly low... I'd expect satisfyingly high scores for some of
  these, but I'm not seeing them.
 
 You using any SARES' rules? If you have the cpu cycles, try that.  Also make
 sure you have latest SpamAssassin and are also running sa-update.  If you
 use sa-compile, make sure you run it every time you update rules.

I'm running version 3.2.3-0.volatile1 on Debian etch (it supposedly
has a number of backported fixes from 3.2.4). I run sa-update every
night on two channels: saupdates.openprotect.com (which contains the
recommended rules in the SARE), and updates.spamassassin.org. If there
is an update, I run sa-compile and then restart spamassassin.

Micah


Re: Please help with rule

2008-02-25 Thread Loren Wilton

Untested, but try

uri EXECUTABLE_WEBSITE /\.(?:exe|scr|pif)$/i

   Loren

- Original Message - 
From: Dave Koontz [EMAIL PROTECTED]

To: users@spamassassin.apache.org
Sent: Saturday, February 23, 2008 6:52 AM
Subject: Please help with rule


I am still getting some Storm Worm messages that are not being caught, 
even with Sane Security / ClamAV.  I thought I'd write a rule to score 
any URL that has a dot exe, scr or pif extension.  However, my rule is 
not working.  Can someone help advise what is wrong?  I want it to 
pickup any http or https with those extensions. 


body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i
describe Dangerous_URL Dangerous URL
score Dangerous_URL 7.5

Thanks in advance!



Re: Please help with rule

2008-02-25 Thread Benny Pedersen

On Sat, February 23, 2008 15:52, Dave Koontz wrote:
 I am still getting some Storm Worm messages that are not being caught,
 even with Sane Security / ClamAV.  I thought I'd write a rule to score
 any URL that has a dot exe, scr or pif extension.  However, my rule is
 not working.  Can someone help advise what is wrong?  I want it to
 pickup any http or https with those extensions.

 body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i
 describe Dangerous_URL Dangerous URL
 score Dangerous_URL 7.5

have you tested if the antivirus plugin caught it ?

below here is what i have in postfix mime_header_checks

/filename=\"?(.*)\.(bat|chm|cmd|com|do|exe|hta|jse|rm|scr|pif|vbe|vbs|vxd|xl)\"?$/
 REJECT For security reasons we reject attachments of this type

/^\s*Content-(Disposition|Type).*name\s*=\s*"?(.+\.(cpl|lnk|asd|hlp|ocx|reg|bat|c[ho]m|cmd|exe|dll|vxd|pif|scr|hta|jse?|sh[mbs]|vb[esx]|ws[fh]|wav|mov|wmf|xl))"?\s*$/
 REJECT Attachment type not allowed. File $2 has the unacceptable extension $3

take care of line wraps




Re: The 'believe-it' spams

2008-02-25 Thread Per Jessen
Kathryn Allan wrote:

 How do you set a rule to expire?
 

I think you could use this construct:

if (conditional perl expression)
rules ...
endif

And do a check on the date in the expression. 


/Per Jessen, Zürich



Re: Pbl.spamhaus.org down?

2008-02-25 Thread Sven Rudolph
Michael Scheidell [EMAIL PROTECTED] writes:

 http://www.spamhaus.org/organization/dnsblusage.html
 
 says:
 
1. Your use of the Spamhaus DNSBLs is non-commercial*, /and/
2. Your email traffic is less than 80,000 SMTP connections per day, /and/
3. Your DNSBL query volume is less than 320,000 queries per day.
 
 Can't find commercial pricing, but 'corporate' pricing is $168,000 per year
 for unlimited use. (100,000 per year is only $10,000 per year)

Corporation(Business) is $16,800 per year, not $168,000.

Sven



Re: The 'believe-it' spams

2008-02-25 Thread Bob Proulx
Kathryn Allan wrote:
 Bob Proulx wrote:
  I just did the brute force thing and looked for an entire phrase from
  that message.  It really isn't worthy and this will change very
  quickly such that any rule I post now won't be interesting to have in
  a ruleset in a couple of days.  It needs to expire.

 How do you set a rule to expire?

I use 'at' to set up a reminder email from cron to myself at some time
in the future.

  $ at 8 am + 1 week
  at> echo "Remember to clean up that hacked TV_ARM_SPAM rule." |
  at>   mailx -s "SA Rule Cleanup Reminder" rwp
  ^D

A week from now when I get the reminder in my mailbox I will look at
things and decide what to do about it then.  I prefer email for my
todo lists and reminders and use this a lot.

Somehow I don't think that is the answer you were expecting but it is
what I do just the same. :-)

Bob


mysql userpref not fetching whitelist_from

2008-02-25 Thread Michael Thomas



 Hi,

 I have setup the mysql userprefs and it is working with one exception, 
From: addresses listed as being whitelisted in mysql are not triggering 
the SA whitelist scores. Other values like required_hits are being 
properly returned, so SA is able to connect and query mysql. I do not 
have the option of enabling query logging on the mysql side of things.


Spamd is being invoked as follows:

running as root, spamd -D -p  -x -q -u mike -C /home/mike/samysql/spamd

spamc is being run as user mike


A clue perhaps is that for some reason the default config file 
/etc/mail/spamassassin/local.cf is being read despite the use of -C. (I 
know this since it has custom rules not present in the config I am using 
to test the mysql userprefs).



Any pointers appreciated.

Thanks.


www.expose-it spam

2008-02-25 Thread Justin Mason

Regarding this spam: http://pastebin.ca/916902 , it seems we've been
listwashing pretty thoroughly, I have no copies of it yet.

If you have a spamtrap address that gets 100% spam (no ham), is receiving
copies of this spam, isn't too high-volume, and would be willing to
forward copies to our traps, could you send me a mail offlist to arrange
a forward?

--j.


Changing email address for these

2008-02-25 Thread Chris
Apologies if this hasn't been done in the right way, but I have gone to
the website and couldn't find out how to do it - how do you change the
email address that these get sent to please ?  I will be changing email
addresses and want to ensure I don't miss any posts.

Any help appreciated.

Chris.




Lots of queued messages.

2008-02-25 Thread Federico Raúl López Sarmiento
Hi list.
I'm new to the list and, let me tell you, I haven't got deep knowledge
about SA, so I need your help with this issue and, most of all, patience :).
I'm using postfix with SpamAssassin version 3.0.6, running on Perl version
5.8.5.
I noticed a while ago that the message queue of postfix was getting bigger,
causing me to flush it twice per day, and a lot of spam is passing by, so at
first I guessed that it was a system resource problem, so I checked it out
and it seems to be ok.
Reading the FAQ, on performance tips i didn't find out something similar.
Could anyone give me a hand with this issue?
Thanks
ps: sorry my bad english



# cat local.cf
# This is the right place to customize your installation of SpamAssassin.
#
# See 'perldoc Mail::SpamAssassin::Conf' for details of what can be
# tweaked.
#
###
#
# rewrite_header Subject *SPAM*
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock

ok_languages ca en pt es it
ok_locales en pt es

use_auto_whitelist 0
razor_config /var/lib/amavis/.razor/razor-agent.conf
bayes_path /var/lib/amavis/.spamassassin/bayes
auto_whitelist_path /var/lib/amavis/.spamassassin/auto-whitelist
whitelist_from [EMAIL PROTECTED]
lock_method flock

use_razor2 1
use_pyzor 1

bayes_auto_learn 1
bayes_auto_learn_threshold_nonspam 1
bayes_auto_learn_threshold_spam 6.00

score RAZOR2_CHECK 2.500
score BAYES_99 4.300
score BAYES_80 3.000
score BAYES_00 0
score STRONG_BUY 3
score SEE_FOR_YOURSELF 1
score FREE_PORN 4
score CUM_SHOT 4
score LIVE_PORN 4
score HARDCORE_PORN 4
score TRACKER_ID 2
score NO_OBLIGATION 1.5
score HOT_NASTY 4
score BEST_PORN 4
score AMATEUR_PORN 4
score PORN_CELEBRITY 4
score SUBJ_BUY 2
score RCVD_IN_NJABL_DUL 2
score RCVD_IN_SORBS_DUL 2
score ALL_TRUSTED 0
score RAZOR2_CHECK 3
score RAZOR2_CF_RANGE_51_100 3
score NO_REAL_NAME 2
score DIET_1 3
score BODY_ENHANCEMENT2 3
score BODY_ENHANCEMENT 2
score SEE_FOR_YOURSELF 1
score DRUGS_ERECTILE 4
score DRUGS_ERECTILE_OBFU 4
score SUBJ_ALL_CAPS 2
score PLING_PLING 1
score UNWANTED_LANGUAGE_BODY 8
score URIBL_SBL 4
score PRIORITY_NO_NAME 2
score TO_EMPTY 8
score URIBL_AB_SURBL 2
score RCVD_ILLEGAL_IP 4
score RCVD_HELO_IP_MISMATCH 4
score RCVD_NUMERIC_HELO 4
score URIBL_OB_SURBL 4
score SUBJECT_DRUG_GAP_VIA 5
score HTML_50_60 1
score RCVD_IN_BL_SPAMCOP_NET 5


Re: Changing email address for these

2008-02-25 Thread Per Jessen
Chris wrote:

 Apologies if this hasn't been done in the right way, but I have gone
 to the website and couldn't find out how to do it - how do you change
 the
 email address that these get sent to please ?  I will be changing
 email addresses and want to ensure I don't miss any posts.

You subscribe your new address, and unsubscribe your old ditto.


/Per Jessen, Zürich



RE: Changing email address for these

2008-02-25 Thread Chris

-Original Message-
From: Per Jessen [mailto:[EMAIL PROTECTED] 
Sent: Monday, February 25, 2008 2:13 PM
To: users@spamassassin.apache.org
Subject: Re: Changing email address for these

Chris wrote:

 Apologies if this hasn't been done in the right way, but I have gone 
 to the website and couldn't find out how to do it - how do you change 
 the email address that these get sent to please ?  I will be changing 
 email addresses and want to ensure I don't miss any posts.

You subscribe your new address, and unsubscribe your old ditto.


/Per Jessen, Zürich

===

Many thanks for the quick help Per - I will do that.

Chris.




RE: URIBL

2008-02-25 Thread Jeff Chan

Quoting Rocco Scappatura [EMAIL PROTECTED]:


I have to
 enable only the plugin with loadPlugin.

... and it's enabled by default, so you should be all set. :)

 Then I have to use the command 'urirhssub' of the plugin
URIDNSBL to
 specify that I want to use SURBLs:

... the rules exist by default, so you should be all set. :)


OK. So the SURBL on my gateway should already work.. But how could I
check this fact?

rocsca



You should see many spams with the rules named SURBL hitting.  You can  
also try:


  spamassassin -D < message

where message contains one of the testpoints:

  http://www.surbl.org/faq.html#test-uris

Jeff C.



Re: Please help with rule

2008-02-25 Thread Joseph Brennan



--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz [EMAIL PROTECTED] 
wrote:



I am still getting some Storm Worm messages that are not being caught,
even with Sane Security / ClamAV.  I thought I'd write a rule to score
any URL that has a dot exe, scr or pif extension.  However, my rule is
not working.  Can someone help advise what is wrong?  I want it to pickup
any http or https with those extensions.


body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i



 uri Dangerous_URL /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 too 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.


Joseph Brennan
Columbia University Information Technology
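To make the three rule variants in this thread concrete, here is an added Python check (not code from the original posts and not SpamAssassin's own code) that runs Dave's original pattern, Joseph Brennan's `http.{1,200}` correction and Loren Wilton's anchored `uri` pattern over a few constructed URIs. It also includes a hypothetical tightened pattern of my own (`TIGHTENED_URI`, an assumption, not from the thread) that requires the extension to end the URI path, so that a trailing query string does not defeat the `$` anchor while a `.scr` inside a hostname still does not fire. SpamAssassin evaluates `uri` rules against each extracted URI separately, which is why anchoring with `$` behaves as shown.

```python
import re

# The three patterns from the thread, as Python regexes (these particular
# expressions are written identically in Perl and Python).
ORIGINAL_BODY = re.compile(r"http{1,200}\.(?:exe|scr|pif)", re.I)  # Dave's rule: {1,200} binds to the 'p'
BRENNAN_URI = re.compile(r"http.{1,200}\.(?:exe|scr|pif)", re.I)   # Joseph Brennan's correction
WILTON_URI = re.compile(r"\.(?:exe|scr|pif)$", re.I)                # Loren Wilton's anchored rule

# Hypothetical tightened variant (assumption, not from the thread): scheme,
# host, then a path whose last component ends in the extension, followed by
# end of string, a query string or a fragment.
TIGHTENED_URI = re.compile(
    r"^https?://[^/?#]+(?:/[^?#]*)?\.(?:exe|scr|pif)(?:[?#]|$)", re.I
)

PATTERNS = {
    "Dangerous_URL (body, original)": ORIGINAL_BODY,
    "Dangerous_URL (uri, Brennan)": BRENNAN_URI,
    "EXECUTABLE_WEBSITE (uri, Wilton)": WILTON_URI,
    "TIGHTENED (hypothetical)": TIGHTENED_URI,
}

# Constructed sample URIs covering the cases discussed in the thread.
SAMPLE_URIS = [
    "http://example.invalid/files/update.exe",   # plain executable link
    "http://www.scratchy.tld/index.html",        # '.scr' inside a hostname
    "https://example.invalid/setup.scr?id=42",   # extension followed by a query string
    "http://example.invalid/docs/readme.txt",    # harmless
]


def matches(pattern, uri):
    """True if the rule's regex fires on this single URI (an unanchored search, as SA does)."""
    return pattern.search(uri) is not None


def evaluate(uris=SAMPLE_URIS):
    """Map each URI to the names of the rules that would hit it."""
    return {uri: [name for name, pat in PATTERNS.items() if matches(pat, uri)]
            for uri in uris}


if __name__ == "__main__":
    for uri, hits in evaluate().items():
        print(f"{uri:45s} -> {hits or ['(no hit)']}")
```

Running it shows the point of the thread: the original pattern fires on no real URL at all (it would only match something like `httpp.exe`), Brennan's fires on `www.scratchy.tld`, and Wilton's `$` misses `setup.scr?id=42`; the tightened form handles both edge cases, at the cost of only matching full `http(s)://` URIs.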



unsubscribe

2008-02-25 Thread Chris
Unsubscribe



Re: Pbl.spamhaus.org down?

2008-02-25 Thread Matus UHLAR - fantomas
  http://www.spamhaus.org/organization/dnsblusage.html
  
  says:
  
 1. Your use of the Spamhaus DNSBLs is non-commercial*, /and/
 2. Your email traffic is less than 80,000 SMTP connections per day, 
  /and/
 3. Your DNSBL query volume is less than 320,000 queries per day.

 Michael Scheidell [EMAIL PROTECTED] writes:
  Can't find commercial pricing, but 'corporate' pricing is $168,000 per year
  for unlimited use. (100,000 per year is only $10,000 per year)

On 25.02.08 11:00, Sven Rudolph wrote:
 Corporation(Business) is $16,800 per year, not $168,000.

which is still too much for our company for example :-S

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
A day without sunshine is like, night.


google running an open relay?

2008-02-25 Thread Michael Scheidell
Based on googles standard 'we don't have any clients who would email 
from google' ignore bot, then what? if google doesn't have any direct 
clients, then does this indicate they are running an open relay? (email 
purports to come from Argentina (and


201.231.43.135 does.)

, RDNS for first untrusted looks like google. whois on netblock shows 
google in US.
What types of emails (besides 'gmail.com' ) email is supposed to come 
from google? are we going to start getting postini clients relayed 
through google now?



If they don't even have a web site to report 'spam' or open relays to, 
then how would you even contact them?
(this is the first untrusted received line). 


maybe make a meta?
__FROM_GMAIL

__RCV_GOOGLE

and

GOOGLE_RELAY !__FROM_GMAIL && __RCV_GOOGLE

Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.185])
by fl.us.spammertrap.net (Postfix) with ESMTP id F24DC2E116
for [EMAIL PROTECTED]; Mon, 25 Feb 2008 09:07:49 -0500 (EST)
Received: by rv-out-0910.google.com with SMTP id f5so1286176rvb.59
   for [EMAIL PROTECTED]; Mon, 25 Feb 2008 06:07:47 -0800 (PST)
Received: by 10.140.251.1 with SMTP id y1mr2106744rvh.149.1203948466792;
   Mon, 25 Feb 2008 06:07:46 -0800 (PST)
Received: from owcom2 ( [201.231.43.135])
   by mx.google.com with ESMTPS id s54sm6210986rnb.10.2008.02.25.06.06.41
   (version=SSLv3 cipher=RC4-MD5);
   Mon, 25 Feb 2008 06:07:35 -0800 (PST)
Message-ID: [EMAIL PROTECTED]
From: Gonzalo Caseres - Openware [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Openware Argentina
Date: Mon, 25 Feb 2008 12:01:07 -0200
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="=_NextPart_000_00AE_01C877A6.1A73C3D0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.3138
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198
Return-Path: [EMAIL PROTECTED]


--
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
 *| *SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
www.technosium.com/hotcompanies/ http://www.technosium.com/hotcompanies/


_
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com

_
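As a worked version of the meta-rule idea in the post above (added here; not SpamAssassin code and not from the post), the Python below parses a constructed message modelled on the quoted headers, finds the first untrusted relay (the `from` host of the first `Received` header that one of our own MTAs added; `mx.example.invalid` is an assumed name for that MTA), and combines `__FROM_GMAIL` and `__RCV_GOOGLE` the way the proposed `GOOGLE_RELAY` meta does. The google.com relay name and its IP are taken from the quoted header; the other addresses and ids are invented.

```python
import email
import email.utils
import re

# Constructed sample message modelled on the headers quoted in the post.
# The first Received header is the one our own MX (mx.example.invalid, an
# assumed name) added; the last one was added by Google's inbound MX.
SAMPLE_MESSAGE = """\
Received: from rv-out-0910.google.com (rv-out-0910.google.com [209.85.198.185])
\tby mx.example.invalid (Postfix) with ESMTP id ABC123DEF
\tfor <user@example.invalid>; Mon, 25 Feb 2008 09:07:49 -0500 (EST)
Received: by rv-out-0910.google.com with SMTP id f5so1286176rvb.59
\tfor <user@example.invalid>; Mon, 25 Feb 2008 06:07:47 -0800 (PST)
Received: from owcom2 ( [198.51.100.7])
\tby mx.google.com with ESMTPS id s54sm6210986rnb.10
\t(version=SSLv3 cipher=RC4-MD5);
\tMon, 25 Feb 2008 06:07:35 -0800 (PST)
From: Someone <someone@sender.invalid>
To: user@example.invalid
Subject: constructed test

body
"""

TRUSTED_HOSTS = {"mx.example.invalid"}  # our own MTAs (assumption)

# 'from <host> ... by <host>' inside one (possibly folded) Received header
RECEIVED_RE = re.compile(r"\bfrom\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.S | re.I)


def first_untrusted_relay(msg, trusted_hosts=TRUSTED_HOSTS):
    """Hostname in the 'from' clause of the first Received header that one of
    our trusted hosts added, i.e. the first relay we did not control."""
    for received in msg.get_all("Received", []):
        m = RECEIVED_RE.search(received)
        if m and m.group("by").lower() in trusted_hosts:
            return m.group("frm").lower()
    return None


def from_gmail(msg):
    """__FROM_GMAIL: the From: address is in gmail.com."""
    addr = email.utils.parseaddr(msg.get("From", ""))[1]
    return addr.lower().endswith("@gmail.com")


def rcv_google(msg, trusted_hosts=TRUSTED_HOSTS):
    """__RCV_GOOGLE: the first untrusted relay is a google.com host."""
    relay = first_untrusted_relay(msg, trusted_hosts)
    return relay is not None and (relay == "google.com" or relay.endswith(".google.com"))


def google_relay(msg, trusted_hosts=TRUSTED_HOSTS):
    """GOOGLE_RELAY = !__FROM_GMAIL && __RCV_GOOGLE, as proposed in the post."""
    return rcv_google(msg, trusted_hosts) and not from_gmail(msg)


def check(raw, trusted_hosts=TRUSTED_HOSTS):
    """Evaluate the three rules on a raw RFC 2822 message string."""
    msg = email.message_from_string(raw)
    return {
        "__FROM_GMAIL": from_gmail(msg),
        "__RCV_GOOGLE": rcv_google(msg, trusted_hosts),
        "GOOGLE_RELAY": google_relay(msg, trusted_hosts),
    }


if __name__ == "__main__":
    print(check(SAMPLE_MESSAGE))
    print(check(SAMPLE_MESSAGE.replace("someone@sender.invalid", "someone@gmail.com")))
```

One caveat before scoring this high: domains hosted on Google's mail service legitimately produce exactly this combination (a non-gmail.com From: address handed to you by a google.com relay), so a rule like this is a signal to add to a score, not a reason to reject on its own.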


Re: Bogus MX - blacklist service viable?

2008-02-25 Thread Rob McEwen

Aaron Wolfe wrote:

I have 24 hours of data to play with..  at first results seemed
promising. I found over 300,000 hosts that had connected only to my
highest MX and did not issue a quit.  But.. of that group:

96.0% are listed on spamhaus (zen, i did not breakdown onto the
individual lists)
2.3% of the hosts *not* listed on spamhaus are listed on Rob McEwen's
ivmSIP list (note that this is over 50% of the remaining hosts, about
10% higher than this list's hit rate with my normal mail flow).
...snip...
I'm sure my quick test is not perfect.  The remaining 1.7% of hosts
may include some amount of non spam sources (very small if any I would
guess).  Also, I ran the RBL checks all at once at the end of the
cycle. so some of the hits were 24 hours old.  Some amount of the
remainder were probably on the RBLs at the time they hit my server and
were since removed


Aaron,

Here are my thoughts/observations:

Assuming that you ran these dnsbl checks *after* the 24 hour period (as 
I think you are saying...), then I believe that the 96% also caught by 
Zen would probably be lower, not higher. IPs (from recent spam!) don't 
generally expire out of any lists THAT quickly, if at all. However, in 
contrast, there is typically a propagation delay before *some* of these 
get into DNSBLs. (this delay can vary widely between dnsbls). So if you 
ran this test after the fact, you actually gave Zen some time to catch up.


You mentioned that, of these IPs that only connected to the highest MX 
batch, half of the IPs that Zen didn't catch were already on Rob 
McEwen's ivmSIP list. Thanks for the plug!


But I fear that this may accidentally paint an inaccurate picture of 
ivmSIP. This seems to imply that half my list is made up of IPs that 
would be caught if someone were using the connected only to the highest 
MX method. (I know you didn't intend to imply this.. but there is the 
potential for someone to interpret it that way.) In fact, just so 
*others* will know, I should add that there is MUCH spams that my lists 
catches which the IPs that only connected to the highest MX method misses.


For example, I took that last 100 ivmSIP catches and ran them against Zen.

88 of these 100 were already caught by Zen.

Of the 12 left, 3 were caught by widely used and respected dnsbls:

84.79.21.212 (spamcop)
200.66.32.226 (dsbl/psbl)
212.147.5.133 (spamcop & Mark Perkel's host karma list)

As shown, of the 12 left, (and of these three), 1 was caught by Perkel's 
host karma list, which, therefore, is probably the *only* IP of these 12 
that the connected only to the highest MX method would have caught.


(of those not caught by zen...)
While your stats show that 50% of what the connected only to the 
highest MX method catches was also caught by ivmSIP. These additional 
stats above show that the connected only to the highest MX method 
catches *only* 8% of the spams that ivmSIP catches (again, of those not 
already in Zen.)


Of these twelve, 9 of them are IPs that would NOT have been caught by 
ANY reliable FP-safe DNSBLs, nor would these (likely) be caught by the 
connected only to the highest MX method.


Here are those 9 uniques (for anyone to examine/critique):

79.137.219.171
79.137.223.42
79.137.225.194
79.137.231.242
79.137.233.223
79.137.235.210
79.137.235.252
79.137.237.210
213.254.194.26

9 uniques out of 100 doesn't sound impressive... and most of these 
were already caught by UCEPROTECT's level 3, but that is UCE's most 
FP-risky list... and certainly a list too FP-risky to outright block or 
score high on... UCE even states that this list, probably will cause 
collateral damage to innocent users when used to block email


But since, in contrast, ivmSIP has an extremely low FP-rate and seeks to 
*not* ever create collateral damage, then, unlike UCE-3, when these IPs 
show up in ivmSIP, they are safe to outright block (or score very high, 
for those who are ultra careful) without fear of FPs.


(of course, during the time it took me to type this message, another 
1,142 IPs were added to ivmSIP. This was an 'ad hoc snapshot... I 
suspect that a few of these uniques will get into other lists by the 
time that some people read this post. But, in the meantime, spams send 
from these IPs to those who use ivmSIP have been blocked.)


FINAL NOTE: ivmSIP seeks to be a supplemental list focused mostly on new 
series of spams... and purposely skips out on listing spammer's IPs that 
have been in circulation for more than X number of weeks/months... 
therefore, Zen is going to list many IPs that ivmSIP isn't even trying 
to list. So ivmSIP is NOT trying to be a Zen replacement, but, instead, 
more of a supplement.


Rob McEwen




Re: Bogus MX - blacklist service viable?

2008-02-25 Thread Marc Perkel



Rob McEwen wrote:

Aaron Wolfe wrote:

I have 24 hours of data to play with..  at first results seemed
promising. I found over 300,000 hosts that had connected only to my
highest MX and did not issue a quit.  But.. of that group:

96.0% are listed on spamhaus (zen, i did not breakdown onto the
individual lists)
2.3% of the hosts *not* listed on spamhaus are listed on Rob McEwen's
ivmSIP list (note that this is over 50% of the remaining hosts, about
10% higher than this list's hit rate with my normal mail flow).
...snip...
I'm sure my quick test is not perfect.  The remaining 1.7% of hosts
may include some amount of non spam sources (very small if any I would
guess).  Also, I ran the RBL checks all at once at the end of the
cycle. so some of the hits were 24 hours old.  Some amount of the
remainder were probably on the RBLs at the time they hit my server and
were since removed


Aaron,

Here are my thoughts/observations:

Assuming that you ran these dnsbl checks *after* the 24 hour period 
(as I think you are saying...), then I believe that the 96% also 
caught by Zen would probably be lower, not higher. IPs (from recent 
spam!) don't generally expire out of any lists THAT quickly, if at 
all. However, in contrast, there is typically a propagation delay 
before *some* of these get into DNSBLs. (this delay can vary widely 
between dnsbls). So if you ran this test after the fact, you actually 
gave Zen some time to catch up.


You mentioned that, of these IPs that only connected to the highest 
MX batch, half of the IPs that Zen didn't catch were already on Rob 
McEwen's ivmSIP list. Thanks for the plug!


But I fear that this may accidentally paint an inaccurate picture of 
ivmSIP. This seems to imply that half my list is made up of IPs that 
would be caught if someone were using the connected only to the 
highest MX method. (I know you didn't intend to imply this.. but 
there is the potential for someone to interpret it that way.) In fact, 
just so *others* will know, I should add that there is MUCH spams that 
my lists catches which the IPs that only connected to the highest MX 
method misses.


For example, I took that last 100 ivmSIP catches and ran them against 
Zen.


88 of these 100 were already caught by Zen.

Of the 12 left, 3 were caught by widely used and respected dnsbls:

84.79.21.212 (spamcop)
200.66.32.226 (dsbl/psbl)
212.147.5.133 (spamcop & Mark Perkel's host karma list)

As shown, of the 12 left, (and of these three), 1 was caught by 
Perkel's host karma list, which, therefore, is probably the *only* IP 
of these 12 that the connected only to the highest MX method would 
have caught.


(of those not caught by zen...)
While your stats show that 50% of what the connected only to the 
highest MX method catches was also caught by ivmSIP. These additional 
stats above show that the connected only to the highest MX method 
catches *only* 8% of the spams that ivmSIP catches (again, of those 
not already in Zen.)


Of these twelve, 9 of them are IPs that would NOT have been caught by 
ANY reliable FP-safe DNSBLs, nor would these (likely) be caught by the 
connected only to the highest MX method.


Here are those 9 uniques (for anyone to examine/critique):

79.137.219.171
79.137.223.42
79.137.225.194
79.137.231.242
79.137.233.223
79.137.235.210
79.137.235.252
79.137.237.210
213.254.194.26

9 uniques out of 100 doesn't sound impressive... and most of these 
were already caught by UCEPROTECT's level 3, but that is UCE's most 
FP-risky list... and certainly a list too FP-risky to outright block 
or score high on... UCE even states that this list, probably will 
cause collateral damage to innocent users when used to block email


But since, in contrast, ivmSIP has an extremely low FP-rate and seeks 
to *not* ever create collateral damage, then, unlike UCE-3, when these 
IPs show up in ivmSIP, they are safe to outright block (or score very 
high, for those who are ultra careful) without fear of FPs.


(of course, during the time it took me to type this message, another 
1,142 IPs were added to ivmSIP. This was an 'ad hoc snapshot... I 
suspect that a few of these uniques will get into other lists by the 
time that some people read this post. But, in the meantime, spams send 
from these IPs to those who use ivmSIP have been blocked.)


FINAL NOTE: ivmSIP seeks to be a supplemental list focused mostly on 
new series of spams... and purposely skips out on listing spammer's 
IPs that have been in circulation for more than X number of 
weeks/months... therefore, Zen is going to list many IPs that ivmSIP 
isn't even trying to list. So ivmSIP is NOT trying to be a Zen 
replacement, but, instead, more of a supplement.


Rob McEwen



Rob - you make a good point about the 24 hours after issue. I can detect 
the spambots in almost real time. The combination of the no quit and 
only hitting the highest numbered MX takes about 2 minutes. (The 
connection inactivity timeout). Once detected the IP is added to a 

[OT] Yahoo Deferred

2008-02-25 Thread Tony Bunce
Sorry for the Off Topic thread but I'm at a loss.

Is anyone else having issues sending mail to Yahoo?

They are returning 421 Message temporarily deferred to every message my servers 
try to send.  My server then retries like it should but yahoo never accepts the 
message, even after day of retrying.Google turned up several people having 
the same issue but no one with a solution.  My DSN is right, I have SPF 
records, and sign outgoing messages using DomainKeys.

I've filled out every form on the yahoo support site without any luck at all.  
Anyone else seeing this problem or know of a way to get to a real person at 
yahoo?  There are a few reports online that yahoo has a paid support phone 
number that will fix the problem but no one list a phone number, and as much as 
I don't want to pay yahoo just to accept my messages  I'm running out  of 
options and the customer complaints are getting more frequent every day.


Tony Bunce: [EMAIL PROTECTED]mailto:[EMAIL PROTECTED]
Sr. Programming Systems Administrator - GO Concepts 
Inc.http://www.go-concepts.com/
Phone: (513) 934-8234



Re: [OT] Yahoo Deferred

2008-02-25 Thread Rick Macdougall

Tony Bunce wrote:

Sorry for the Off Topic thread but I’m at a loss.

 


Is anyone else having issues sending mail to Yahoo?

 

They are returning 421 Message temporarily deferred to every message my 
servers try to send.  My server then retries like it should but yahoo 
never accepts the message, even after day of retrying.Google turned 
up several people having the same issue but no one with a solution.  My 
DSN is right, I have SPF records, and sign outgoing messages using 
DomainKeys.


 

I’ve filled out every form on the yahoo support site without any luck at 
all.  Anyone else seeing this problem or know of a way to get to a real 
person at yahoo?  There are a few reports online that yahoo has a paid 
support phone number that will fix the problem but no one list a phone 
number, and as much as I don’t want to pay yahoo just to accept my 
messages  I’m running out  of options and the customer complaints are 
getting more frequent every day.




Same here.  I run or look after about 25 mail servers, located all 
around the world, and they all have the same problem.


Strangely enough, the majority of the spam that gets through our filters 
is from Yahoo.


I've pretty much given up on them and I tell clients who inquire or 
complain to ask their yahoo counterparts to use another free mail 
service like hotmail or gmail.


Regards,

Rick



Re: unsubscribe

2008-02-25 Thread Benny Pedersen

On Mon, February 25, 2008 16:18, Chris wrote:
 Unsubscribe

list-unsubscribe: <mailto:[EMAIL PROTECTED]>

in squirrelmail I just press a button :-)




Re: [OT] Yahoo Deferred

2008-02-25 Thread Ramprasad

Tony Bunce wrote:


Sorry for the Off Topic thread but I’m at a loss

Is anyone else having issues sending mail to Yahoo?

They are returning 421 Message temporarily deferred to every message 
my servers try to send. My server then retries like it should but 
yahoo never accepts the message, even after day of retrying. Google 
turned up several people having the same issue but no one with a 
solution. My DSN is right, I have SPF records, and sign outgoing 
messages using DomainKeys.


I’ve filled out every form on the yahoo support site without any luck 
at all. Anyone else seeing this problem or know of a way to get to a 
real person at yahoo? There are a few reports online that yahoo has a 
paid support phone number that will fix the problem but no one list a 
phone number, and as much as I don’t want to pay yahoo just to accept 
my messages I’m running out of options and the customer complaints are 
getting more frequent every day.



Almost everyone. Tell your customers not to use yahoo ids :-(
I dont know if there is any standard reason , But I think yahoo defers 
mails from an IP when there are 'n' message attempts to incorrect ids. n 
being too low for any practical server.
Also keep your rates of delivery low .. lest you enrage the yahoo guys. 
( Their server , their rules :-( )


On my servers I ratelimit yahoo deliveries and deliver through a separate 
server. I also keep changing the smtp bind address. That helps a bit but 
the mailq is still always quite high. We have already told our servers yahoo 
defers our mails so it is not in our control to get it done.


BTW if you get any solution please share with me too :-)


Thanks
Ram



===

sms START NETCORE to 575758 to get updates on Netcore's enterprise
products and services

sms START MYTODAY to 09845398453 for more information on our mobile
consumer services or go to http://www.mytodaysms.com

===



Re: [OT] Yahoo Deferred

2008-02-25 Thread Robert Schetterer
Rick Macdougall schrieb:
 Tony Bunce wrote:
 Sorry for the Off Topic thread but I’m at a loss.

  

 Is anyone else having issues sending mail to Yahoo?

  

 They are returning 421 Message temporarily deferred to every message
 my servers try to send.  My server then retries like it should but
 yahoo never accepts the message, even after day of retrying.Google
 turned up several people having the same issue but no one with a
 solution.  My DSN is right, I have SPF records, and sign outgoing
 messages using DomainKeys.

  

 I’ve filled out every form on the yahoo support site without any luck
 at all.  Anyone else seeing this problem or know of a way to get to a
 real person at yahoo?  There are a few reports online that yahoo has a
 paid support phone number that will fix the problem but no one list a
 phone number, and as much as I don’t want to pay yahoo just to accept
 my messages  I’m running out  of options and the customer complaints
 are getting more frequent every day.

 
 Same here.  I run or look after about 25 mail servers, located all
 around the world, and they all have the same problem.
 
 Strangely enough, the majority of the spam that gets through our filters
 is from Yahoo.
 
 I've pretty much given up on them and I tell clients who inquire or
 complain to ask their yahoo counterparts to use another free mail
 service like hotmail or gmail.
 
 Regards,
 
 Rick
 
Hi all, big speculation:
yahoo wants to have domainkey/dkim?

I only have yahoo.de for test and this works like a charm

 to=[EMAIL PROTECTED], relay=g.mx.mail.yahoo.com[209.191.88.239]:25,
delay=6.1, delays=4.5/0.01/0.71/0.9, dsn=2.0.0, status=sent (250 ok dirdel)

nor do I have reports from users which cannot deliver to yahoo.com servers,
and I see no mails waiting in queues for them

maybe your servers got in a yahoo blacklist
-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


Re: [OT] Yahoo Deferred

2008-02-25 Thread Dave Koontz
Ditto, please share any resolve should you get one.  This has been an 
ongoing problem for us for well over a year now.


Ramprasad wrote:

Tony Bunce wrote:


Sorry for the Off Topic thread but I’m at a loss

Is anyone else having issues sending mail to Yahoo?

They are returning 421 Message temporarily deferred to every message 
my servers try to send. My server then retries like it should but 
yahoo never accepts the message, even after day of retrying. Google 
turned up several people having the same issue but no one with a 
solution. My DSN is right, I have SPF records, and sign outgoing 
messages using DomainKeys.



BTW if you get any solution please share with me too :-)


Thanks
Ram




Re: [OT] Yahoo Deferred

2008-02-25 Thread SM

At 08:54 25-02-2008, Tony Bunce wrote:

Is anyone else having issues sending mail to Yahoo?


No.

They are returning 421 Message temporarily deferred to every message 
my servers try to send.  My server then retries like it should but 
yahoo never accepts the message, even after day of 
retrying.Google turned up several people having the same issue 
but no one with a solution.  My DSN is right, I have SPF records, 
and sign outgoing messages using DomainKeys.


They are deferring connections from your mail servers due to spam or 
complaints.


Regards,
-sm 



RE: Please help with rule

2008-02-25 Thread Dave Koontz
Thanks all for the info, the uri check is much better.  

Joseph you were absolutely correct about it catching too wide.  I modified
it to pattern check the end only and it now works a treat!

uri      DANGEROUS_URL  /\.(exe|scr|pif|cmd|bat|vbs|wsh)$/i
describe DANGEROUS_URL  URL contains executable content
score    DANGEROUS_URL  7.5
 

Joseph Brennan Wrote:

--On Saturday, February 23, 2008 23:08 -0500 Dave Koontz [EMAIL PROTECTED] 
wrote:

 I am still getting some Storm Worm messages that are not being caught,
 even with Sane Security / ClamAV.  I thought I'd write a rule to score
 any URL that has a dot exe, scr or pif extension.  However, my rule is
 not working.  Can someone help advise what is wrong?  I want it to pickup
 any http or https with those extensions.


 body Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i


  uri  Dangerous_URL /http.{1,200}\.(?:exe|scr|pif)/i

I think 'body' excludes html code.  You could use 'rawbody' but normally
one uses 'uri' to get links.

More importantly you need the dot before the {1,200} -- your original
matches 1 to 200 'p' characters.  Loren Wilton suggested leaving out
the 'http.{1,200}'.

Note, this would match things like www.scratchy.tld unless you narrow
it further.  Mimedefang is very good at matching bad file extensions,
if you feel like adding that to your system.





Re: [OT] Yahoo Deferred

2008-02-25 Thread Randy Ramsdell

SM wrote:

At 08:54 25-02-2008, Tony Bunce wrote:

Is anyone else having issues sending mail to Yahoo?


No.

They are returning 421 Message temporarily deferred to every message 
my servers try to send.  My server then retries like it should but 
yahoo never accepts the message, even after day of retrying.
Google turned up several people having the same issue but no one with 
a solution.  My DSN is right, I have SPF records, and sign outgoing 
messages using DomainKeys.


They are deferring connections from your mail servers due to spam or 
complaints.


Regards,
-sm

Incorrect! They rate limit everyone. If your mail isn't being delayed, 
then you do not send much mail to them. This has been an issue as long 
as I can remember and nothing works to help. Use DKIM/Domain Keys, rotate 
e-mail to different ips, fill out ALL their forms and comply with all 
their rules. This will not put you on their whitelist and they do not 
have a formal feedback loop. I have formally asked that we warn our 
users to not use yahoo email addresses for this reason. As a matter of 
fact, I have been able to work with every other large e-mail provider/ 
ISP (AOL/Comcast/Netzero, etc...) and work out e-mail issues with them. 
I even have several contact numbers directly to the administrators of these 
companies. Yahoo simply sucks in this regard and they have not yet 
figured out a way to properly set up restrictions so bulk e-mailers may 
send e-mail. If you are going to store the largest number of e-mail 
accounts, then you will receive bulk mail.


Randy Ramsdell



RE: [OT] Yahoo Deferred

2008-02-25 Thread Tony Bunce
They do have a feedback loop now:
http://help.yahoo.com/l/us/yahoo/mail/postmaster/cfl-form.html?from_url=http://help.yahoo.com/l/us/yahoo/mail/postmaster/

But it takes several days to receive a reply from that form, which is just a 
standard reply that tells you to fill out a form and mail it in (postal mail).

Even then the feedback loop is DomainKeys based instead of IP based, so for 
ISPs you don't know if your customers are sending spam to yahoo.

At least I know that I'm not alone now, thanks for the input.  I'll let 
everyone know if I make any headway.

-Tony

-Original Message-
From: Randy Ramsdell [mailto:[EMAIL PROTECTED]
Sent: Monday, February 25, 2008 1:51 PM
Cc: users@spamassassin.apache.org
Subject: Re: [OT] Yahoo Deferred

SM wrote:
 At 08:54 25-02-2008, Tony Bunce wrote:
 Is anyone else having issues sending mail to Yahoo?

 No.

 They are returning 421 Message temporarily deferred to every message
 my servers try to send.  My server then retries like it should but
 yahoo never accepts the message, even after day of retrying.
 Google turned up several people having the same issue but no one with
 a solution.  My DSN is right, I have SPF records, and sign outgoing
 messages using DomainKeys.

 They are deferring connections from your mail servers due to spam or
 complaints.

 Regards,
 -sm

Incorrect! They rate limit everyone. If your mail isn't being delayed,
then you do not send much mail to them. This has been an issue as long
as I can remember and nothing works to help. Use DKIM/Domain Keys, rotate
e-mail to different ips, fill out ALL their forms and comply with all
their rules. This will not put you on their whitelist and they do not
have a formal feedback loop. I have formally asked that we warn our
users to not use yahoo email addresses for this reason. As a matter of
fact, I have been able to work with every other large e-mail provider/
ISP (AOL/Comcast/Netzero, etc...) and work out e-mail issues with them.
I even have several contact numbers directly to the administrators of these
companies. Yahoo simply sucks in this regard and they have not yet
figured out a way to properly set up restrictions so bulk e-mailers may
send e-mail. If you are going to store the largest number of e-mail
accounts, then you will receive bulk mail.

Randy Ramsdell



Re: [OT] Yahoo Deferred

2008-02-25 Thread Joaquin Lopez

Tony Bunce wrote:

Is anyone else having issues sending mail to Yahoo?

They are returning 421 Message temporarily deferred to every message my 
servers try to send.  My server then retries like it should but yahoo 
never accepts the message, even after day of retrying.


Where I work, we had much the same problem. To better organize our mail 
system, we put all our mail servers on their own subnet, and began 
experiencing this. A small trickle of messages would get through, but 
hardly anything at all. Queues would get bigger and bigger. Filling out 
the forms on yahoo's website yielded no results.


We ended up keeping one server on its old IP and routing mail going to 
yahoo through that, since stuff coming from the old IP doesn't get 
deferred to the same problematic extent. Whitelisted from the days of 
yore, or something.


--
Joaquin Lopez

.!. The police were bewildered and said so.


RE: Please help with rule

2008-02-25 Thread Michael Hutchinson
 -Original Message-
 From: Dave Koontz [mailto:[EMAIL PROTECTED]
 Sent: Sunday, 24 February 2008 5:09 p.m.
 To: users@spamassassin.apache.org
 Subject: Please help with rule
 
 I am still getting some Storm Worm messages that are not being caught,
 even with Sane Security / ClamAV.  I thought I'd write a rule to score
 any URL that has a dot exe, scr or pif extension.  However, my rule is
 not working.  Can someone help advise what is wrong?  I want it to
 pickup any http or https with those extensions.
 
 
 body     Dangerous_URL /http{1,200}\.(?:exe|scr|pif)/i
 describe Dangerous_URL Dangerous URL
 score    Dangerous_URL 7.5
 
 Thanks in advance!

I don't know if it's standard practice on the list, but I do my
attachment filtering with Simscan, not Spamassassin, using
/var/qmail/control/simcontrol where the config reads:

[EMAIL PROTECTED]:clam=yes,spam=no
[EMAIL PROTECTED]:clam=yes,spam=no
:clam=yes,spam=yes,spam_hits=20,attach=.vbs:.lnk:.scr:.wsh:.hta:.pif

The first two lines mean that for the two domains listed, there will be
no spam checking (Spamassassin), and there will be antivirus scanning
(clamav).

The last line is global configuration, so for every other site,
antivirus checking and spamassassin checking are switched on, plus we
block the listed attachments outright.

Sorry if you don't run Simscan, just thought I'd post my $0.2

Cheers,
Michael Hutchinson



RE: [OT] Yahoo Deferred

2008-02-25 Thread Michael Hutchinson


--- original message ---
From: Tony Bunce [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 26 February 2008 5:54 a.m.
To: users@spamassassin.apache.org
Subject: [OT] Yahoo Deferred

Sorry for the Off Topic thread but I'm at a loss.

Is anyone else having issues sending mail to Yahoo?

They are returning 421 Message temporarily deferred to every message my 
servers try to send.  My server then retries like it should but yahoo never 
accepts the message, even after days of retrying.  Google turned up several 
people having the same issue but no one with a solution.  My DSN is right, I 
have SPF records, and sign outgoing messages using DomainKeys.

I've filled out every form on the yahoo support site without any luck at 
all.  Anyone else seeing this problem or know of a way to get to a real 
person at yahoo?  There are a few reports online that yahoo has a paid 
support phone number that will fix the problem but no one list a phone 
number, and as much as I don't want to pay yahoo just to accept my messages 
I'm running out of options and the customer complaints are getting more 
frequent every day.

Ahem. mutters stuff about yahoo, for minutes, before replying

OK now I've calmed down... We have the Yahoo issue as well. It caused major 
problems for us as a large client of ours has a lot of workers that use Xtra 
(now yahoo) email addresses for home. And all of a sudden, mail stopped being 
delivered from the client's server to Xtra/Yahoo email boxes. 

We were not receiving a bounce, though; the messages were being tagged as Spam 
and being automatically filed under the Yahoo user's Spam folder, which they do 
not see unless they log into webmail. Apparently this is because of Yahoo's 
per-user Bayesian database. In other words, we'd have to be willing to talk 
every Xtra user through logging into webmail and training the Bayes filter by 
telling it what messages are/aren't spam, until it properly delivers mail. 
Which we are not. Why should we, it's not like our client's mail server has been 
spamming Yahoo.

I have contacted Telecom and Xtra about the issue, and they're unable to 
help... The situation is out of their control. Fair enough, so I tried to 
contact Yahoo. What a joke. By the time they've sent you a bulk mail form 
(which is just trying to get you to agree that you're a bulk mailer, an 
opportunity for them to ignore the problem) 3 or 4 times, and you agree to fill 
it out, and do, and wait and wait and wait, and lo and behold, nothing happens.

There is no Network Operations Centre to contact at Yahoo, or if there is one, 
they're keeping it to themselves. This is rather irresponsible from a provider 
point of view. How are people supposed to report complex issues with a service, 
if the people you _DO_ get to talk to are just low-level 
help-you-with-your-email-password worker-bees who know nothing about email 
delivery behind the scenes?

I have tried different approaches, and let us not forget I have filled out 3 
whitelist forms, and received no response from Yahoo. Their service is breaking 
RFCs by not delivering mail. They are ignorant towards other companies trying 
to use their service. 

I even got into a big argument with my boss about this issue, he of course 
couldn't understand how my hands could be tied so quickly, but what can you do 
when the offending people won't come to the party, or even talk to you.

My recommendation, though we've not done this yet, is to direct everyone away 
from their email service. They obviously do not want to host people's email. If 
they did, they would listen/respond to other administrators, and they wouldn't 
be breaking rules in a negligent manner.

Do away with Yahoo.

Setup mail on your own domains for your users. Even if it means creating 
separate home addresses if they want them. 

Even having two addresses at one domain for one person is better than having to 
deal with Yahoo.
[EMAIL PROTECTED]
[EMAIL PROTECTED]

Personally, I'd rather blacklist the whole yahoo domain, and tell our clients 
that Yahoo is not an acceptable email address, that they will need a real one.

A real one - that delivers and receives mail, like a mail server should.

Cheers
Michael Hutchinson
[EMAIL PROTECTED]
[EMAIL PROTECTED]



Re: ALL_TRUSTED and DOS_OE_TO_MX

2008-02-25 Thread Daryl C. W. O'Shea
On 24/02/2008 10:06 AM, giga328 wrote:
 Client in example is Outlook Express at 89.110.202.24 also in trusted
 networks.

 Relevant configuration lines are:
 trusted_networks 212.62.32.0/19
 trusted_networks 89.110.192.0/18

Not that this is the cause of your problem, but I'm wondering why
89.110.192.0/18 is included in trusted_networks.

Assuming there's a good reason for it to be included, why is it not
included in internal_networks too?  Doing so would resolve your issue
(except for any clients that have their own relay, i.e. have their
clients send to their own MSA and then smart host it to your MSA), but
read on anyway.

 trusted_networks 213.137.96.0/19
 trusted_networks 82.208.192.0/18
 trusted_networks 10.0.0.0/8
 internal_networks 212.62.57.32/30
 msa_networks 212.62.57.116/30
 msa_networks 212.62.57.156/30
 msa_networks 212.62.57.36/30
 
 MTA acting as MX is mtain1.isp.ptt.rs 212.62.57.32 and I put it in trusted
 and internal networks (if relevant).
 MTA receiving email from clients is mtaout1.isp.ptt.rs 212.62.57.36 and I
 put it in trusted and msa networks.

With msa_networks, you can actually include your MSA as internal for
better results.

The problem in your case, though, is something I've felt uneasy about
for a long time, is the way SA identifies trusted/internal/msa relays...
it's one hop late in doing so (it bases it on the from, not the by).

So if (and I'll admit I don't think this occurred to me before) you're
running SA on outgoing mail on your MSA right after you receive it (it's
not relayed to an intermediate machine) SA can't detect the MSA and the
whole msa_networks thing doesn't work.

To make things work with the way SA works now you need a header
structure something like this:

Received: from msa.example.com (msa.example.com [1.2.3.4])
        by out-mta.example.com with ESMTP id m1O2Vcnu010976;
        Sat, 23 Feb 2008 21:31:39 -0500
Received: from client (client.example.net [4.3.2.1])
        by msa.example.com with ESMTP id m1O2Vcnu010976;
        Sat, 23 Feb 2008 21:31:39 -0500

That is, you need an extra received header so that (msa.example.com
[1.2.3.4]) is shown to SA.  There are two ways to get the extra header...
relay the mail, or forge it in what you feed to SA.  You could even
forge something like this (which would keep the headers sane and not
require you to actually relay the mail somewhere):

Received: from msa.example.com (msa.example.com [1.2.3.4])
        by msa.example.com with ESMTP id m1O2Vcnu010976;
        Sat, 23 Feb 2008 21:31:39 -0500
Received: from client (client.example.net [4.3.2.1])
        by msa.example.com with ESMTP id m1O2Vcnu010976;
        Sat, 23 Feb 2008 21:31:39 -0500

That is, just forge a header for a relay from the msa to itself.  In
your case swap msa for mtaout1 in both headers.

 SpamAssassin is implemented by using spamd running on machine which is also
 in trusted networks (if it is relevant for anything).

Just for reference, unless that machine's IP shows up in Received
headers (it relays or sends mail itself) it's not required.  Including
it won't hurt anything though.

Daryl
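
As an added example (mine, not Daryl's or SpamAssassin's code), the two header chains above parsed by a small Python stand-in for the relay walk Daryl describes: each hop is judged by its 'from' IP only, and a hop that was handed to a host in msa_networks inherits internal status. The network lists are constructed so the client's range is trusted but not internal, mirroring the original post; the trust model is a deliberately simplified approximation, not SA's actual implementation.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed header chains using the hosts/IPs from Daryl's examples.
# Chain 1: SA runs on the MSA itself, so the MSA appears only in a 'by' clause.
ONE_HOP = (
    "Received: from client (client.example.net [4.3.2.1])\n"
    "\tby msa.example.com with ESMTP id m1O2Vcnu010976;\n"
    "\tSat, 23 Feb 2008 21:31:39 -0500\n"
)
# Chain 2: an extra hop (a real relay, or the self-relay Daryl suggests
# forging) puts the MSA into a 'from' clause where SA can see it.
TWO_HOP = (
    "Received: from msa.example.com (msa.example.com [1.2.3.4])\n"
    "\tby msa.example.com with ESMTP id m1O2Vcnu010976;\n"
    "\tSat, 23 Feb 2008 21:31:39 -0500\n"
) + ONE_HOP

# Assumed network configuration (constructed): the client's range is in
# trusted_networks but NOT internal_networks, as in the original poster's setup.
TRUSTED = [ip_network("1.2.3.0/24"), ip_network("4.3.2.0/24")]
INTERNAL = [ip_network("1.2.3.0/24")]
MSA = [ip_network("1.2.3.4/32")]

# Simplified Received: parser; real SA handles many more header dialects.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[0-9.]+)\]\)"
    r"\s+by\s+(?P<by>\S+)"
)


def unfold(headers):
    """Join RFC 5322 folded continuation lines back onto their header line."""
    lines = []
    for raw in headers.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw)
    return lines


def parse_received(headers):
    """Return [(from_ip, by_host), ...], topmost (most recent) hop first."""
    hops = []
    for line in unfold(headers):
        m = RECEIVED_RE.match(line)
        if m:
            hops.append((ip_address(m["ip"]), m["by"]))
    return hops


def in_nets(ip, nets):
    return any(ip in net for net in nets)


def classify(headers, trusted=TRUSTED, internal=INTERNAL, msa=MSA):
    """Walk the hops top-down judging each by its 'from' IP only (the 'by' host
    is never classified, which is the 'one hop late' behaviour). A hop that was
    received by an MSA is promoted to internal. Stops at the first untrusted hop."""
    roles = []
    msa_seen = False
    received_by_msa = False
    for from_ip, _by in parse_received(headers):
        if received_by_msa or in_nets(from_ip, internal):
            role = "internal"
        elif in_nets(from_ip, trusted):
            role = "trusted"
        else:
            role = "untrusted"
        roles.append((str(from_ip), role))
        # If this 'from' host is an MSA, the next hop down was its submission client.
        received_by_msa = in_nets(from_ip, msa)
        msa_seen = msa_seen or received_by_msa
        if role == "untrusted":
            break
    return {"msa_seen": msa_seen, "hops": roles}


if __name__ == "__main__":
    # With one header the MSA is invisible: the client stays merely 'trusted'.
    print("one hop:", classify(ONE_HOP))
    # With the extra hop the MSA is identified and the client becomes internal.
    print("two hop:", classify(TWO_HOP))
```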



Re: [OT] Yahoo Deferred

2008-02-25 Thread Richard Frovarp

Michael Hutchinson wrote:

--- original message ---
  
From: Tony Bunce [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, 26 February 2008 5:54 a.m.

To: users@spamassassin.apache.org
Subject: [OT] Yahoo Deferred

Sorry for the Off Topic thread but I'm at a loss.

Is anyone else having issues sending mail to Yahoo?

They are returning 421 Message temporarily deferred to every message my servers try to 
send.  My server then retries like it should but yahoo never accepts the message, even 
after day of retrying.Google turned up several people having the same issue but no 
one with a solution.  My DSN is right, I have SPF records, and sign outgoing messages 
using DomainKeys.

I've filled out every form on the yahoo support site without any luck at all.  Anyone else 
seeing this problem or know of a way to get to a real person at yahoo?  There are a few 
reports online that yahoo has a paid support phone number that will fix the problem but no 
one list a phone number, and as much as I don't want to pay yahoo just to accept my messages 
 I'm running out  of options and the customer complaints are getting more frequent every 
day.



Ahem. mutters stuff about yahoo, for minutes, before replying

OK now I've calmed down... We have the Yahoo issue as well. It caused major problems for us as a large client of ours has a lot of workers that use Xtra (now yahoo) email addresses for home. And all of a sudden, mail stopped being delivered from the clients server to Xtra/Yahoo email boxes. 


We were not receiving a bounce, though, the messages were being tagged as Spam 
and being automatically filed under the Yahoo user's Spam folder, which they do 
not see unless they log into webmail. Apparently this is because of Yahoo's 
per-user Bayesian database. In other words, if we'd have to be willing to talk 
every Xtra user through logging into webmail and training the Bayes filter by 
telling it what messages are/aren't spam, until it properly delivers mail. 
Which we are not. Why should we, it's not like our clients mail server has been 
spamming Yahoo.

I have contacted Telecom and Xtra about the issue, and they're unable to help... The 
situation is out of their control. Fair enough, so I tried to contact Yahoo. 
What a joke. By the time they've sent you a bulk mail form (which is just trying to get 
you to agree that you're a bulk mailer, an opportunity for them to ignore the problem) 3 
or 4 times, and you agree to fill it out, and do, and wait and wait and wait, and lo and 
behold, nothing happens.

There is no Network Operations Centre to contact at Yahoo, or if there is one, 
they're keeping it to themselves. This is rather irresponsible from a provider 
point of view. How are people supposed to report complex issues with a service, 
if the people you _DO_ get to talk to are just low-level 
help-you-with-your-email-password worker-bee's who know nothing about email 
delivery behind the scenes?

I have tried different approaches, and let us not forget I have filled out 3 whitelist forms, and received no response from Yahoo. Their service is breaking RFCs by not delivering mail. They are ignorant towards other companies trying to use their service. 

But they do deliver the mail. You've even said so above. If this is for 
paid for accounts, I can see there being an issue. If it is for free 
accounts, how do you think they make their money to support free 
accounts? By requiring the free accounts to login to do some things.


RE: URIBL

2008-02-25 Thread Rocco Scappatura



 Quoting Rocco Scappatura [EMAIL PROTECTED]:

 I have to
  enable only the plugin with loadPlugin.

 ... and it's enabled by default, so you should be all set. :)

  Then I have to use the command 'urirhssub' of the plugin
 URIDNSBL to
  specify that I want to use SURBLs:

 ... the rules exist by default, so you should be all set. :)

 OK. So the SURBL on my gateway should already work.. But how could I
 check this fact?

 rocsca


 You should see many spams with the rules named SURBL hitting.  You can
 also try:

spamassassin -D < message

In fact..

X-Spam-Status: Yes, score=9.573 tag=2 tag2=6.2 kill=6.31
tests=[ALL_TRUSTED=-1.8, AWL=0.583, BAYES_80=2, HTML_MESSAGE=0.001,
URIBL_AB_SURBL=1.86, URIBL_BLACK=1.955, URIBL_JP_SURBL=1.501,
URIBL_OB_SURBL=1.5, URIBL_SBL=1.499, URIBL_SC_SURBL=0.474]

SURBL works!

Maybe now is the case to set up a copy of the zone locally on my server.. I
have about 1300K messages rejected per day!!

Even though my customers complain a lot about false negatives.. What more can
I do??

Thanks,

rocsca



RE: [OT] Yahoo Deferred

2008-02-25 Thread Michael Hutchinson
  I have tried different approaches, and let us not forget I have filled
  out 3 whitelist forms, and received no response from Yahoo. Their service
  is breaking RFCs by not delivering mail. They are ignorant towards other
  companies trying to use their service.

 But they do deliver the mail. You've even said so above. If this is for
 paid for accounts, I can see there being an issue. If it is for free
 accounts, how do you think they make their money to support free
 accounts? By requiring the free accounts to login to do some things.

Delivering mail via a filter we have no control of, directly to a folder
the user never sees, is not delivering mail, in my book. Or a lot of
people's book.
It is for paid accounts, by the way.

I'm not about to start seeing that what Yahoo is doing is acceptable or
correct. No matter what sense you try and make of it.

Cheers,
Mike



Variable subject line spam.

2008-02-25 Thread fchan

Hi,
I'm getting a lot of these February 77% OFF or variations (i.e. January 73% 
OFF and my guess March 75% OFF next month) thereof in the subject 
line for spam. The body always changes so I can't really key on this. 
I would like to make a rule that filters this type of spam on the subject line.


Thank you in advance,
Frank


Re: [OT] Yahoo Deferred

2008-02-25 Thread Matt
 Is anyone else having issues sending mail to Yahoo?

Yes.  I have heard using Domainkeys or DKIM helps greatly?  Is that
true?  We have not implemented it yet but do use SPF records which are
much easier to implement with Exim or any MTA and do mostly the same
thing if you ask me.

Matt


Re: Variable subject line spam.

2008-02-25 Thread Loren Wilton
I'm getting a lot of these February 77% OFF or variations (i.e. January 73% OFF 
and my guess March 75% OFF next month) thereof in the subject line for 
spam. The body always changes so I can't really key on this. I would like 
to make a rule that filters this type of spam on the subject line.


I have never seen one of these, so just going from your description I can 
write a rule.  Whether it will match your actual spam (which I haven't seen) 
I can't say.


header MO_PERCENT_OFF Subject =~ /(?:January|February|March|April|May)\s+\d\d\%\s+OFF\b/i


The above will cover you for about the first half of the year, add more 
months as necessary.


   Loren



Re: Variable subject line spam.

2008-02-25 Thread Bob Proulx
fchan wrote:
 I'm getting a lot of these February 77% OFF or variations (i.e. January 73% 
 OFF and my guess March 75% OFF next month) thereof in the subject 
 line for spam.

Is that from Kohls?  I have been annoyed with their spam quite a bit
lately.  But I wouldn't block based upon the subject because I think
it would be too likely to have false positives on other mail.

  Subject: 50% Off Sale, Wednesday Only
  Subject: January Savings Sale + Free Shipping
  Subject: Hurry, Bonus Buys End Monday
  Subject: Two-Day Sale + Free Shipping Ends Wednesday
  Subject: Shop Clearance  Save up to 80%!
  Subject: FREE Shipping ends Saturday!

I blacklisted the sender.  I eventually hope to have them respond to
my mailings to their abuse address and have them clean up their act.
I actually think they are an okay company that has simply fallen into
using a bad marketing company.  I am hoping they clean up and go
straight.

Bob


Re: Pbl.spamhaus.org down?

2008-02-25 Thread Bob Amen

Duane Hill wrote:

On Fri, 22 Feb 2008 17:02:11 -0800
Bob Amen [EMAIL PROTECTED] wrote:

  

Michael Scheidell wrote:

Works fine for me.  Are you sure you weren't blocked? 

  


In fact, I found several sites (different networks, not mine) where
it doesn't work.
(I don't query more than 10,000 per day)

The one that works best is the one that is doing 150K queries per
day. Figure that.

tried: each and every one of them.
Am I blocked? Did I piss someone off?  I'm not blocked because of
'excessive' use. 
  
  
Quite possibly. I think they're getting stricter regarding their 
fair use policy. One of my servers was blocked while another wasn't

even though the latter was just as high volume. I suspect the other
server would have been blocked had I not opted for their paid service.



So, you have paid for their services? Per their agreement, you should
be able to distribute the zones across servers within your
organization. That is what we are doing. Our SpamHaus zones _ONLY_
resolve within our network (not to the outside world).



   Yes, that's what we do. The blockage was before we decided to buy 
their services.


Bob

--
Bob Amen
O'Reilly Media, Inc.
http://www.ora.com/
  http://www.oreilly.com/



Large spam IP list - was Re: Bogus MX - blacklist service viable?

2008-02-25 Thread Larry Ludwig



Slightly off subject, 

This list of class Cs appears to be part of a HUGE block, 79.137.170ish.0/24 -
79.137.240.0ish, belonging to a Russian spam gang.  They appear right now to be
using the odd-ending /24s.  I suspect they will be using the evens in the next
few weeks.

-L
--
Larry Ludwig
Empowering Media
1-866-792-0489 x600
Managed and Unmanaged Xen VPSes
http://www.hostcube.com/



Re: google running an open relay?

2008-02-25 Thread Chris
On Monday 25 February 2008 9:34 am, Michael Scheidell wrote:
 Based on googles standard 'we don't have any clients who would email
 from google' ignore bot, then what? if google doesn't have any direct
 clients, then does this indicate they are running an open relay? (email
 purports to come from Argentina (and

 201.231.43.135 does.)

 , RDNS for first untrusted looks like google. whois on netblock shows
 google in US.
 What types of emails (besides 'gmail.com' ) email is supposed to come
 from google? are we going to start getting postini clients relayed
 through google now?


 If they don't even have a web site to report 'spam' or open relays to,
 then how would you even contact them?
 (this is the first untrusted received line).

I received the below from Google ref one of my spam reports, some content has 
been snipped:

Thank you for your note. This is an automated reply. If you're reporting a
spam email with a Google return address, please be assured that it did not
originate with Google. Google does not permit others to send unsolicited
email through its mail servers.

This was sent from 
 From: Google Help [EMAIL PROTECTED]

I replied to them with the message headers and what I thought to be evidence 
that this spam in fact did come from a Google account. I use a formail recipe 
that adds the sender's IP, ASN and CIDR to the end of all messages. This is 
what was shown for the spam from Google:

X-SenderIP: 72.14.204.239
X-ASN: ASN-15169
X-CIDR: 72.14.204.0/23

Looking up the sender's IP gave this result:

 [EMAIL PROTECTED] ~]$ nslookup 72.14.204.239
 Server:         127.0.0.1
 Address:        127.0.0.1#53
 
 Non-authoritative answer:
 239.204.14.72.in-addr.arpa      name = qb-out-0506.google.com.
 
 Authoritative answers can be found from:
 204.14.72.in-addr.arpa  nameserver = ns2.google.com.
 204.14.72.in-addr.arpa  nameserver = ns3.google.com.
 204.14.72.in-addr.arpa  nameserver = ns1.google.com.
 204.14.72.in-addr.arpa  nameserver = ns4.google.com.
 ns1.google.com  internet address = 216.239.32.10
 ns2.google.com  internet address = 216.239.34.10
 ns3.google.com  internet address = 216.239.36.10
 ns4.google.com  internet address = 216.239.38.10

The script that I run to report spam to NANAS and to the abuse addresses of the 
offending message's ISP gave this result:

 Spam IP:  72.14.204.239 (qb-out-0506.google.com)
 Base domain:  google.com
 Message ID:   [EMAIL PROTECTED]
 ASN (0):  15169  - CIDR: 72.14.204.0/23
 ASN Org (0):  Google, Inc
 
 Spamhaus:  
 IPWHOIS:   
 SpamCop:   
 Relays VISI:   
 Composite BL:  
 Dynablock BL:  
 DSBL Proxy:
 DSBL Multihop: 
 SORBS OR:  
 SPEWS L1:  
 SPEWS L2:  
 RFCI P'master: 
 RFCI Abuse:
 RFCI WHOIS:
 RFCI BogusMX:  
 
 WHOIS Addrs (IP): [EMAIL PROTECTED]
 ASN Addrs:
 RFCI WHOIS:   
 
 WHOIS addresses (google.com): 
 Abuse.net addresses (google.com): [EMAIL PROTECTED]
 Skipping recursed domains
 Ignore addresses: 
 Recipients: [EMAIL PROTECTED], [EMAIL PROTECTED]
 Recursed recipients: 
 
 Reporting to [EMAIL PROTECTED], [EMAIL PROTECTED]
 ...with: Spam report: (72.14.204.239)  Queen Elizabeths The Sec II 
Foundation

Whether the report to abuse@ and postmaster@ did any good I don't know, 
however, I haven't heard back from them. This will also give you abuse 
addresses for different domains:

 [EMAIL PROTECTED] ~]$ telnet whois.abuse.net 43
 Trying 208.31.42.95...
 Connected to whois.abuse.net (208.31.42.95).
 Escape character is '^]'.
 google.com
 [EMAIL PROTECTED] (for google.com)
 

If this was too much information, my apologies

-- 
Chris
KeyID 0xE372A7DA98E6705C




RE: [OT] Yahoo Deferred

2008-02-25 Thread Tony Bunce
 I have heard using Domainkeys or DKIM helps greatly?  Is that
true?

So far DomainKeys has not helped from what I can tell.

Yahoo is deferring the message as soon as my server connects, so it never even 
gets a chance to see the DomainKeys header.

-Tony B



Re: [OT] Yahoo Deferred

2008-02-25 Thread jdow

Do you get through to Yahoo Groups?

Does the reverse address work correctly?

For grins I'd look at how Earthlink.net handles their smtp sending and
addressing. There might be a useful hint there. They do get through. So
does DSLExtreme.com.

{^_^}
- Original Message - 
From: Tony Bunce [EMAIL PROTECTED]
Sent: Monday, 2008, February 25 21:07

I have heard using Domainkeys or DKIM helps greatly?  Is that true?

So far DomainKeys has not helped from what I can tell.

Yahoo is deferring the message as soon as my server connects, so it never 
even gets a chance to see the DomainKeys header.

-Tony B 



Re: [OT] Yahoo Deferred

2008-02-25 Thread Mike Kenny
We have been experiencing this problem for about a year now. It normally
lasts for about a month and then clears with no explanation and no
corrective action taken on our part. I thought that maybe yahoo were
experiencing load issues and targeted certain TLDs (in our case .co.za) to
alleviate load. This is just a guess as it makes no sense to defer mail that
they believe is spam. Why not just reject it?

Over the last year we have sent numerous queries and complaints to yahoo with
never a meaningful response.

Interestingly when this problem first occurred, mid 2007, there were some
other providers exhibiting the same behavior; netzero.com, bellsouth.net and
charter.net among others that I don't recall at present. Thankfully all of
these secondary offenders desisted after the first or second outbreak. But
yahoo, well they are persistent.

At this stage I am not even looking for a solution, just an explanation
would be nice.

mike

P.S. what chance that M$ will improve the situation?

On Mon, Feb 25, 2008 at 6:54 PM, Tony Bunce [EMAIL PROTECTED] wrote:

  Sorry for the Off Topic thread but I'm at a loss.

  Is anyone else having issues sending mail to Yahoo?

  They are returning 421 Message temporarily deferred to every message my
  servers try to send.  My server then retries like it should but yahoo never
  accepts the message, even after day of retrying. Google turned up several
  people having the same issue but no one with a solution.  My DSN is right, I
  have SPF records, and sign outgoing messages using DomainKeys.

  I've filled out every form on the yahoo support site without any luck at
  all.  Anyone else seeing this problem or know of a way to get to a real
  person at yahoo?  There are a few reports online that yahoo has a paid
  support phone number that will fix the problem but no one lists a phone
  number, and as much as I don't want to pay yahoo just to accept my messages
  I'm running out of options and the customer complaints are getting more
  frequent every day.

  --
  Tony Bunce: [EMAIL PROTECTED]
  Sr. Programming Systems Administrator – GO Concepts Inc.
  http://www.go-concepts.com/
  Phone: (513) 934-8234





Re: Lots of queued messages.

2008-02-25 Thread Matt Kettler

Federico Raúl López Sarmiento wrote:

Hi list.
I'm new to the list and let me tell you that I haven't got deep 
knowledge about SA, so I need your help with this issue and, most of all, 
patience :).
I'm using postfix with SpamAssassin version 3.0.6, running on Perl 
version 5.8.5.
I noticed a time ago that the message queue of postfix was getting 
bigger, causing me to flush it twice per day, and a lot of spam is passing 
by, so at first I guessed that it was a system's resource problem, 
so I checked it out and it seems to be ok.
Reading the FAQ on performance tips, I didn't find anything similar.
Could anyone give me a hand with this issue?
Thanks



In general, your config looks fine, or at least I don't see anything 
that should be causing performance issues.


Your SA version is rather old, but that shouldn't be causing a slowdown.

I'd check to make sure you're not grinding into your swap partition (run 
the free command.. at the very least the free in the 
+buffers/cache line should be greater than the used on the swap 
line. (ie: using the swap isn't a problem, as long as there's enough 
physical memory around to cover it, should it be needed in memory.. Most 
OSes will swap out memory that hasn't been used in a long time in order 
to increase cache size..)


You might also want to check for network timeouts.. try running an email 
through spamassassin -D.. Note where in the debug output any significant 
pauses occur..
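The swap check Matt describes (the free column of the +buffers/cache line should exceed the used column of the Swap line) can be scripted so it is not eyeballed. The following is an added example, not code from the thread or from SpamAssassin; it assumes the classic procps-era `free` layout in kilobytes and a POSIX sh with awk, and the `free` output it parses is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: Matt Kettler's swap sanity check applied
# to the output of the classic `free` command (the "-/+ buffers/cache:" layout).
# Assumptions: procps-era `free` output in kilobytes; POSIX sh plus awk.

# Constructed sample output (not captured from a real host); on a live box
# pipe the real command instead:  free | swap_check
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:       3107536    2988176     119360          0     123456    1234567
-/+ buffers/cache:    1630153    1477383
Swap:      2096472     102400    1994072'

# swap_check: reads `free` output on stdin.
# Prints "ok" (exit 0) when the free column of the "-/+ buffers/cache:" line
# exceeds the used column of the "Swap:" line, "swapping" (exit 1) otherwise,
# and "unparsed" (exit 2) if either line is missing.
swap_check() {
    awk '
        # 4th field of the -/+ buffers/cache line = memory free once cache is reclaimed
        $1 == "-/+" && $2 == "buffers/cache:" { cache_free = $4 }
        # 3rd field of the Swap line = swap currently in use
        $1 == "Swap:"                         { swap_used  = $3 }
        END {
            if (cache_free == "" || swap_used == "") { print "unparsed"; exit 2 }
            if (cache_free + 0 > swap_used + 0)      { print "ok";       exit 0 }
            print "swapping"; exit 1
        }'
}

# Run against the constructed sample: prints "ok" because 1477383 > 102400.
printf '%s\n' "$SAMPLE_FREE" | swap_check
```

On a host that prints "swapping", the box is short of RAM for its spamd children and mail server processes together, which is the slowdown Matt is pointing at; newer procps-ng versions of `free` drop the "-/+ buffers/cache:" line in favour of an "available" column, so the parser above would report "unparsed" there rather than guess.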





Unsubscribe

2008-02-25 Thread Elias Mwachiona
Unsubscribe



Re: [OT] Yahoo Deferred

2008-02-25 Thread fchan

Hi,
I had the same problem before and needed to contact yahoo.com 
postmaster and they resolved it within one day. Here is the yahoo.com 
postmaster URL:

http://help.yahoo.com/l/us/yahoo/mail/postmaster/
Click on Contact Customer Care and select Delivery Issues.

I hope this helps.
Frank


Sorry for the Off Topic thread but I'm at a loss.

Is anyone else having issues sending mail to Yahoo?

They are returning 421 Message temporarily deferred to every message 
my servers try to send.  My server then retries like it should but 
yahoo never accepts the message, even after day of retrying. 
Google turned up several people having the same issue but no one 
with a solution.  My DSN is right, I have SPF records, and sign 
outgoing messages using DomainKeys.


I've filled out every form on the yahoo support site without any 
luck at all.  Anyone else seeing this problem or know of a way to 
get to a real person at yahoo?  There are a few reports online that 
yahoo has a paid support phone number that will fix the problem but 
no one list a phone number, and as much as I don't want to pay yahoo 
just to accept my messages  I'm running out  of options and the 
customer complaints are getting more frequent every day.



Tony Bunce: [EMAIL PROTECTED]
Sr. Programming Systems Administrator - GO Concepts Inc.
http://www.go-concepts.com/

Phone: (513) 934-8234



Re: --max-children setting, consider raising it

2008-02-25 Thread fchan

Hi,
I don't mind taking RAM since I have 3GB. I can raise the amount of 
child processes and I wanted to find out how much RAM each child 
takes so I can decide how far to raise max children without 
killing my system. Also I would like to check where to raise 
max-children; I was doing it in my /etc/rc.d/init.d/spamd on my RedHat 
linux system.

spamd -d -m 20 -H

I'm having 20 max child processes now and curious why I'm still 
seeing these messages.


Thank you,
Frank


--max-children setting, consider raising it

 I'm still getting these error messages in my log:


 server reached --max-children setting, consider raising it



You get that message if your spamd has fewer children than your mail 
server has SMTP threads. I have only --max-children 2 and the limit 
gets hit very often.. But I don't care.


Each spamd child takes his part of RAM and I'm not willing to give 
them more than 2. Mail just gets serialized, but it gets done too.


You can lower your mail server threads, or raise your 
--max-children.. it all depends on how much RAM you have. But 
SpamAssassin certainly works fine while those messages get logged. 
When the max-children setting is reached, the messages are put in the queue 
and served later when children are ready.
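Frank's question above (how much RAM each spamd child takes, so that --max-children can be sized against the 3GB he has) can be answered from the process list rather than guessed. The following is an added example, not code from the thread or from SpamAssassin; it assumes Linux `ps -eo pid,ppid,rss,args` output with RSS in kilobytes, and that spamd renames its workers to "spamd child" in the process list. The `ps` output it parses is a constructed sample, not a real capture.

```shell
#!/bin/sh
# Added example, not from the thread: estimate spamd child memory from `ps`
# output so a --max-children value can be sized against physical memory.
# Assumptions: Linux `ps -eo pid,ppid,rss,args` (RSS in kilobytes) and spamd's
# habit of renaming its workers to "spamd child" in the process list.

# Constructed sample of `ps -eo pid,ppid,rss,args` (not a real capture).
SAMPLE_PS='  PID  PPID   RSS COMMAND
 1234     1 18432 /usr/bin/spamd -d -m 20 -H
 1250  1234 24576 spamd child
 1251  1234 26112 spamd child
 1252  1234 23040 spamd child
 1300     1  4096 /usr/libexec/postfix/master'

# spamd_child_mem: reads ps output on stdin and prints
# "<children> <total_rss_kb> <avg_rss_kb>" for the "spamd child" processes.
spamd_child_mem() {
    awk '
        # fields: 1=PID 2=PPID 3=RSS 4..=COMMAND; workers show as "spamd child"
        $4 == "spamd" && $5 == "child" { n++; total += $3 }
        END {
            if (n == 0) { print "0 0 0"; exit }
            printf "%d %d %d\n", n, total, total / n
        }'
}

# projected_rss_kb MAX AVG_KB: worst case if all MAX children are busy at once.
projected_rss_kb() {
    echo $(( $1 * $2 ))
}

# Usage on a live host:  ps -eo pid,ppid,rss,args | spamd_child_mem
set -- $(printf '%s\n' "$SAMPLE_PS" | spamd_child_mem)
echo "children=$1 total_kb=$2 avg_kb=$3"
echo "projected for -m 20: $(projected_rss_kb 20 "$3") kB"
```

The projection is deliberately pessimistic: RSS counts pages shared copy-on-write between the spamd parent and its children (the Perl interpreter and the compiled rule set) once per process, so the real footprint of 20 children is lower than 20 times the average. That makes the number a safe upper bound for deciding whether a larger -m fits in RAM alongside the mail server, which is the failure mode the "consider raising it" message is warning about.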