Re: New Spammer?
> Heh, I use the ClamAV plugin for SA and give it a hefty score. That way I get the best of both worlds. Creative use of BLs also helps.

Very pleased with ClamAV too, but just ClamAV is not enough for us. In the last hours some virus types were not recognized by ClamAV, not even with the most recent database (I just submitted the samples to clamav). Luckily they were caught because we allow only password-protected zip files if they contain executable files. And we have 4 other virus scanners on our Exchange server. The virus types change so fast now that ClamAV has difficulty keeping up.

Regards,
Menno van Bennekom
RE: New Spammer?
From: Menno van Bennekom [mailto:[EMAIL PROTECTED]
> Very pleased with ClamAV too, but just ClamAV is not enough for us. [...] The virus types change so fast now that ClamAV has difficulty keeping up.

It's always good to have multiple layers. We have ClamAV on the mail server and Symantec Corporate Edition on the desktops. I haven't had any problems with Clam. We had a few Sober.U get through before the definitions updated, but that's expected with a new virus on any AV program (unfortunately). I have Clam installed with all the default options and I run freshclam a few times a day to keep it updated. It just works.

Bowie
Re: New Spammer?
On Wednesday 23 Nov 2005 15:07, Bowie Bailey wrote:
> It's always good to have multiple layers. [...] We had a few Sober.U get through before the definitions updated, but that's expected with a new virus on any AV program (unfortunately).

A minor counter-point. $dayjob involves scanning the mail for quite a few people for viruses and spam. We have 4 commercial AV engines, acting as defense in depth. Viruses still make it past.

I just tested an early copy of Sober-Z/U/whatever-it-is that made it past all 4 against an out-of-date (over 2 weeks) copy of NOD32, with only heuristics engaged. It caught it. Granted, it's the same family of virus, but it's still somewhat impressive. Heuristics aren't everything, but they do work damn well some times :)
RE: New Spammer?
From: Duncan Hill [mailto:[EMAIL PROTECTED]
> A minor counter-point. [...] We have 4 commercial AV engines, acting as defense in depth. Viruses still make it past. I just tested an early copy of Sober-Z/U/whatever-it-is that made it past all 4 against an out-of-date (over 2 weeks) copy of NOD32, with only heuristics engaged. It caught it. [...] Heuristics aren't everything, but they do work damn well some times :)

Agreed. Our desktops with SAV have heuristics enabled. None of the Sober viruses made it onto a desktop where they could have been scanned, so I don't know if SAV would have caught it or not.

My points in the previous email were just:

1) ClamAV works very well here, so if it's missing a whole group of viruses for someone, there's probably something else going on.

2) It's normal for any AV program to miss a few at the beginning of an outbreak.

Heuristics can help with point 2, but you can't depend on them.

Bowie
Re: New Spammer?
On Tuesday 22 Nov 2005 14:56, Casey King wrote:
> messages are receiving. I start tagging spam at 3.5 so each message has been tagged, but still sent through. Anyone else seeing these emails?

New Sober outbreak: not spam, virus. Just junk them totally; stripping is a waste of time for Sober (and most other W32/* viruses).
Re: New Spammer?
At 09:56 AM 11/22/2005, Casey King wrote:
> This morning we have been getting drilled by spam/virus emails.

Are they spam, or viruses? Not the same thing.

> 40 so far.

I should be so lucky to see as few as 40/hour during any kind of outbreak.

> Been getting a lot of phone calls from across the company about these emails. At least my mailscanner boxes are stripping the files, and tagging it as spam, but what worries me, is the low scores these messages are receiving.

SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not care about virus emails. No effort is made to try to catch them, because doing so would dilute the scores of the spam ruleset. No effort is made to try to avoid tagging them either. They're just removed from the corpus and handled by the developers as if they don't exist.

> I start tagging spam at 3.5 so each message has been tagged, but still sent through. Anyone else seeing these emails?

I see plenty of viruses, and never give them a mind. My selective greylisting helps, but so far this morning my mailscanner still got 20 of them. There was also a steep burst last Weds, 18 of them, which then leveled off through the rest of the day.

*shrug*.. tell your users in a broadcast email that there is a virus outbreak, but to not be concerned unless they have a message that looks like a virus and isn't tagged. You might also want to include some standard educational notes about viruses and their auto-sending, auto-forging habits.
RE: New Spammer?
Matt,

You are right, these are viruses being sent. I have been working with SA for about 6 months now, and I must say... originally I was confused about the 'features' of SA, but have since learned that SA has nothing to do with viruses. I probably alluded to the idea that I was worried SA wasn't scoring high enough, hence making everyone think that I felt SA should give a higher score b/c of the virus attached, but that is not what I was getting at.

You are also right that I need to send an email out to the users, and let them know about the virus outbreak. No message has made it through without being tagged, so the servers are working as they should. I mainly sent out the email to see if others were seeing an influx also.

Thanks for the information. As always, if it were not for this active mailing list, I would not be as knowledgeable as I am now... but I would still be considered a novice, much like what you and Julian have been discussing on the MailScanner list.

Casey

- Original Message -
From: Matt Kettler [mailto:[EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 9:47 AM
To: Casey King; SpamAssassin Users
Subject: Re: New Spammer?

> SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not care about virus emails. [...] tell your users in a broadcast email that there is a virus outbreak, but to not be concerned unless they have a message that looks like a virus and isn't tagged.
Re: New Spammer?
From: Matt Kettler [EMAIL PROTECTED]
> At 09:56 AM 11/22/2005, Casey King wrote:
>> At least my mailscanner boxes are stripping the files, and tagging it as spam, but what worries me, is the low scores these messages are receiving.
>
> SpamAssassin is a spam scanner. Its official policy is to EXPLICITLY not care about virus emails. No effort is made to try to catch them, because doing so would dilute the scores of the spam ruleset. [...]

Heh, I use the ClamAV plugin for SA and give it a hefty score. That way I get the best of both worlds. Creative use of BLs also helps.

{^_^}
Re: New Spammer?
Where are BLs setup at?

Thanks in advance..

Regards ..
Leonard Bernstein
| Email [EMAIL PROTECTED] | Mobile (917) 807-3883 | BlackBerry PIN 40082120 | Technology Consultant

- Original Message -
From: jdow [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Tuesday, November 22, 2005 5:37 PM
Subject: Re: New Spammer?

> Heh, I use the ClamAV plugin for SA and give it a hefty score. That way I get the best of both worlds. Creative use of BLs also helps.
Re: New Spammer?
jdow wrote:
> Heh, I use the ClamAV plugin for SA and give it a hefty score. That way I get the best of both worlds. Creative use of BLs also helps.

Local blacklists help a lot. If you figure most viruses are going to be sent directly from client PCs, and most of 'em are going to try repeatedly, a temporary block on any* IP that sends you a virus can save a whole lot of connection time, bandwidth, and scanning time.

*You want some safeguards, of course. Don't blacklist your upstream mail server, if you have one. Don't blacklist known forwarders. We only block IPs that appear to be DSL/cable modems and do not appear to be mail servers, plus we have a whitelist (in the don't-block-it sense, not in the accept-everything sense) of sites known to forward to our users, and we clear the blocks nightly. I expect greylisting would be similarly effective.

--
Kelson Vibber
SpeedGate Communications www.speed.net
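The temporary block Kelson describes, with each of his safeguards (never the upstream MX, never a known forwarder, only hosts that look like broadband modems and not like mail servers, cleared nightly), as an added example in Python; it is not SpeedGate's code. The rDNS keyword heuristics and the documentation-range IPs in `demo()` are assumptions made for the example.

```python
"""Temporary blocking of IPs that sent us a virus, with Kelson's safeguards.
Added example, not SpeedGate's code; the rDNS heuristics are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, Optional

# Assumed rDNS hints.  A real deployment tunes these to the names it actually sees.
BROADBAND_HINTS = re.compile(r"(dsl|cable|dyn|dhcp|pool|ppp)", re.I)
MAILSERVER_HINTS = re.compile(r"^(mail|smtp|mx|relay)\d*\.", re.I)


class VirusSenderBlocks:
    def __init__(self, upstream: Iterable[str], forwarders: Iterable[str],
                 ttl: timedelta = timedelta(hours=24)):
        # Never-block list: our upstream mail server(s) plus sites known to
        # forward mail to our users (the "don't-block-it" whitelist).
        self.never = [ipaddress.ip_network(n, strict=False)
                      for n in (*upstream, *forwarders)]
        self.ttl = ttl
        self.blocked: Dict[str, datetime] = {}   # ip -> expiry time

    def _protected(self, ip) -> bool:
        return any(ip in net for net in self.never)

    def report_virus(self, ip_str: str, rdns: Optional[str], now: datetime) -> bool:
        """Called when the scanner flags a message from ip_str; True if we blocked it."""
        ip = ipaddress.ip_address(ip_str)
        if self._protected(ip):
            return False                      # upstream MX or known forwarder
        if not rdns or not BROADBAND_HINTS.search(rdns):
            return False                      # does not look like a DSL/cable modem
        if MAILSERVER_HINTS.match(rdns):
            return False                      # looks like a mail server, leave it alone
        self.blocked[str(ip)] = now + self.ttl
        return True

    def should_reject(self, ip_str: str, now: datetime) -> bool:
        """Consulted at connection time, before any scanning is spent on the client."""
        expiry = self.blocked.get(ip_str)
        return expiry is not None and now < expiry

    def nightly_clear(self) -> int:
        """Drop every block (Kelson clears nightly); returns how many were dropped."""
        count = len(self.blocked)
        self.blocked.clear()
        return count


def demo() -> dict:
    """Constructed scenario using documentation-range addresses."""
    now = datetime(2005, 11, 23, 9, 0)
    b = VirusSenderBlocks(upstream=["203.0.113.10"], forwarders=["198.51.100.0/24"])
    return {
        "dsl_blocked": b.report_virus("192.0.2.77", "dsl-77.pool.example.net", now),
        "dsl_rejected_now": b.should_reject("192.0.2.77", now + timedelta(hours=1)),
        "upstream_blocked": b.report_virus("203.0.113.10", "dsl-ish.example.net", now),
        "forwarder_blocked": b.report_virus("198.51.100.5", "cable-5.example.net", now),
        "mailserver_blocked": b.report_virus("192.0.2.9", "mx1.cable-isp.example.net", now),
        "no_rdns_blocked": b.report_virus("192.0.2.8", None, now),
        "cleared": b.nightly_clear(),
        "rejected_after_clear": b.should_reject("192.0.2.77", now + timedelta(hours=1)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```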
Re: New Spammer?
Nowhere if he has no trusted network setup. That's his problem in a nutshell. He cannot usefully run network tests.

{^_^}

- Original Message -
From: Leonard SA [EMAIL PROTECTED]

> Where are BLs setup at?
Re: New Spammer?
J, sorry about that offline email .. :( Thanks for the answer also. I will definitely make some changes to adjust a more secure setup ..

Regards ..
Leonard

- Original Message -
From: jdow [EMAIL PROTECTED]
To: Leonard SA [EMAIL PROTECTED]
Sent: Tuesday, November 22, 2005 8:09 PM
Subject: Re: New Spammer?

> That is the general format. I do not have your original message to know if the data is correct. It almost looks like you are trusting WAY too much at the 70.119. part. Trust only the mail server(s) from which you expect to never forge emails itself. In my case I trust the set of mail servers earthlink lumps as pop3.earthlink.net outside of the local network.
>
> {^_^}
>
> - Original Message -
> From: Leonard SA [EMAIL PROTECTED]
> To: jdow [EMAIL PROTECTED]
> Sent: 2005 November, 22, Tuesday 16:38
> Subject: Re: New Spammer?
>
>> J, Is the trusted_network you're speaking of in the local.cf file as I have below?
>>
>> trusted_networks 192.168.2. 127.0.0.1 70.119.
>>
>> I also use badmailfrom which will block mail at the SMTP level .. is SA able to stop spam with some sort of BL / WL rules?
>>
>> Regards ..
>> Leonard
Re: New Spammer?
The key to understanding trusted is that these are mail transfer agents that you can trust not to forge headers. If you fetch from an ISP then it is, perforce, the ISP's pop3 or imap client through which you fetch mail with the fetchmail utility or equivalent. Such is my case. If you run an smtp server yourself and receive from the world then that server, by all its known addresses, is the extent of your trusted network.

These are NOT collections of addresses you trust not to spam you. They ARE a very few addresses that can be trusted not to forge headers and nothing more. That is why the bl tests throw up their hands and fail if trusted_networks is set wrong. It has to find at least ONE header, starting from the bottom, that it trusts. From the last address working upwards in the Received headers it can't trust so it performs the lookup.

If I remember correctly you were hitting ALL_TRUSTED. That is an indication that you have this setup messed up. Misunderstanding the use of the trusted_network concept is usually the problem. If you CAN change the local.cf then with a little work Bob's your uncle. (I remember my fortunately brief struggle with this.)

At the moment mine looks much like this:

trusted_networks 127/8 207.217.121/24
internal_networks 192.168/16

The 207 address space I accept is where Earthlink.net's pop3 servers live. I use fetchmail from them.

I hope this helps.

{^_^}

- Original Message -
From: Leonard SA [EMAIL PROTECTED]

> J, sorry about that offline email .. :( Thanks for the answer also. I will definitely make some changes to adjust a more secure setup ..
Re: New Spammer?
J,

Outstanding explanation :) Thank you..

I don't have the all_trusted setting; just the trusted_networks and the internal_networks .. I've made some adjustment to the other IP address with too much weight since this is a static IP and I can place the full address as a trusted network. This is my home static IP. The server is owned by me, runs publicly, is a qmail, apache, etc server.. so I can control it as necessary ..

Thanks again for all of your help

Regards ..
Leonard

- Original Message -
From: jdow [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Tuesday, November 22, 2005 9:41 PM
Subject: Re: New Spammer?

> The key to understanding trusted is that these are mail transfer agents that you can trust not to forge headers. [...] If I remember correctly you were hitting ALL_TRUSTED. That is an indication that you have this setup messed up.
Re: New Spammer?
No problem. I do like to help people when I can given time and knowledge. If it works you got lucky.

{^_-}

- Original Message -
From: Leonard SA [EMAIL PROTECTED]

> J, Outstanding explanation :) Thank you.. I don't have the all_trusted setting; just the trusted_networks and the internal_networks .. I've made some adjustment to the other IP address with too much weight since this is a static IP and I can place the full address as a trusted network.
Re: New Spammer?
By the way, aside from that the BLs are setup out of the box just about the way I use them.

{^_^}

- Original Message -
From: Leonard SA [EMAIL PROTECTED]

> J, Outstanding explanation :) Thank you.. I don't have the all_trusted setting; just the trusted_networks and the internal_networks ..
Re: New Spammer?
And as it turns out I had an address wrong and had slightly fooed up what was minimum needed for trusted. It turns out that this setup works just fine with fetchmail.

trusted_networks 127/8
internal_networks 192.168/16

It appears I was slightly overtrusting since Earthlink's pop3 and its smtp servers which don't use authentication share the same addresses. The above works quite nicely and should some idiot play with Earthlink.net's smtp to send spam it won't get the ALL_TRUSTED hit. I'm glad I got motivated to look at this a little closer.

This header seems to be key for being trusted via localhost.

Received: from smtp.earthlink.net [209.86.93.210] by localhost with POP3 (fetchmail-6.2.5) for [EMAIL PROTECTED] (single-drop); Tue, 22 Nov 2005 15:24:50 -0800 (PST)

Suits me fine!

{^_^}

- Original Message -
From: jdow [EMAIL PROTECTED]

> By the way, aside from that the BLs are setup out of the box just about the way I use them.
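How trusted_networks decides which relay the network tests look up, covering both jdow's explanation earlier in the thread and the final config above, as an added example in Python that models SpamAssassin's trust walk in simplified form (it is not SpamAssassin's code). The earthlink hop is the Received header jdow quotes; the sender 70.119.45.67 and Leonard's own static address 70.119.1.1 are constructed placeholders, since the thread gives neither.

```python
"""Simplified model of SpamAssassin's use of trusted_networks when it walks a
message's Received: headers.  Added example, not SpamAssassin's own code."""
import ipaddress
import re
from typing import List, Optional

# The bracketed IPv4 literal an MTA writes after the "from" host.
BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_network(spec: str) -> ipaddress.IPv4Network:
    """Turn one trusted_networks entry into an IPv4Network.

    Accepts the forms used in this thread: '127/8', '207.217.121/24',
    a trailing-dot prefix such as '192.168.2.' or '70.119.', and a plain
    host address such as '127.0.0.1'."""
    spec = spec.strip()
    if "/" in spec:
        addr, bits = spec.split("/", 1)
        octets, prefix = addr.split("."), int(bits)
    elif spec.endswith("."):
        octets = spec[:-1].split(".")
        prefix = 8 * len(octets)           # '70.119.' means 70.119.0.0/16
    else:
        octets, prefix = spec.split("."), 32
    octets += ["0"] * (4 - len(octets))   # pad short forms like '127' to four octets
    return ipaddress.ip_network(".".join(octets) + f"/{prefix}", strict=False)


def first_untrusted_relay(received: List[str], trusted_specs: List[str]) -> Optional[str]:
    """Walk Received: headers from the newest hop (top of the message) downwards.

    Each hop's "from" IP is checked against trusted_networks.  The first IP
    that is not trusted is the relay whose address the network tests look up.
    None means every hop was trusted: the condition under which SpamAssassin
    fires ALL_TRUSTED and has no external relay to test."""
    trusted = [parse_network(s) for s in trusted_specs]
    for header in received:
        match = BRACKETED_IP.search(header)
        if match is None:
            continue          # no IP literal (local pipe or submission); nothing to judge
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in trusted):
            return str(ip)
    return None


# Constructed header for Leonard's qmail box.  70.119.45.67 is an invented sender
# inside the 70.119. block he was trusting; 70.119.1.1 stands in for his own static
# address, which the thread does not give.
LEONARD_RECEIVED = [
    "Received: from unknown (HELO pc) [70.119.45.67] by mail.example.org with SMTP; "
    "Tue, 22 Nov 2005 09:50:00 -0500",
]
LEONARD_BROAD = ["192.168.2.", "127.0.0.1", "70.119."]      # what he posted
LEONARD_NARROW = ["192.168.2.", "127.0.0.1", "70.119.1.1"]  # only his own MTA

# jdow's fetchmail hop as quoted above (recipient address elided).
JDOW_RECEIVED = [
    "Received: from smtp.earthlink.net [209.86.93.210] by localhost with POP3 "
    "(fetchmail-6.2.5) (single-drop); Tue, 22 Nov 2005 15:24:50 -0800 (PST)",
]
JDOW_FINAL = ["127/8"]


if __name__ == "__main__":
    for label, hdrs, specs in [("leonard broad", LEONARD_RECEIVED, LEONARD_BROAD),
                               ("leonard narrow", LEONARD_RECEIVED, LEONARD_NARROW),
                               ("jdow 127/8", JDOW_RECEIVED, JDOW_FINAL)]:
        relay = first_untrusted_relay(hdrs, specs)
        print(label, "->", "ALL_TRUSTED" if relay is None else f"look up {relay}")
```

With the broad list every hop is trusted and the message hits ALL_TRUSTED; with the narrowed list the sender in 70.119. becomes the relay the DNSBL tests see.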
Re: New spammer trick?
Hello Andy,

Friday, September 17, 2004, 3:23:15 AM, you wrote:

AS> Hi, I just got a nigerian spam with a huge Reply-To: line! Never seen
AS> that trick before, but I suppose it works with quite a few of the
AS> recipients. Should we create a new rule for that? I can't think of
AS> a legitimate reason to have more than one address in the Reply-To
AS> line, right?

Rule I created and tested:

header   RM_hrt_multireply  Reply-To =~ /[EMAIL PROTECTED]@.+\@/
describe RM_hrt_multireply  has multiple reply to addresses
score    RM_hrt_multireply  0.100
#hist    RM_hrt_multireply  Created by Bob Menschel, Sep 17 2004
#hist    RM_hrt_multireply  idea from Andy Spiegl, SA-Users
#counts  RM_hrt_multireply  1s/0h of 66060 corpus (40104s/25956h RM) 09/17/04

Yes, that's only one hit out of 40k spam, but at least the one hit was spam.

Bob Menschel
New spammer trick?
Hi,

I just got a nigerian spam with a huge Reply-To: line! Never seen that trick before, but I suppose it works with quite a few of the recipients. Should we create a new rule for that? I can't think of a legitimate reason to have more than one address in the Reply-To line, right?

Here goes a sample:

From: chukwuelofu [EMAIL PROTECTED]
To: undisclosed-recipients: ;
Subject: I want to be your future partner/Response
Reply-To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED], ...

From The Desk Top Of Prof. Chukwu Elofu, MD/CEO Financial Consultant, Federal Republic Of Nigeria. ATTN: I have interest of investing in your country as such I decided to establish contact with you for assistance as soon as I am able to transfer my funds for this ...

--
Local Area Network in Australia: the LAN down under.
Re: New spammer trick?
Hi Loren,

> I suspect that is more of a broken spammer than a new trick.

Maybe both? :-)

> I can't see what good that line is going to do for the spammer.

Well, whoever replies to the spammer, telling him no matter what, mails his reply (usually including the quoted original mail) to everyone in the Reply-To line and therefore spreads it even further.

Andy.

--
Furthermore, I consider that Microsoft must be destroyed!
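A parser-based version of the check behind Bob Menschel's RM_hrt_multireply rule, together with Andy's point about where a reply to such a message goes, as an added example (not code from the list; the archived regex is mangled, so this implements the rule's stated intent, "more than one address in Reply-To", rather than the pattern). The messages and addresses are constructed placeholders; the second message shows the edge case a comma-count or bare `@.+@` match gets wrong.

```python
"""Count the mailboxes in a Reply-To header the way a rule like
RM_hrt_multireply needs to.  Added example, not the list's own code."""
import email
from email.utils import getaddresses
from typing import List

# Constructed message modelled on Andy's sample; .invalid addresses are placeholders.
MULTI_REPLY_TO = """\
From: chukwuelofu <sender@example.invalid>
To: undisclosed-recipients: ;
Subject: I want to be your future partner/Response
Reply-To: one@example.invalid, two@example.invalid,
 three@example.invalid, four@example.invalid

From The Desk Top Of Prof. Chukwu Elofu ...
"""

# One legitimate address whose quoted display name contains a comma.  Splitting
# on commas would count two mailboxes here; a real address parser counts one.
SINGLE_REPLY_TO = """\
From: Alice <alice@example.invalid>
Subject: meeting
Reply-To: "Smith, Alice" <alice@example.invalid>

see you at ten
"""


def reply_to_addresses(raw: str) -> List[str]:
    """Return the addr-spec of every mailbox in the (possibly folded) Reply-To header."""
    msg = email.message_from_string(raw)
    return [addr for _name, addr in getaddresses(msg.get_all("Reply-To", [])) if addr]


def rm_hrt_multireply(raw: str) -> bool:
    """True when Reply-To names more than one mailbox: the condition the rule scores.
    Bob's corpus numbers (1 hit in 40k spam, 0 in ham) are why it only carries 0.1."""
    return len(reply_to_addresses(raw)) > 1


def reply_recipients(raw: str) -> List[str]:
    """Where a mail client sends a reply: Reply-To if present, otherwise From
    (RFC 5322 section 3.6.2).  With a long Reply-To list, one reply from any
    recipient fans out to every address the spammer listed, which is Andy's point."""
    addrs = reply_to_addresses(raw)
    if addrs:
        return addrs
    msg = email.message_from_string(raw)
    return [addr for _name, addr in getaddresses(msg.get_all("From", [])) if addr]


if __name__ == "__main__":
    for label, raw in (("multi", MULTI_REPLY_TO), ("single", SINGLE_REPLY_TO)):
        print(label, rm_hrt_multireply(raw), reply_recipients(raw))
```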