Re: Speak to me of Bayes and scoring in SA 3.0
[EMAIL PROTECTED] writes: > I thought so too... Well, I don't think the scores are the problem -- they are pretty much as good as they can get given the training data. I mean the entire method of putting them into ranges and scoring those ranges. -- Daniel Quinlan ApacheCon! 13-17 November (3 SpamAssassin http://www.pathname.com/~quinlan/ http://www.apachecon.com/ sessions & more)
FW: ****SPAM****(10.8) CONGRATULATIONS, US$500,000.00 FOR YOU
-Original Message- From: MEGA MILLION [mailto:[EMAIL PROTECTED] Sent: Wednesday, September 15, 2004 1:44 PM To: [EMAIL PROTECTED] Subject: SPAM(10.8) CONGRATULATIONS, US$500,000.00 FOR YOU Spam detection software, running on the system "antispam.efastunding.com", has identified this incoming email as possible spam. The original message has been attached to this so you can view it (if it isn't spam) or label similar future email. If you have any questions, see @@CONTACT_ADDRESS@@ for details. Content analysis details: (10.8 points, 5.0 required) pts rule name description -- -- 2.4 MIME_BOUND_MANY_HEXSpam tool pattern in MIME boundary 0.0 FORGED_RCVD_HELO Received: contains a forged HELO 0.2 SUBJ_ALL_CAPS Subject is all capitals 1.0 MILLION_USDBODY: Talks about millions of dollars 1.6 UNCLAIMED_MONEYBODY: People just leave money laying around 0.0 US_DOLLARS_2 BODY: Mentions $$$ ($NNN.N m/USDNNN.N m/US$NN.N m) 0.0 LINES_OF_YELLING BODY: A WHOLE LINE OF YELLING DETECTED 1.6 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence between 51 and 100 [cf: 100] 0.2 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/) 2.9 NIGERIAN_BODY1 Message body looks like a Nigerian spam message 1+ 0.8 AWLAWL: From: address is in the auto white-list The original message was not completely plain text, and may be unsafe to open with some email clients; in particular, it may contain a virus, or confirm that your address can receive spam. If you wish to view it, it may be safer to save it to a file and open it with an editor. You have to love it when the spammers scan the SA-list on the web and then spam my SpamAssassin list account. --- Begin Message --- Title: CONGRATULATIONS, US$500,000.00 FOR YOU FROM THE DESK OF THE VICE PRESIDENT MEGA MILLION E-MAIL LOTTO INTERNATIONAL PROGRAM VIA CARDUCCI GIOSUE 16, 20123 MI, MILANO, ITALIA. INTERNATIONAL E-MAIL LOTTO PROMOTIONS/PRIZE AWARD. BATCH NO: MMEL/EU/4750/17860/811 REF. No: MMEL/EU/31420/11020/310 WINNING NOTIFICATION / FINAL NOTICE This is to inform you of the release of the MEGA MILLION E-MAIL LOTTERY BALLOT INTERNATIONAL/ WORLD GAMING BOARD held on the 28TH of August 2004 and the results released on the 30th of August 2004. Your email address attached to Ticket No:351601563 with Serial No 215320356 drew the lucky numbers of 10-81-22-67-04-70 which consequently won the lottery in the 2nd category. You have therefore been approved for a lump sum payout of $500,000 Dollars (Five Hundred Thousand United States Dollars) in cash credited to file Ref.No: MMEL/EU/4750/17860/811 This is from a total cash prize of $28 million United States Dollars shared among several international lucky winners in the premium, 1st, 2nd and 3rd categories respectively. Due to mix up of some numbers and names, we ask that you keep your winning information confidential until your claims has been processed and your money Remitted to you. This is part of our security protocol to avoid double claiming and unwarranted abuse of this program by some participants. All participants were selected through a computer ballot system drawn from only Microsoft users from over 20,000 company, and 3,000,000 individual email addresses all over the world. To begin your lottery claim, do contact the claims manager on MRS. FREDRICKS LINDA CLAIMS MANAGER MEGA MILLION LOTTO INTERNATIONAL SPA [EMAIL PROTECTED] Note that all winning must be claimed not later than 18th Oct. 2004. After this date all unclaimed funds will be included in the next stake. Please note in order to avoid unnecessary delays and complications do remember to quote your reference number and batch numbers in all correspondence. Furthermore, should there be any change of address do not hesitate inform your claims manager as soon as possible. Congratulations once more from our members of staff and thank you for being part of our promotional program. Note: Anybody under the age of 18 is automatically disqualified. Staff and family members of Mega Million Lotto SpA are disallowed from participation in the end of year US$1.6 Billion high stakes. Yours Sincerely, ANTONIO BELLUCI [EMAIL PROTECTED] Lottery Coordinator --- End Message ---
Re: Speak to me of Bayes and scoring in SA 3.0
On 16 Sep 2004 13:39:30 -0700, "Daniel Quinlan" <[EMAIL PROTECTED]> said: > Bart Schaefer <[EMAIL PROTECTED]> writes: > > > Feeding the Bayes rules through the scoring algorithm seems to imply a > > lack of trust in the accuracy of the classifier. > > Mostly not. It's needed to map from the 0 to 1.0 "probability" to the > SpamAssassin threshold-based scoring method. Even in more pure Bayesian > systems, users still have to figure out where to put stuff into the spam > bucket and it's often not at 0.50. Our technique avoids the problem of > people having two different calibrations. Plus, there's the lack of > trust thing, but that's a lesser factor. > > I think we could use a better way to merge Bayesian results into the > SpamAssassin score, though. I thought so too... I added the following to my local.cf based on Bayes scores of spam we receive. Spammers are really trying hard to make their spams look hammy, but regular users are (hopefully) not trying to make their hams look spammy. So I weighted the scores in that direction since my Bayes engine seems much more likely to give my ham a very low score than to give my spam a very high score. Spammers can fairly easily get their Bayes scores down to about 50% probability, but it's much more difficult to get them down below 40% probability since they would have to know your particular organization's 'hammy' tokens (which would not remain hammy for long if you're training regularly). score BAYES_00 -4.9 score BAYES_01 -2.1 score BAYES_10 -1.5 score BAYES_20 -1.0 score BAYES_30 -0.5 score BAYES_40 0.1 score BAYES_44 0.7 score BAYES_50 1.0 score BAYES_56 1.5 score BAYES_60 2.1 score BAYES_70 3.1 score BAYES_80 4.2 score BAYES_90 4.9 score BAYES_99 5.4 -- [EMAIL PROTECTED]
Re: Speak to me of Bayes and scoring in SA 3.0
Bart Schaefer <[EMAIL PROTECTED]> writes: > Feeding the Bayes rules through the scoring algorithm seems to imply a > lack of trust in the accuracy of the classifier. Mostly not. It's needed to map from the 0 to 1.0 "probability" to the SpamAssassin threshold-based scoring method. Even in more pure Bayesian systems, users still have to figure out where to put stuff into the spam bucket and it's often not at 0.50. Our technique avoids the problem of people having two different calibrations. Plus, there's the lack of trust thing, but that's a lesser factor. I think we could use a better way to merge Bayesian results into the SpamAssassin score, though. Daniel -- Daniel Quinlan ApacheCon! 13-17 November (3 SpamAssassin http://www.pathname.com/~quinlan/ http://www.apachecon.com/ sessions & more)
Re: [RDJ] Weird Rules Du Jour Warning
Hi Josh, Would you try removing all the lines such as: [ ${VARIABLE} ] || declare -a VARIABLE; and then re-running? I'm clueless what is causing this. I'm not certain that [ ${PARSE_NEW_VER_SCRIPTS} ] syntax is proper, but it's been working for me for quite some time.My system is also Debian (sarge). I'm using bash 2 now, but I just tried it on bash 3 and it worked with that as well. On Thu, 2004-09-16 at 12:09 -0500, Josh Trutwin wrote: > On Thu, 16 Sep 2004 10:59:56 -0500 > Chris Thielen <[EMAIL PROTECTED]> wrote: > > > Hi Josh, > > On Wed, 2004-09-15 at 15:57 -0500, Josh Trutwin wrote: > > > Hi, > > > > > > Every time I run rules_du_jour (latest version) I get a > > > warning/error message, but I cannot tell where it is. I changed > > > perl to/usr/bin/perl -w and this is what it displays: > > > > > > # /root/bin/rules_du_jour > > > /root/bin/rules_du_jour: [: too many arguments > > > > Odd. Try adding "set -v" on a blank to the top of the rules_du_jour > > script (a line or two after the #!/bin/bash) and run it again. > > Ok, did that though I'm not sure it helped with the output. The full > output of this command is available at http://www.netbits.us/rdj.txt > > Search for "too many" to find the error. > > Josh > -- Chris Thielen Easily generate SpamAssassin rules to catch obfuscated spam phrases (0BFU$C/\TED SPA/\/\ P|-|RA$ES): http://www.sandgnat.com/cmos/ Keep up to date with the latest third party SpamAssassin Rulesets: http://www.exit0.us/index.php/RulesDuJour signature.asc Description: This is a digitally signed message part
Speak to me of Bayes and scoring in SA 3.0
Pointers to archived discussion - or, better, some kind of rationale in the SA documentation - would be fine. I haven't been able to follow the developers list closely for quite some time. What I'm curious about is why the BAYES_* rules are fed through the scoring algorithm along with everything else. (I understand about why the scores end up being what they are after the algorithm finishes.) Feeding the Bayes rules through the scoring algorithm seems to imply a lack of trust in the accuracy of the classifier. Perhaps this is a side-effect of having very few negative-scoring rules that can lower the score by looking for ham (lack of which, I comprehend, is to prevent deliberate spoofing), but it would have made sense to me to e.g. fix the score for BAYES_99 at 4.95, BAYES_95 at 4.75, BAYES_90 at 4.50, etc., and then let the scoring algorithm fit the rest of the rules around that. Perhaps not so linear a mapping, but you get the idea. So, why not?
Re: [OT] FUN: Something to send your family members!
Chris Santerre <[EMAIL PROTECTED]> wrote: > So for anyone who knows what I'm talking about on this page, feel > free to spam it to all your friends and family! ;) > > http://www.rulesemporium.com/rant.html The really funny thing is that for the first 10 years of my professional life I ran a help desk call center! -- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Chris Barnes AOL IM: CNBarnes [EMAIL PROTECTED]Yahoo IM: chrisnbarnes
RE: [SARE] Some SARE spam.
She looks like the girl from CSI except blonde. Then again, her eyebrows aren't! From: Jim Maul [mailto:[EMAIL PROTECTED] Sent: Thu 9/16/2004 8:32 AM To: users@spamassassin.apache.org Subject: Re: [SARE] Some SARE spam. Quoting Chris Santerre <[EMAIL PROTECTED]>: > Greetings Spamfighters. > > This is the only time I'll mention this. I , yes I, requested a paypal > donate button for SARE. I put it up on the homepage of SARE. I wanted this > just because our host has been very good to us, and put up with quite a lot > of traffic :) They Never asked for anything. Not even a mention, which I > will do. > > Nxtek, for all your hosting needs! www.nxtek.net/ > NO I don't know the cute girl's name on their page. They won't tell me! :) > Personally i like her better http://www.relaycom.com/rcanswer.html But i just got a thing for blondes... -Jim
RE: [SARE] Some SARE spam.
> Does anyone else seriously think that donating to a open > source project > should be a tax write off? Or am I the only one??? Would a > project have to > become a non profit? I just see sooo many people donating > things to open > source, they should at least get a tax break. I mean, I can > work in a soup > kitchen and get a write off for my time, but spending hours > fighting spam > for the world? The SA devs shouldn't have to ever pay taxes ;) > > Chris Santerre > System Admin and SARE Ninja > http://www.rulesemporium.com > http://www.surbl.org > 'It is not the strongest of the species that survives, > not the most intelligent, but the one most responsive to change.' > Charles Darwin > Do the words 501(c)3 mean anything to you? :)
Re: Subject line
Jeff Koch <[EMAIL PROTECTED]> wrote: > I certainly agree with a simple [SA} prefix so that the SA emails > don't get lost and deleted with all the other stuff I get. However, > this came up a few months ago and the SA list nazis decided that we > must be too stupid not to have programmed our email clients to > automatically sort our email. Those of us in favor got voted down. You could do what I do and read the messages via the gmane newsgroup mirror. NOTHING shows up in my inbox, yet I see everything I want. -- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + Chris Barnes AOL IM: CNBarnes [EMAIL PROTECTED]Yahoo IM: chrisnbarnes
Re: [sa-list] sign up for spam
On Thu, 16 Sep 2004, Lucas Albers wrote: Posting to the usenet seems to be a good way to go about it. Try posting a few personals to alt.sex.fetish.diapers or something. Disclaimer: I'm kidding, of course. -Dan Any ideas on how to go through the process of signing up for spam. Someone stole one of my friends credit card's number, and signed up with some porno sites with his real email address. I wanted to sign up the thief to every spamming email list on the planet. I think this same idea would be applicable to seeding spamtrap's. -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana -- "Ca. Tas. Tro. Phy." -John Smedley, March 28th 1998, 3AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
RE: sign up for spam
Why not just report the thief to your local law enforcement agency? That would seem a much more appropriate way to go. After all, the thief could just get SpamAssassin and never see any of that spam you signed him/her up for. -Original Message- From: Lucas Albers [mailto:[EMAIL PROTECTED] Sent: September 16, 2004 1:48 PM To: users@spamassassin.apache.org Subject: sign up for spam Any ideas on how to go through the process of signing up for spam. Someone stole one of my friends credit card's number, and signed up with some porno sites with his real email address. I wanted to sign up the thief to every spamming email list on the planet. I think this same idea would be applicable to seeding spamtrap's. -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana
sign up for spam
Any ideas on how to go through the process of signing up for spam. Someone stole one of my friends credit card's number, and signed up with some porno sites with his real email address. I wanted to sign up the thief to every spamming email list on the planet. I think this same idea would be applicable to seeding spamtrap's. -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana
RE: SA 3 & Win32/Exchange
Jamie Pratt scribbled on Thursday, September 16, 2004 6:27 AM: > Hi, I've been looking at how to integrate SA 3 (or 2.64 if > not possible > for 3) with MS exchange and have been looking at this page: > > http://www.christopherlewis.com/ExchangeSpamAssassin.htm > > ... Seems doable, but now wondering if anyone out here has any > experience or feedback on the implementation of this in the > real world.. > gotchas/caveats/tips I'll take anything I can get, as it seems pretty > complex to install and I don't want to try it unless I'm > fairly sure I > can get it to work properly first, and of course I lack a > spare server > to test with right now... (big surprise) :-( > > Thanks! > jamie Jamie, I looked at that a while back when I was looking for a cost-effective (read cheap) solution for spam and antivirus scanning for our Exchange server. I too was in the same boat not having a non-production server to test on. I decided it wasn't worth taking a chance and built up a Linux box and installed MailScanner, Spamassassin and ClamAV. Couldn't be happier. It catches 95+% of spam and has not let a virus through since it was put into place. I simply created a secondary MX DNS record for it and firewalled port 25 incoming to the Exchange box and allowed 25 to the Linux box and it just works! Sendmail receives email from the internet, MailScanner calls Spamassassin and ClamAV, hands it back to Sendmail to relay to the exchange box. If I need to take it off line (which I haven't had to do so far) all I have to do is allow port 25 to the Exchange box and there is no mail interruptions. We process 3-8k emails a day and I put this together on a surplus P233 box with 196MB of memory. From testing it looks like it could easily process 20-25k messages a day. It is very configurable and will do much more than the solution you're currently looking at. I know that didn't really address your question but thought I'd give you another option. At least this way you're not taking chances with your production box. I'm not by any means a Linux guru but found the install fairly easy and put the whole thing together in an afternoon. You could also email Chris and ask him directly. I've found open-source developers to be very approachable and generally helpful if asked nicely. HTH Ken Ken Goods Network Administrator AIA Insurance, Inc.
Re: Creating a custom tag via a plugin
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Michael Parker writes: > On Thu, Sep 16, 2004 at 09:35:34AM -0700, Justin Mason wrote: > > > > I'm pretty sure there's a bugzilla bug open about this... I can't find it > > though. Could you open a bug at http://bugzilla.spamassassin.org/ > > to request it? > > Turns out it's easy enough to do, but it might be cool to add a hook > that gets called in _get_tag and passes in the %tags hash so you can > stick things in there. Or something similar. if I recall correctly, someone was suggesting a method callback; in other words, the plugin would call a function something like register_tag_callback("TAGNAME", $self, \&my_method); and the tag-expansion code would then know to call $self->my_method(...) if that tag was encountered, to get its value ($self being the plugin obj in that case). this sounds perfect to me. - --j. -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Exmh CVS iD8DBQFBSc5BQTcbUG5Y7woRAvTXAJsFJMdrZGADrlwObevtxsh0YZdGywCePvlM iTsrziyyxsxxQ/PwJwKE+aI= =FFeQ -END PGP SIGNATURE-
Re: [sa-list] Lost Newbie
Dan Mahoney, System Admin said: > > By the way, the defaults are usually pretty decent (and get way better > once the bayes magic starts working). Perhaps you should look at WHY ham > is being caught, and be sure to teach your users how to properly whitelist > their mail if there's a problem. There are presently solutions for this > with IMAP, Procmail, and for shell users. I think SA is good enough with proper bayes score that only to whitelist very very rarely. -- Luke Computer Science System Administrator Security Administrator,College of Engineering Montana State University-Bozeman,Montana
Re: Creating a custom tag via a plugin
On Thu, Sep 16, 2004 at 09:35:34AM -0700, Justin Mason wrote: > > > I'm pretty sure there's a bugzilla bug open about this... I can't find it > though. Could you open a bug at http://bugzilla.spamassassin.org/ > to request it? > Turns out it's easy enough to do, but it might be cool to add a hook that gets called in _get_tag and passes in the %tags hash so you can stick things in there. Or something similar. Michael
Re: [RDJ] Weird Rules Du Jour Warning
On Thu, 16 Sep 2004 10:59:56 -0500 Chris Thielen <[EMAIL PROTECTED]> wrote: > Hi Josh, > On Wed, 2004-09-15 at 15:57 -0500, Josh Trutwin wrote: > > Hi, > > > > Every time I run rules_du_jour (latest version) I get a > > warning/error message, but I cannot tell where it is. I changed > > perl to/usr/bin/perl -w and this is what it displays: > > > > # /root/bin/rules_du_jour > > /root/bin/rules_du_jour: [: too many arguments > > Odd. Try adding "set -v" on a blank to the top of the rules_du_jour > script (a line or two after the #!/bin/bash) and run it again. Ok, did that though I'm not sure it helped with the output. The full output of this command is available at http://www.netbits.us/rdj.txt Search for "too many" to find the error. Josh
Re: Creating a custom tag via a plugin
On Thu, Sep 16, 2004 at 12:01:21PM -0400, Brian Keifer wrote: [snip] > > I'd like to add a second value, specified by the user and stored in > the same table as all of the other SA prefs. This would be a second, > higher, score that I'd like to have inserted as a second header into > each message marked as spam. Maildrop would then compare the value of > this new header to the number of hits the message got. If the number > of hits is greater than this second threshold, the maildrop script > will delete the message without delivering it. I'd envisioned the > second header appearing something like this: > > X-Spam-Delete: 9.3 > > In this situation, any messages that got a score of 9.3 or greater > would never make it to the user's mailbox. > > I've found the add_header option but naturally none of the _TAGS_ > reference my custom value. What I'd like to know is if there's a way > to create an additional tag via a SA 3.0 plugin. Failing that, is > there a way to take an arbitrary value from SA's config table and > inject it into a header? add_header is the way to go. Here is a short plugin that adds a new config option (custom_delete_score) and a new TAG value that you can use in the add_header command. Here is the module, just drop this in somewhere, sorry for the lack of documentation, hopefully it's self explainable: package Mail::SpamAssassin::Plugin::CustomDeleteTag; use Mail::SpamAssassin::Plugin; use strict; use bytes; use vars qw(@ISA); @ISA = qw(Mail::SpamAssassin::Plugin); sub new { my $class = shift; my $mailsaobject = shift; # some boilerplate... $class = ref($class) || $class; my $self = $class->SUPER::new($mailsaobject); bless ($self, $class); return $self; } sub parse_config { my ($self, $opts) = @_; my $key = $opts->{key}; if ($key eq 'custom_delete_score') { if ($opts->{value} =~ /^\d+$/) { $opts->{conf}->{custom_delete_score} = $opts->{value}; $self->inhibit_further_callbacks(); return 1; } } return 0; } sub parsed_metadata { my ($self, $opts) = @_; $opts->{permsgstatus}->{tag_data}->{CUSTOMDELETESCORE} = $opts->{permsgstatus}->{conf}->{custom_delete_score}; } 1; Then I added this to my init.pre: loadplugin Mail::SpamAssassin::Plugin::CustomDeleteTag And this to my local.cf: add_header all Delete _CUSTOMDELETESCORE_ In my user_prefs file I have: custom_delete_score 56 You could just as easily put this in your SQL user prefs table. Which when run against any message give this header: X-Spam-Delete: 56 Hopefully that helps. Michael
Re: Creating a custom tag via a plugin
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 I'm pretty sure there's a bugzilla bug open about this... I can't find it though. Could you open a bug at http://bugzilla.spamassassin.org/ to request it? - --j. Brian Keifer writes: > I'm using SpamAssassin 3.0 RC5 to tag messages according to per-user > preferences specified in an SQL database. Users have the ability to > modify their settings in the database via a web-based application > (Sam, part of the Horde project). One of the settings is > required_hits. If the message gets tagged as spam, a maildrop script > delivers the message to the user's "SPAM" mailbox. If it's not spam, > it gets delivered normally. > > I'd like to add a second value, specified by the user and stored in > the same table as all of the other SA prefs. This would be a second, > higher, score that I'd like to have inserted as a second header into > each message marked as spam. Maildrop would then compare the value of > this new header to the number of hits the message got. If the number > of hits is greater than this second threshold, the maildrop script > will delete the message without delivering it. I'd envisioned the > second header appearing something like this: > > X-Spam-Delete: 9.3 > > In this situation, any messages that got a score of 9.3 or greater > would never make it to the user's mailbox. > > I've found the add_header option but naturally none of the _TAGS_ > reference my custom value. What I'd like to know is if there's a way > to create an additional tag via a SA 3.0 plugin. Failing that, is > there a way to take an arbitrary value from SA's config table and > inject it into a header? > > Thanks in advance, > > -Brian -BEGIN PGP SIGNATURE- Version: GnuPG v1.2.4 (GNU/Linux) Comment: Exmh CVS iD8DBQFBScDWQTcbUG5Y7woRAnIeAKDsLPg4pjaRd/ma/kJhx9tD48RJGgCcDMU+ 9VwCUrZUwxo4roX/jlTfc3o= =lVBl -END PGP SIGNATURE-
Creating a custom tag via a plugin
Hi, list. I'm using SpamAssassin 3.0 RC5 to tag messages according to per-user preferences specified in an SQL database. Users have the ability to modify their settings in the database via a web-based application (Sam, part of the Horde project). One of the settings is required_hits. If the message gets tagged as spam, a maildrop script delivers the message to the user's "SPAM" mailbox. If it's not spam, it gets delivered normally. I'd like to add a second value, specified by the user and stored in the same table as all of the other SA prefs. This would be a second, higher, score that I'd like to have inserted as a second header into each message marked as spam. Maildrop would then compare the value of this new header to the number of hits the message got. If the number of hits is greater than this second threshold, the maildrop script will delete the message without delivering it. I'd envisioned the second header appearing something like this: X-Spam-Delete: 9.3 In this situation, any messages that got a score of 9.3 or greater would never make it to the user's mailbox. I've found the add_header option but naturally none of the _TAGS_ reference my custom value. What I'd like to know is if there's a way to create an additional tag via a SA 3.0 plugin. Failing that, is there a way to take an arbitrary value from SA's config table and inject it into a header? Thanks in advance, -Brian
Re: [RDJ] Weird Rules Du Jour Warning
Hi Josh, On Wed, 2004-09-15 at 15:57 -0500, Josh Trutwin wrote: > Hi, > > Every time I run rules_du_jour (latest version) I get a warning/error > message, but I cannot tell where it is. I changed perl to > /usr/bin/perl -w and this is what it displays: > > # /root/bin/rules_du_jour > /root/bin/rules_du_jour: [: too many arguments Odd. Try adding "set -v" on a blank to the top of the rules_du_jour script (a line or two after the #!/bin/bash) and run it again. > \1 better written as $1 at -e line 1. > > The latter warning seems related to the CURL detection. > > As near as I can guess the "[:" is coming from one of these lines: > PARSE_NEW_VER_SCRIPTS[0]="${PERL} -ne 'print if > /^\s*#.*(vers?|version|rev|revision)[:\.\s]*[0-9]/i;' | sort | > ${TAIL}"; > > The error occurs right away before the bulk of output messages for > each rule. > > I tried turning on -v on /bin/bash and it appears the message comes > from parsing: > > [ ${PARSE_NEW_VER_SCRIPTS} ] || \ > declare -a PARSE_NEW_VER_SCRIPTS; # Command to > run on the file to retrieve new version info > /root/bin/rules_du_jour: [: too many arguments > > > Tried to put this all on one line - same result. > > Any thoughts? My /etc/mail/rulesdujour can be found at: > http://www.netbits.us/rulesdujour > > Oh - perl 5.6.1 on debian > > Thanks, > > Josh > -- Chris Thielen Easily generate SpamAssassin rules to catch obfuscated spam phrases (0BFU$C/\TED SPA/\/\ P|-|RA$ES): http://www.sandgnat.com/cmos/ Keep up to date with the latest third party SpamAssassin Rulesets: http://www.exit0.us/index.php/RulesDuJour signature.asc Description: This is a digitally signed message part
Re: Rule Suggestion
At 10:39 AM 9.16.2004 -0400, Ryan Moore wrote: >Dan Mahoney, System Admin wrote: >> Guys, >> >> Given that some spammers like to just slam mail at everyone at an entire >> domain, is there an option to "greylist" these addresses? >> >> For example, my father's wife peggy has the domain peggytaggart.com, she >> ONLY gives out the peggy@ email address for this. >> >> For some unknown reason, the whole domain is popular with spammers. >> I've added a global rule in my virtusertable to just drop anything >> not-destined for peggy: >> > >I'm not sure if this would work given your setup, but worth mention >perhaps. There is a milter designed to find out of the rcpt of a message >is valid if the rcpt isn't local (ie: you gateway mail down to another >box). Milter-ahead is the name, I use it sorta, I actually use >milter-sender which has the same features of milter-ahead plus much >more. You can get it from: http://www.milter.info > > > >Ryan Moore >-- Ryan: Did you compile a Berkely DB3 or better into sendmail? I would like to use milter-sender, but no luck yet. Figured it was the DB2 in the base system sendmail-8.12.11. Best regards, Jack L. Stone, Administrator Sage American http://www.sage-american.com [EMAIL PROTECTED]
Re: Rule Suggestion
On Thu, 16 Sep 2004, David B Funk wrote: On Wed, 15 Sep 2004, Dan Mahoney, System Admin wrote: Guys, Given that some spammers like to just slam mail at everyone at an entire domain, is there an option to "greylist" these addresses? For example, my father's wife peggy has the domain peggytaggart.com, she ONLY gives out the peggy@ email address for this. [snip..] (What's really annoying is that sendmail doesn't log the ip of the remote connection until it's done (if you're blocking them) -- I'd love to be able to create an RBL on this and nip it in the bud). This is a sendmail config issue. Just up the "LogLevel" a few notches. Then it will add log entries for every connection opening (as well as other stuff). However, while spamassassin seems to have whitelist_to (and I could whitelist_to [EMAIL PROTECTED]), this defeats any other spamassassin tactics. I could also do blacklist_to herdomain.com but this would effectively LIMIT her real mail. I guess what I'm looking to know is if there's any way for users who get all the mail for a specific domain (like she does) to list which ones are "real" (but still may get spam), and which ones aren't (so they're likely definitely spam). Just write a custom rule, so that if the 'To:' contains "@peggytaggart.com" but isn't "[EMAIL PROTECTED]" then hit. Also, wouldn't it be a good idea for SpamAssassin to start going off on multiple emails to the same domain from the same address/ip? Potentially really bad idea. For example our central admin likes to send out periodic notices to groups of students (one message, one source, thousands of recipients). They would -not- be amused if it were tagged by SA. Which is where whitelist_from_recvd would come in. Your central admin, I'm sure, is within your mail sphere, and you would probably want to accept mail from him, even *if* he's sending out an email about generic viagra. However, this would also not apply in the situation I'm talking about, because the preference I'm looking for is per-user: I have a header inserted, the X-Envelope-To: header, that makes it apparent where mail is being sent. Spamassassin could check this and work on it. It doesn't even have to be a scoring rule, it could simply work to report the ip, for future refusal by sendmail. I'm not saying that this is a good rule for everyone, but I've always believed rulesets, much like bayes databases, are isomorphic. This is a rule that would best suit those people who receive mail for an entire domain. Since procmail runs as *them*, it would have to keep a table of recipients, and source ip addresses in the same way it maintains their bayes databases. -Dan -- "Your future hasn't been written yet; no one's has. So make it a good one!" -"Doc" Emmet L. Browne, Back to the Future III Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: [SARE] Some SARE spam.
Quoting Chris Santerre <[EMAIL PROTECTED]>: Greetings Spamfighters. This is the only time I'll mention this. I , yes I, requested a paypal donate button for SARE. I put it up on the homepage of SARE. I wanted this just because our host has been very good to us, and put up with quite a lot of traffic :) They Never asked for anything. Not even a mention, which I will do. Nxtek, for all your hosting needs! www.nxtek.net/ NO I don't know the cute girl's name on their page. They won't tell me! :) Personally i like her better http://www.relaycom.com/rcanswer.html But i just got a thing for blondes... -Jim
Re: Sendmail - Mimedefang - Spamassassin
On Thu, Sep 16, 2004 at 05:08:23PM +0200, Trevor Dodds wrote: > All outbound email flow through this server aswell. So I need all > internal mail servers to be > skiped. You need to talk to the mimedefang guys and ask how you do that. It has nothing to do with SpamAssassin itself. -- Randomly Generated Tagline: "Q: How many surrealists does it take to screw in a lightbulb? A: Two. One to hold the giraffe and the other to fill the bathtub with brightly colored machine tools." - Unknown pgpThUvO3vJ9e.pgp Description: PGP signature
Sendmail - Mimedefang - Spamassassin
Hi, I've installed Sendmail 8.13.1 / MIMEdefang 2.44 / Spamassassin 2.64 - This is a relay server. I've added trusted_networks 172.16/16 to the sa-mimedefang.cf but this doesn't help. All outbound email flow through this server aswell. So I need all internal mail servers to be skiped. Thanks Trevor
Re: [sa-list] Re: Spammers Bypassing Whitelists / Rule Suggestion / Performance
On Thu, 16 Sep 2004, Stewart Nelson wrote: Turn this around and make a rule for it. I have one and it works great. FROM_ME_TO_ME. The description says, "Why the hell would I get email from myself, from outside!" Well, I often send myself email, usually to store some (important to me but not sensitive) information so it can be accessed from other locations by IMAP or Webmail. It's nearly always from 'inside', but occasionally my laptop is connected via a customer's or vendor's firewall that blocks connection to my SMTP server by SSL or ASMTP, and also blocks the non-standard port my Webmail is on, but permits access to a local outgoing SMTP relay. Voilà. Viruses, I handle for them, I am sure they don't want them. I have had trouble with systems blocking .eml and .url attachments. Unfortunately, when a user (that doesn't know better) clicks the Mail button in IE and selects Send a Link, a message with a .url attachment is created. Likewise, selecting 'Forward as Attachment' in Outlook or OE generates a .eml . I'm not blocking those. For a while I was using the www.impsec.org procmail rules, but I've switched over to an antivirus milter that can run against McAfee or with a little modification, ClamAV. -Dan -- "You can't call yourself a dork if you don't use UNIX!" -Dan Mahoney, May 1997 Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: Rule Suggestion
On Thu, 16 Sep 2004, Ryan Moore wrote: Dan Mahoney, System Admin wrote: Guys, Given that some spammers like to just slam mail at everyone at an entire domain, is there an option to "greylist" these addresses? For example, my father's wife peggy has the domain peggytaggart.com, she ONLY gives out the peggy@ email address for this. For some unknown reason, the whole domain is popular with spammers. I've added a global rule in my virtusertable to just drop anything not-destined for peggy: I'm not sure if this would work given your setup, but worth mention perhaps. There is a milter designed to find out of the rcpt of a message is valid if the rcpt isn't local (ie: you gateway mail down to another box). Milter-ahead is the name, I use it sorta, I actually use milter-sender which has the same features of milter-ahead plus much more. You can get it from: http://www.milter.info No, because the "next hop" gateway is procmail, which by default delivers everything. I *suppose* it could be heavily modified to see if a given message would be sent by procmail to /dev/null, but that involves running every check procmail would, and some of those (including spamassassin) would only be known once the message was accepted. Not a perfect fit, but the offer is appreciated. -Dan Mahoney -- "I can feel it, comin' back again...Like a rolling thunder chasin' the wind..." -Dan Mahoney, JS, JB & SL, May 10th, 1997, Approx 1AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: Rule Suggestion
Dan Mahoney, System Admin wrote: Guys, Given that some spammers like to just slam mail at everyone at an entire domain, is there an option to "greylist" these addresses? For example, my father's wife peggy has the domain peggytaggart.com, she ONLY gives out the peggy@ email address for this. For some unknown reason, the whole domain is popular with spammers. I've added a global rule in my virtusertable to just drop anything not-destined for peggy: I'm not sure if this would work given your setup, but worth mention perhaps. There is a milter designed to find out of the rcpt of a message is valid if the rcpt isn't local (ie: you gateway mail down to another box). Milter-ahead is the name, I use it sorta, I actually use milter-sender which has the same features of milter-ahead plus much more. You can get it from: http://www.milter.info Ryan Moore -- Perigee.net Corporation 704-849-8355 (sales) 704-849-8017 (tech) www.perigee.net
Re: [SARE] Some SARE spam.
On Thu, Sep 16, 2004 at 09:36:53AM -0400, Chris Santerre wrote: > Does anyone else seriously think that donating to a open source project > should be a tax write off? Or am I the only one??? Would a project have to You know, if you donate to the Apache Software Foundation (see http://apache.org/foundation/contributing.html), it is a tax deductable. :) -- Randomly Generated Tagline: I've run DOOM more in the last few days than I have the last few months. I just love debugging ;-) (Linus Torvalds) pgpXCkOlbzjML.pgp Description: PGP signature
Re: Skip mail already checked mails?
At 03:43 AM 8/21/2004, Xavier wrote: relay1 & relay2 have booth a SpamAssassing running. Problem: when a mail is received on relay2, it's being check by SA and tagged as spam. Later, relay2 sent it to relay1. relay1 don't mark it as spam??? How to re-use the tags added by relay2? How do you call SA? Via procmail? If so, create a procmail rule that looks for "X-Spam-Status: Yes," and bypass SA if it's present. However, be sure to not skip mails which have a No for the spam status. Spammers could abuse that as a free-ride past your scanners.
Re: Spammers bypassing filters
Dan Mahoney, System Admin wrote: [...] Here's an example to show what I mean. From: Ackermanmloz <[EMAIL PROTECTED]> > To: [EMAIL PROTECTED] Did you whitelist mail from or to the prime.gushi.org domain, or to danm? X-Spam-Checker-Version: SpamAssassin 2.64 (2004-01-11) on prime.gushi.org X-Spam-Status: No, hits=-81.4 required=5.0 tests=BAYES_99,HTML_MESSAGE, INVALID_MSGID,MIME_BOUND_DD_DIGITS,MIME_HTML_ONLY, MIME_HTML_ONLY_MULTI,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL, USER_IN_WHITELIST autolearn=no version=2.64 It's your configuration, since it hit USER_IN_WHITELIST. to get a -100. Without that, it would've been an 18.6 apparently. How are you running sa? Sitewide spamd, or just spamassassin called per-user? Check the user_prefs of the user running sa, or the system-wide local.cf for: whitelist_from whitelist_from_rcvd etc. for any patterns that might match. - Bob
RE: [SARE] Some SARE spam.
BTW, if you open source project happened to have an NPO license from the state for which it holds a license to conduct business (yes, I know it's an oxymoron) which isn't hard to get then yes, donations would be a tax write off... Gary > -Original Message- > From: Chris Santerre [mailto:[EMAIL PROTECTED] > Sent: Thursday, September 16, 2004 6:37 AM > To: Spamassassin-Talk (E-mail) > Subject: [SARE] Some SARE spam. > > Greetings Spamfighters. > > This is the only time I'll mention this. I , yes I, requested a paypal > donate button for SARE. I put it up on the homepage of SARE. I wanted this > just because our host has been very good to us, and put up with quite a > lot > of traffic :) They Never asked for anything. Not even a mention, which I > will do. > > Nxtek, for all your hosting needs! www.nxtek.net/ > NO I don't know the cute girl's name on their page. They won't tell me! :) > > > So anywho, this doesn't go to my Nvidia 6800 or Dodge viper slush funds. I > spent that on an ice coffee yesterday. Anything you donate goes to our > host. > And NO, you don't have to donate anything to use SARE. > > If you do donate, make it odd amounts. Like they all end in 37 cents. Just > to drive them silly ;) > > Does anyone else seriously think that donating to a open source project > should be a tax write off? Or am I the only one??? Would a project have to > become a non profit? I just see sooo many people donating things to open > source, they should at least get a tax break. I mean, I can work in a soup > kitchen and get a write off for my time, but spending hours fighting spam > for the world? The SA devs shouldn't have to ever pay taxes ;) > > Chris Santerre > System Admin and SARE Ninja > http://www.rulesemporium.com > http://www.surbl.org > 'It is not the strongest of the species that survives, > not the most intelligent, but the one most responsive to change.' > Charles Darwin
[SARE] Some SARE spam.
Greetings Spamfighters. This is the only time I'll mention this. I , yes I, requested a paypal donate button for SARE. I put it up on the homepage of SARE. I wanted this just because our host has been very good to us, and put up with quite a lot of traffic :) They Never asked for anything. Not even a mention, which I will do. Nxtek, for all your hosting needs! www.nxtek.net/ NO I don't know the cute girl's name on their page. They won't tell me! :) So anywho, this doesn't go to my Nvidia 6800 or Dodge viper slush funds. I spent that on an ice coffee yesterday. Anything you donate goes to our host. And NO, you don't have to donate anything to use SARE. If you do donate, make it odd amounts. Like they all end in 37 cents. Just to drive them silly ;) Does anyone else seriously think that donating to a open source project should be a tax write off? Or am I the only one??? Would a project have to become a non profit? I just see sooo many people donating things to open source, they should at least get a tax break. I mean, I can work in a soup kitchen and get a write off for my time, but spending hours fighting spam for the world? The SA devs shouldn't have to ever pay taxes ;) Chris Santerre System Admin and SARE Ninja http://www.rulesemporium.com http://www.surbl.org 'It is not the strongest of the species that survives, not the most intelligent, but the one most responsive to change.' Charles Darwin
RE: Subject line
> -Original Message- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > Sent: Thursday, September 16, 2004 4:10 AM > To: users@spamassassin.apache.org > Subject: Re: Subject line > > > Dave Goodrich wrote: > > I was non committal on the whole subject when this started. > I tend to > > disagree with militant list nazis regardless of the topic > or the view > > they put forth. > > This is the second time in this thread that Nazis have been > mentioned. I hereby invoke Godwin's Law and declare that this > thread is over! > > Bob You mean it's jumped the shark? ;-) -Joe K.
SA 3 & Win32/Exchange
Hi, I've been looking at how to integrate SA 3 (or 2.64 if not possible for 3) with MS exchange and have been looking at this page: http://www.christopherlewis.com/ExchangeSpamAssassin.htm ... Seems doable, but now wondering if anyone out here has any experience or feedback on the implementation of this in the real world.. gotchas/caveats/tips I'll take anything I can get, as it seems pretty complex to install and I don't want to try it unless I'm fairly sure I can get it to work properly first, and of course I lack a spare server to test with right now... (big surprise) :-( Thanks! jamie
Re: Subject line
Dave Goodrich wrote: > I was non committal on the whole subject when this started. I tend to > disagree with militant list nazis regardless of the topic or the view > they put forth. This is the second time in this thread that Nazis have been mentioned. I hereby invoke Godwin's Law and declare that this thread is over! Bob
Re: [OT] FUN: Something to send your family members!
From: "Roger Taranto" <[EMAIL PROTECTED]> > On Wed, 2004-09-15 at 09:14, Chris Santerre wrote: > > > So for anyone who knows what I'm talking about on this page, feel free to > > spam it to all your friends and family! ;) > > > You *must* check out the t-shirts here: > http://www.thinkgeek.com/tshirts/frustrations/ > > Especially this one: http://www.thinkgeek.com/tshirts/frustrations/388b/ > > And, this one is a personal favorite: > http://www.thinkgeek.com/tshirts/frustrations/6b6e/ I wonder how many geeks would buy a teeshirt with only the letters "I" and "O" on it in the specific order "IOOOIOI" {O.O} Saw that on a California license plate and nearly had an accident I fell to laughing so hard at the big one somebody slipped past the DMV - at least for awhile.
Re: Rule Suggestion
On Wed, 15 Sep 2004, Dan Mahoney, System Admin wrote: > Guys, > > Given that some spammers like to just slam mail at everyone at an entire > domain, is there an option to "greylist" these addresses? > > For example, my father's wife peggy has the domain peggytaggart.com, she > ONLY gives out the peggy@ email address for this. [snip..] > (What's really annoying is that sendmail doesn't log the ip of the remote > connection until it's done (if you're blocking them) -- I'd love to be > able to create an RBL on this and nip it in the bud). This is a sendmail config issue. Just up the "LogLevel" a few notches. Then it will add log entries for every connection opening (as well as other stuff). > However, while spamassassin seems to have whitelist_to (and I could > whitelist_to [EMAIL PROTECTED]), this defeats any other spamassassin > tactics. I could also do blacklist_to herdomain.com but this would > effectively LIMIT her real mail. I guess what I'm looking to know is if > there's any way for users who get all the mail for a specific domain (like > she does) to list which ones are "real" (but still may get spam), and > which ones aren't (so they're likely definitely spam). Just write a custom rule, so that if the 'To:' contains "@peggytaggart.com" but isn't "[EMAIL PROTECTED]" then hit. > Also, wouldn't it be a good idea for SpamAssassin to start going off on > multiple emails to the same domain from the same address/ip? Potentially really bad idea. For example our central admin likes to send out periodic notices to groups of students (one message, one source, thousands of recipients). They would -not- be amused if it were tagged by SA. -- Dave Funk University of Iowa College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_adminIowa City, IA 52242-1527 #include Better is not better, 'standard' is better. B{
Re: [OT] FUN: Something to send your family members!
Roger Taranto wrote: You *must* check out the t-shirts here: http://www.thinkgeek.com/tshirts/frustrations/ Especially this one: http://www.thinkgeek.com/tshirts/frustrations/388b/ I wear that one whenever I go visit my father, wear it just for him ;] And, this one is a personal favorite: http://www.thinkgeek.com/tshirts/frustrations/6b6e/ -Roger Ryan Moore -- Perigee.net Corporation 704-849-8355 (sales) 704-849-8017 (tech) www.perigee.net
Re: [OT] FUN: Something to send your family members!
On Wed, 2004-09-15 at 09:14, Chris Santerre wrote: So for anyone who knows what I'm talking about on this page, feel free to spam it to all your friends and family! ;) You *must* check out the t-shirts here: http://www.thinkgeek.com/tshirts/frustrations/ Especially this one: http://www.thinkgeek.com/tshirts/frustrations/388b/ And, this one is a personal favorite: http://www.thinkgeek.com/tshirts/frustrations/6b6e/ -Roger
Re[2]: Cannot whitelist this address
Hello Tobin, Wednesday, September 15, 2004, 7:24:42 AM, you wrote: T> Thanks for your response. I tried whitelisting the spoofed address. And T> then yes the IP which I know is porposterous but Im desparate. Then I T> whitelisted the SMTP DNS name which is also wrong. Im lost as to what I T> should do. T> whitelist_from 216.136.XX.XX T> whitelist_from mail.XXX.com T> all_spam_to [EMAIL PROTECTED] These are ADDRESS commands. You can't whitelist a domain (mail.XXX.com), you need to whitelist an address ([EMAIL PROTECTED]). Bob Menschel Matt Kettler <[EMAIL PROTECTED]> 9/14/2004 7:02:59 PM >>> T> At 05:11 PM 9/14/2004, Tobin wrote: >>If anyone can help I thank you. I run SA on win32. We use a third T> party >>application which sends emails via SMTP from out DMZ to our T> mailserver. >>The email is generated with a spoofed name and then sent so the T> headers >>are partially fake. SA is detecting this and I cannot find anyway to T> let >>this email through. I have hand-fed it through as ham and also >>whitelisted the spoofed address, the IP addres and nothing yet is >>working. Could someone give me some insight? T> Could you post an example of how you went about whitelisting the T> address? T> Exactly? T> I'm concerned you've got some problems understanding the config file T> format, as there's no way to whitelist an IP address in SA, so I'm T> concerned you're running around adding errors to your configfile and SA T> is T> just spitting the whole thing out and ignoring it. T> Can you run spamassassin --lint to check the config for errors?
Re: Spammers Bypassing Whitelists / Rule Suggestion / Performance
Turn this around and make a rule for it. I have one and it works great. FROM_ME_TO_ME. The description says, "Why the hell would I get email from myself, from outside!" Well, I often send myself email, usually to store some (important to me but not sensitive) information so it can be accessed from other locations by IMAP or Webmail. It's nearly always from 'inside', but occasionally my laptop is connected via a customer's or vendor's firewall that blocks connection to my SMTP server by SSL or ASMTP, and also blocks the non-standard port my Webmail is on, but permits access to a local outgoing SMTP relay. Voilà. Viruses, I handle for them, I am sure they don't want them. I have had trouble with systems blocking .eml and .url attachments. Unfortunately, when a user (that doesn't know better) clicks the Mail button in IE and selects Send a Link, a message with a .url attachment is created. Likewise, selecting 'Forward as Attachment' in Outlook or OE generates a .eml . In addition, it is sometimes good to receive a virus. I occasionally recognize a customer's or vendor's IP address as the source, and advise them of the problem. They are generally appreciative, and that is good for business. The biggest performance benefit you'll see is if you use spamd. The pre-forking of children makes an incredible amount of difference. Just ask Michael Jackson :) --Stewart
Re: Rule Suggestion
On Wed, 15 Sep 2004, Kelson wrote: Dan Mahoney, System Admin wrote: Yes, I know this. I actually wrote something to create a RBL based on virus senders. I'd just like to be able to drop (or maybe teergrube) the connection in the BEGINNING instead of after the hangup. Look into the sendmail config option BAD_RCPT_THROTTLE. The value is the max number of allowed invalid recipients after which sendmail starts delaying responses to sender. (Basically after each RCPT it sleeps before sending "user unknown.") The "user unknown" response is the exception rather than the rule, unfortunately. Normally all mail goes through unblocked. Unless I start running sendmail as a milter, which I believe would remove any ability to do user_prefs. -Dan -- "It's buttery kettle ASS corn!" -Dan Mahoney, Ezzi Computers, 10/22/03, 2AM Dan Mahoney Techie, Sysadmin, WebGeek Gushi on efnet/undernet IRC ICQ: 13735144 AIM: LarpGM Site: http://www.gushi.org ---
Re: Rule Suggestion
Dan Mahoney, System Admin wrote: Yes, I know this. I actually wrote something to create a RBL based on virus senders. I'd just like to be able to drop (or maybe teergrube) the connection in the BEGINNING instead of after the hangup. Look into the sendmail config option BAD_RCPT_THROTTLE. The value is the max number of allowed invalid recipients after which sendmail starts delaying responses to sender. (Basically after each RCPT it sleeps before sending "user unknown.") Unfortunately the delay is (was) hardcoded to 1 second, but it'll at least slow them down a little. -- Kelson Vibber SpeedGate Communications