Re: blacklist_to

2005-09-12 Thread hamann . w

Hi,

I am in a similar situation but would describe the problem slightly differently:
although the mail goes to me (I must be somewhere in To, Cc or Bcc) it also
goes to unknown users.
I have not counted my spams, but it seems that the "and somebody else" case and
the "not me" case both appear in high quantities.

Wolfgang Hamann

 One of my most productive rule 'hits' is on users that are in 
 blacklist_to. My mail is sucked down with fetchmail from my provider, so 
 I don't have the luxury (I don't think) of blocking mail for unknown 
 users at that level.
 
 Is it possible to have a rule in blacklist_to for NOT [EMAIL PROTECTED] ? 
 If so, how.
 
 Thanks,
 Mike
 






Re: blacklist_to

2005-09-12 Thread Loren Wilton
 I have not counted my spams but it seems that the and somebody else case
 and the not me case both appear in high quantities.

Yep.  I have rules for both of those cases, and they do moderately well.
However, how well they will do is very dependent on your personal situation.
I don't expect to get any mail that is cc-ed to other people on earthlink,
so that is an easy spam check.  At work such a rule would never work,
because I get things cc-ed to many other people there all the time.

Also, a rule that checks to see if my name appears in the ToCc list will
fail for most mailing lists.  Since I'm not on very many of those, I just
have them whitelisted sufficiently to get around the negative hit for not
having my name.

So those kinds of things can be useful rules in some cases, and worse than
worthless in others.

Loren



blocked from rulesemporium.com

2005-09-12 Thread George Georgalis
I sometimes run rules_du_jour every few days, but typically
less than once a week. My conf has about 15 rulesets from
rulesemporium.com. Sometimes I'll run it several times in the
course of maintaining other scripts, but I've never had a problem.

Until today, it's been at least a few days since I tried
to connect, but I've not been able to connect at all from
66.250.170.210.

How can I go about finding why I was blacklisted? It would be nice
to get an email to [EMAIL PROTECTED] on the occasion of being blacklisted
from this service.

// George


-- 
George Georgalis, systems architect, administrator IXOYE
http://galis.org/ cell:646-331-2027 mailto:[EMAIL PROTECTED]


Re: blocked from rulesemporium.com

2005-09-12 Thread Loren Wilton
Are you sure you are blocked?  Rulesemporium moved hosts over the weekend.
So if you are using an ip address, it is probably wrong.

Of course, having moved hosts, it is possible that the blocking script may
have suffered a problem.

But check first that you are really connecting to the right place.

Loren



Re: blocked from rulesemporium.com

2005-09-12 Thread Raymond Dijkxhoorn

Hi!


Are you sure you are blocked?  Rulesemporium moved hosts over the weekend.
So if you are using an ip address, it is probably wrong.

Of course, having moved hosts, it is possible that the blocking script may
have suffered a problem.

But check first that you are really connecting to the right place.


I can't reach the site either, from various places on the internet. There 
must be something wrong either with the connectivity of the old site, or 
perhaps DNS issues playing up? What should be the correct IP?


Bye,
Raymond.


Re: blacklist_to

2005-09-12 Thread jdow

From: Loren Wilton [EMAIL PROTECTED]

I have not counted my spams but it seems that the and somebody else case
and the not me case both appear in high quantities.


Yep.  I have rules for both of those cases, and they do moderately well.
However, how well they will do is very dependent on your personal situation.

I don't expect to get any mail that is cc-ed to other people on earthlink,
so that is an easy spam check.  At work such a rule would never work,
because I get things cc-ed to many other people there all the time.


I use more than two CC to earthlink. Sometimes we're on the same lists.
{^_-}


Also, a rule that checks to see if my name appears in the ToCc list will
fail for most mailing lists.  Since I'm not on very many of those, I just
have them whitelisted sufficiently to get around the negative hit for not
having my name.


I have the mailing list problem. So I do not demand ToCc to have me in it.
But if earthlink appears it better have me in it then it better also have
me in it and no more than one other. It also better be to the correct format
earthlink address. (THAT really is a good spam trap.)

{^_-} 
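The "not me" and "me and somebody else" recipient checks discussed in this thread, written out as an added example (not code from the list or from SpamAssassin). It runs the heuristics over raw message headers: MY_ADDRESS, HOME_DOMAIN and the sample messages are constructed stand-ins for the posters' Earthlink details, and the mailing-list exception stands in for the whitelisting Loren describes.

```python
from email import message_from_string
from email.utils import getaddresses

# Assumptions (stand-ins for the posters' own Earthlink details):
MY_ADDRESS = "me@example.com"   # the local user's address
HOME_DOMAIN = "example.com"     # plays the role of "earthlink" in the thread


def tocc_addresses(msg):
    """All addresses in To and Cc, lower-cased (SpamAssassin's ToCc pseudo-header)."""
    raw_headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    return [addr.lower() for _name, addr in getaddresses(raw_headers) if addr]


def looks_like_list_mail(msg):
    """Mailing-list traffic legitimately omits the subscriber from To/Cc, so
    the recipient checks must not run on it (Loren whitelists his lists)."""
    if "List-Id" in msg or "List-Post" in msg:
        return True
    return (msg.get("Precedence") or "").strip().lower() in ("list", "bulk")


def recipient_hits(raw_message):
    """Return the recipient rules a message triggers, in a fixed order."""
    msg = message_from_string(raw_message)
    if looks_like_list_mail(msg):
        return []
    rcpts = tocc_addresses(msg)
    at_home = [a for a in rcpts if a.endswith("@" + HOME_DOMAIN)]
    hits = []
    if MY_ADDRESS not in rcpts:
        # the "not me" case; note it also fires on legitimate Bcc mail
        hits.append("NOT_TO_ME")
    if at_home and MY_ADDRESS not in at_home:
        # mail to my provider's users that skips me
        hits.append("HOME_DOMAIN_WITHOUT_ME")
    if MY_ADDRESS in at_home and len(at_home) > 2:
        # jdow's rule: me plus no more than one other address at my provider
        hits.append("HOME_DOMAIN_CROWD")
    return hits


SAMPLES = {  # constructed headers, not real mail
    "direct": "To: Me <me@example.com>\nSubject: hi\n\nbody\n",
    "neighbours": "To: bob@example.com\nCc: carol@example.com\nSubject: offer\n\nbody\n",
    "crowd": "To: me@example.com, bob@example.com\nCc: carol@example.com\n"
             "Subject: offer\n\nbody\n",
    "list": "To: users@lists.example.org\nList-Id: <users.lists.example.org>\n"
            "Subject: question\n\nbody\n",
    "bcc": "To: undisclosed-recipients:;\nSubject: offer\n\nbody\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:10} {recipient_hits(raw)}")
```

In SpamAssassin itself these would be `header` rules against the `ToCc` pseudo-header combined with `meta` rules. The code keeps Hamann's caveat visible: mail that reaches you only via Bcc trips NOT_TO_ME exactly as spam does, which is why Loren calls such rules worthless in some setups and why the list exception matters.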



Re: blocked from rulesemporium.com

2005-09-12 Thread jdow

From: Raymond Dijkxhoorn [EMAIL PROTECTED]

Hi!

Are you sure you are blocked?  Rulesemporium moved hosts over the weekend.
So if you are using an ip address, it is probably wrong.

Of course, having moved hosts, it is possible that the blocking script may
have suffered a problem.

But check first that you are really connecting to the right place.


I can't reach the site either, from various places on the internet. There 
must be something wrong either with the connectivity of the old site, or 
perhaps DNS issues playing up? What should be the correct IP?


It works just fine here if you use www.rulesemporium.com rather than a
dotted IP address. And no, I will NOT tell you the correct IP address. The
correct address is as stated via a dns lookup. That way you can properly
take place in the load balancing process.

{^_^} 



Re: blocked from rulesemporium.com

2005-09-12 Thread Raymond Dijkxhoorn

Hi!

I can't reach the site either, from various places on the internet. There 
must be something wrong either with the connectivity of the old site, or 
perhaps DNS issues playing up? What should be the correct IP?



It works just fine here if you use www.rulesemporium.com rather than a
dotted IP address. And no, I will NOT tell you the correct IP address. The
correct address is as stated via a dns lookup. That way you can properly
take place in the load balancing process.


Really? Before you make fun out of me, perhaps check the DNS:

[EMAIL PROTECTED] raymond]$ dig www.rulesemporium.com @ns4.rulesemporium.com

; <<>> DiG 9.2.2-P3 <<>> www.rulesemporium.com @ns4.rulesemporium.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.rulesemporium.com. IN  A

;; ANSWER SECTION:
www.rulesemporium.com.  28800   IN  A   216.218.134.27

It seems one of your DNS servers is stale.

;; ANSWER SECTION:
rulesemporium.com.  1200  IN  SOA  ns1.rulesemporium.com. 
dnsadmin.rulesemporium.com. 1124484134 1800 600 604800 1200

;; ANSWER SECTION:
rulesemporium.com.  1200  IN  SOA  ns1.rulesemporium.com. 
dnsadmin.rulesemporium.com. 1124484333 1800 600 604800 1200

The serial on ns4 is higher than the rest of the nameservers and is showing up 
a different IP.

Bye,
Raymond.


Re: More unintentional spam humor/irony

2005-09-12 Thread Thomas Cameron

At 03:21 PM 9/11/2005, Justin Mason wrote:

 The choice of anti-bayes-filler below is unfortunate on so many levels

nasty.   but unsurprising -- I've always thought that news/current events
would make the best bayes poison -- certainly beats 19th century
prose


J, I think the unfortunate part that Barton was referring to (the part 
that creates humor) is the joining of E. coli with a weight loss spam.


Getting E. coli is a quick way to lose weight, but a VERY unpleasant and 
rather grotesque way to do it.


(slightly gross, as this page describes the symptoms of E. coli, but 
nothing too graphic:)


http://www.cdc.gov/ncidod/dbmd/diseaseinfo/escherichiacoli_g.htm

So, how would you like to try my new weight loss program, recognized by 
the CDC itself!


I dunno, I thought the mention of the Army Corps of Engineers and pumping in 
the same message as a lose weight message was pretty funny as well...


Thomas 



Re: blocked from rulesemporium.com

2005-09-12 Thread George Georgalis
...it would seem ns4 is broken

# ns1.rulesemporium.com 
answer: rulesemporium.com 28800 A 38.99.66.94
additional: ns1.rulesemporium.com 28800 A 38.99.66.94
additional: ns2.rulesemporium.com 28800 A 64.218.27.102
additional: ns3.rulesemporium.com 28800 A 24.249.115.102
additional: ns4.rulesemporium.com 28800 A 195.141.89.209
answer: www.rulesemporium.com 28800 A 38.99.66.94
additional: ns1.rulesemporium.com 28800 A 38.99.66.94
additional: ns2.rulesemporium.com 28800 A 64.218.27.102
additional: ns3.rulesemporium.com 28800 A 24.249.115.102
additional: ns4.rulesemporium.com 28800 A 195.141.89.209

# ns2.rulesemporium.com 
answer: rulesemporium.com 28800 A 38.99.66.94
additional: ns1.rulesemporium.com 28800 A 38.99.66.94
additional: ns2.rulesemporium.com 28800 A 64.218.27.102
additional: ns3.rulesemporium.com 28800 A 24.249.115.102
additional: ns4.rulesemporium.com 28800 A 195.141.89.209
answer: www.rulesemporium.com 28800 A 38.99.66.94
additional: ns1.rulesemporium.com 28800 A 38.99.66.94
additional: ns2.rulesemporium.com 28800 A 64.218.27.102
additional: ns3.rulesemporium.com 28800 A 24.249.115.102
additional: ns4.rulesemporium.com 28800 A 195.141.89.209

# ns3.rulesemporium.com 
answer: rulesemporium.com 28800 A 38.99.66.94
additional: ns1.rulesemporium.com 28800 A 38.99.66.94
additional: ns2.rulesemporium.com 28800 A 64.218.27.102
additional: ns3.rulesemporium.com 28800 A 24.249.115.102
additional: ns4.rulesemporium.com 28800 A 195.141.89.209
answer: www.rulesemporium.com 28800 A 38.99.66.94
additional: ns1.rulesemporium.com 28800 A 38.99.66.94
additional: ns2.rulesemporium.com 28800 A 64.218.27.102
additional: ns3.rulesemporium.com 28800 A 24.249.115.102
additional: ns4.rulesemporium.com 28800 A 195.141.89.209

# ns4.rulesemporium.com 
answer: rulesemporium.com 28800 A 216.218.134.27
answer: www.rulesemporium.com 28800 A 216.218.134.27

If it is coming offline, um, well the other NS servers don't know that.

// George

-- 
George Georgalis, systems architect, administrator IXOYE
http://galis.org/ cell:646-331-2027 mailto:[EMAIL PROTECTED]
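The comparison Raymond and George made by hand, as an added example (not code from the thread or from rulesemporium): take each authoritative server's answers in presentation format, and report any server whose SOA serial or A records disagree with the primary. The responses are constructed from the values quoted above; `audit_zone`, `parse_rrs` and the other names are this example's own, and in real use the text would come from one dig or dnsq run per nameserver.

```python
# Assumption: each nameserver has been queried separately (dig/dnsq) and the
# answer-section lines saved as 'owner ttl IN type rdata...' text.

SOA_SERIAL_FIELD = 2  # SOA rdata: mname rname serial refresh retry expire minimum


def parse_rrs(text):
    """Parse presentation-format lines into (owner, type, rdata) tuples;
    comment lines starting with ';' and anything too short are skipped."""
    rrs = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0].startswith(";") or fields[2] != "IN":
            continue
        owner, _ttl, _class, rtype, *rdata = fields
        rrs.append((owner.lower(), rtype.upper(), rdata))
    return rrs


def soa_serial(rrs):
    """Serial from the zone's SOA record, or None if the server returned none."""
    for _owner, rtype, rdata in rrs:
        if rtype == "SOA" and len(rdata) > SOA_SERIAL_FIELD:
            return int(rdata[SOA_SERIAL_FIELD])
    return None


def a_records(rrs, owner):
    """Sorted A-record addresses for one owner name (trailing dot included)."""
    return sorted(rdata[0] for o, rtype, rdata in rrs if rtype == "A" and o == owner)


def audit_zone(responses, primary, owners):
    """Compare every server's SOA serial and A records against the primary.
    Any divergence is reported: a serial that is *ahead* of the primary is as
    suspicious as one behind it (ns4 in the thread was ahead yet served the
    old address, because it transferred the zone from the wrong master)."""
    base = parse_rrs(responses[primary])
    base_serial = soa_serial(base)
    findings = []
    for ns, text in responses.items():
        if ns == primary:
            continue
        rrs = parse_rrs(text)
        serial = soa_serial(rrs)
        if serial != base_serial:
            direction = "ahead of" if (serial or 0) > (base_serial or 0) else "behind"
            findings.append(f"{ns}: SOA serial {serial} is {direction} {primary} ({base_serial})")
        for owner in owners:
            theirs, ours = a_records(rrs, owner), a_records(base, owner)
            if theirs != ours:
                findings.append(f"{ns}: {owner} A {theirs} differs from {primary} {ours}")
    return findings


# Constructed from the values quoted in the thread (dig-style single-line SOA).
CONSENSUS = """\
rulesemporium.com.     1200  IN  SOA  ns1.rulesemporium.com. dnsadmin.rulesemporium.com. 1124484134 1800 600 604800 1200
www.rulesemporium.com. 28800 IN  A    38.99.66.94
"""
DIVERGENT = """\
rulesemporium.com.     1200  IN  SOA  ns1.rulesemporium.com. dnsadmin.rulesemporium.com. 1124484333 1800 600 604800 1200
www.rulesemporium.com. 28800 IN  A    216.218.134.27
"""
RESPONSES = {
    "ns1.rulesemporium.com": CONSENSUS,
    "ns2.rulesemporium.com": CONSENSUS,
    "ns3.rulesemporium.com": CONSENSUS,
    "ns4.rulesemporium.com": DIVERGENT,
}

if __name__ == "__main__":
    for finding in audit_zone(RESPONSES, "ns1.rulesemporium.com", ["www.rulesemporium.com."]):
        print(finding)
```

Checking only "is the secondary's serial lower than the primary's" would have passed ns4 here, which is the point of reporting every disagreement in either direction and of comparing the records users actually resolve, not just the serial.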



Re: blocked from rulesemporium.com

2005-09-12 Thread jdow

From: George Georgalis [EMAIL PROTECTED]


On Mon, Sep 12, 2005 at 12:19:11AM -0700, Loren Wilton wrote:

Are you sure you are blocked?  Rulesemporium moved hosts over the weekend.
So if you are using an ip address, it is probably wrong.


Thanks for the info.  I reloaded my dns cache.  It would seem

www.rulesemporium.com = 216.218.134.27
   rulesemporium.com = 38.99.66.94

The rules seem at rulesemporium.com, but my scripts use 
www.rulesemporium.com *sigh*


Hm, I do not use rulesdujour. I built my own script. It uses wget at the
www.rulesemporium.com address. I also note that you do NOT have the correct
IP address for www.rulesemporium.com.

That suggests your DNS server has not run out the TTL on its cache for this
item or you have it in your host file. Remove it from your host file if it
is there.

{^_^} 



Re: blocked from rulesemporium.com

2005-09-12 Thread jdow

From: Raymond Dijkxhoorn [EMAIL PROTECTED]


It works just fine here if you use www.rulesemporium.com rather than a
dotted IP address. And no, I will NOT tell you the correct IP address. 
The

correct address is as stated via a dns lookup. That way you can properly
take place in the load balancing process.


Really? Before you make fun out of me, perhaps check the DNS:

[EMAIL PROTECTED] raymond]$ dig www.rulesemporium.com @ns4.rulesemporium.com


; <<>> DiG 9.2.2-P3 <<>> www.rulesemporium.com @ns4.rulesemporium.com
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6512
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.rulesemporium.com. IN  A

;; ANSWER SECTION:
www.rulesemporium.com.  28800   IN  A   216.218.134.27

It seems one of your DNS servers is stale.

;; ANSWER SECTION:
rulesemporium.com.  1200  IN  SOA  ns1.rulesemporium.com. 
dnsadmin.rulesemporium.com. 1124484134 1800 600 604800 1200


;; ANSWER SECTION:
rulesemporium.com.  1200  IN  SOA  ns1.rulesemporium.com. 
dnsadmin.rulesemporium.com. 1124484333 1800 600 604800 1200


The serial on ns4 is higher than the rest of the nameservers and is 
showing up a different IP.


It does indeed. They goofed. It should be fixed up. On another paw I note that
such Earthlink nameserver addresses as I have show it as the correct address.

I wonder if ns4 should even be active anymore.

{^_^} 



Very simple user query...

2005-09-12 Thread Steve [Spamassasin]
I'm using spamassassin (Razor, Pyzor, DCC) and procmail to filter all my 
mail on my (Gentoo) linux-server, to which I connect from a number of 
Windows (XP/2000) machines using Mozilla Thunderbird to access my 
(dovecot) IMAP folders on the linux server.  I configured spamassassin 
to use Rulesdujour and to regularly update those rules - and I was 
very happy... at least 99.99% of spam was correctly marked with only one 
incident of false positives (for which spamassassin wasn't entirely to 
blame) in several months.


Lately I've been less lucky - only ~99% of my spam is marked as such... 
which sounds good but the remaining 1% gives me up to a dozen bogus 
messages each day... which is frustrating.  To the naked eye the missed 
spam is obviously spam - but typically the only significant rule it 
triggers is the Bayesian rule...  As I've stuck to the default settings 
this alone is insufficient to identify a mail as spam.


I'm left with several questions...

   * Is there somewhere where I can report spams which aren't caught by
     the default configuration in order to feed back into future
     improvements?
   * Is there an easy way to report spam explicitly to the checksum
     services (Razor/Pyzor/DCC)?

Any other suggestions are welcome...

Steve



Re: Very simple user query...

2005-09-12 Thread Michael Monnerie
On Monday, 12 September 2005 11:27 Steve [Spamassasin] wrote:
 Lately I've been less lucky - only ~99% of my spam is marked as
 such...

Same for me: getting some Russian SPAM, which is even only sometimes 
recognised by bayes. Could it be problems with Cyrillic?

But I even get English SPAM that doesn't trigger. Even worse, it says 
bayes_00 and gives -2.599 points, effectively marking it as HAM...

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




RE: Very simple user query...

2005-09-12 Thread Martin Hepworth
Steve

What version of SA and what URI-RBL's are you using??

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300




**

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.   

**



Re: Very simple user query...

2005-09-12 Thread Steve [Spamassasin]

Martin Hepworth wrote:


Steve

OK - what do you get for spamassassin -D --lint ??
 


Output attached: sdlint.txt...


This will give you the list of tests etc it's triggering along with things
that might be causing problems. The URI-RBLs are enabled by default in most 
configs, but Gentoo might have removed this from the init.pre (as it is in the 
RH rpms) which is a right PITA.

In /etc/mail/spamassassin there should be a init.pre file and the following
line should be enabled to make the URI-RBL's work..

loadplugin Mail::SpamAssassin::Plugin::URIDNSBL

if it doesn't exist or has a # in the front then that will not help at all.

I've got that line... and I can confirm that some RBLs do work - for 
example - a spam was classified today with these matches:



 0.5 SARE_MSGID_ADDED       Message ID added by later system
 1.7 MSGID_FROM_MTA_ID      Message-Id for external message added locally
 0.1 RAZOR2_CF_RANGE_51_100 BODY: Razor2 gives confidence level above 50%
                            [cf: 100]
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 1.5 RAZOR2_CHECK           Listed in Razor2 (http://razor.sf.net/)
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
 2.0 RCVD_IN_SORBS_DUL      RBL: SORBS: sent directly from dynamic IP address
                            [213.106.39.160 listed in dnsbl.sorbs.net]
 1.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?213.106.39.160]
 3.1 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [213.106.39.160 listed in sbl-xbl.spamhaus.org]
 1.6 DNS_FROM_RFC_POST      RBL: Envelope sender in postmaster.rfc-ignorant.org
 0.1 RCVD_IN_NJABL_DUL      RBL: NJABL: dialup sender did non-local SMTP
                            [213.106.39.160 listed in combined.njabl.org]
 1.0 URIBL_SBL              Contains an URL listed in the SBL blocklist
                            [URIs: e4v.net]
 0.4 URIBL_AB_SURBL         Contains an URL listed in the AB SURBL blocklist
                            [URIs: e4v.net]
 2.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: e4v.net]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: e4v.net]
 3.2 URIBL_OB_SURBL         Contains an URL listed in the OB SURBL blocklist
                            [URIs: e4v.net]
 4.3 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: e4v.net]
 0.1 DIGEST_MULTIPLE        Message hits more than one network digest check
 1.7 SARE_SPEC_ROLEX        Rolex watch spam
 2.3 SARE_SPEC_ROLEX_REP    Rolex Replic




debug: SpamAssassin version 3.0.4
debug: Score set 0 chosen.
debug: running in taint mode? no
debug: diag: module not installed: DBI ('require' failed)
debug: diag: module installed: DB_File, version 1.811
debug: diag: module installed: Digest::SHA1, version 2.10
debug: diag: module installed: IO::Socket::UNIX, version 1.21
debug: diag: module installed: MIME::Base64, version 3.05
debug: diag: module installed: Net::DNS, version 0.49
debug: diag: module installed: Net::LDAP, version 0.33
debug: diag: module installed: Razor2::Client::Agent, version 2.77
debug: diag: module installed: Storable, version 2.13
debug: diag: module installed: URI, version 1.35
debug: ignore: using a test message to lint rules
debug: using /etc/mail/spamassassin/init.pre for site rules init.pre
debug: config: read file /etc/mail/spamassassin/init.pre
debug: using /usr/share/spamassassin for default rules dir
debug: config: read file /usr/share/spamassassin/10_misc.cf
debug: config: read file /usr/share/spamassassin/11_gentoo.cf
debug: config: read file /usr/share/spamassassin/20_anti_ratware.cf
debug: config: read file /usr/share/spamassassin/20_body_tests.cf
debug: config: read file /usr/share/spamassassin/20_compensate.cf
debug: config: read file /usr/share/spamassassin/20_dnsbl_tests.cf
debug: config: read file /usr/share/spamassassin/20_drugs.cf
debug: config: read file /usr/share/spamassassin/20_fake_helo_tests.cf
debug: config: read file /usr/share/spamassassin/20_head_tests.cf
debug: config: read file /usr/share/spamassassin/20_html_tests.cf
debug: config: read file /usr/share/spamassassin/20_meta_tests.cf
debug: config: read file /usr/share/spamassassin/20_phrases.cf
debug: config: read file /usr/share/spamassassin/20_porn.cf
debug: config: read file /usr/share/spamassassin/20_ratware.cf
debug: config: read file /usr/share/spamassassin/20_uri_tests.cf
debug: config: read file /usr/share/spamassassin/23_bayes.cf
debug: config: read file /usr/share/spamassassin/25_body_tests_es.cf
debug: config: read file /usr/share/spamassassin/25_hashcash.cf
debug: config: read file /usr/share/spamassassin/25_spf.cf
debug: config: read file /usr/share/spamassassin/25_uribl.cf
debug: 

RE: Very simple user query...

2005-09-12 Thread Martin Hepworth
Steve

Ok looks good. If you can drop an example of a spam that 'gets through' to a
web page somewhere, I can run it over my system and see what happens.

I've got loads of extra rules (most of rulesemporium.com etc etc) so we'll
see what hits...

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300



Re: Very simple user query...

2005-09-12 Thread Steve [Spamassasin]

Martin Hepworth wrote:


Steve

Ok looks good. If you can drop an example of a spam that 'gets through' to a
web page somewhere, I can run it over my system and see what happens.

I've got loads of extra rules (most of rulesemporium.com etc etc so we'll
see what hits...



I should have read your suggestion more carefully - I tried mailing a 
zip file as an attachment - which seems to have been eaten.


   http://www.shic.dynalias.net/spam.zip

Contains two spams...  The eaten message would have said:

--
I suspect that the rulesemporium rules are what I refer to as Gentoo's 
rulesdujour - though I can't be sure that my automated script picks 
the same rules as you have.


I've attached a zip file containing two spams (sensitive details removed 
with '#' characters... this shouldn't confuse spamassassin) These two 
spams are typical of what's annoying me... Both these examples have 
DATE_IN_PAST_12_24, but this is not the case for all of what is slipping 
past.

--





RE: blocked from rulesemporium.com

2005-09-12 Thread Dallas L. Engelken

We have addressed the stale NS today.  And yes, ns4 should be active, it
was just looking to the wrong master for a zone axfr.

Thanks,
Dallas


RE: Very simple user query...

2005-09-12 Thread Martin Hepworth
Steve

OK looks like these are both uk.geocities.com abuse spam.

If you look at the archive you'll find some extra rulesets for these little
blighters (and their variants).

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300




New install

2005-09-12 Thread Mike Beal
I just moved SA outside the firewall. Spam filtering is working much
better, but I'm not sure how to proceed on feeding missed spam back into
bayes. By the time it gets to my mailbox, it's gone through the
firewall, the virus scanner, and the email server; each leaving a large
or small fingerprint on the email. Any recommendations on how to start
populating a new bayes db with this setup? I'm assuming I don't want to
use the email in my mailbox, as it's been tainted by the intermediate
in-house stops.

Details:
Internet -> outside box (containing greylist, SA, pyzor, and dcc) ->
firewall -> virus scanner -> email server -> mailbox
SA 3.04

Thanks


Re: Very simple user query...

2005-09-12 Thread Steve [Spamassasin]

Martin Hepworth wrote:


Steve

OK looks like these are both uk.geocities.com abuse spam.

If you look at the archive you'll find some extra rulesets for these little
blighters (and their variants).
 

Genius answer! For some reason it had completely escaped my notice that 
all of the spams missed by SA over the past month had a uk.geocities.com 
address!  I've opted for a score of 4 for any mail mentioning a 
uk.geocities.com URL - which is hopefully good enough to avoid this kind 
of problem without too great a risk of losing a mail that happens to 
reference a homepage on uk.geocities.com in an innocent way.


What still surprises me is that DCC/Razor/Pyzor don't pick these up... 
I'd still like to know what would be the easiest way to report these 
spams in order that in future they might be caught without falling back 
on a vicious static check for any mail referencing a URL at a free provider.


Thanks,
Steve
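Steve's "score of 4 for any mail mentioning a uk.geocities.com URL", as an added example (not the rule he wrote, nor SpamAssassin code): the host match is written so that only uk.geocities.com and its subdomains count, and the hit is then combined with the rest of the rule hits against the default 5.0 threshold. The rule name LOCAL_URI_UK_GEOCITIES, the sample bodies and the other-hit scores are constructed; BAYES_99's 3.5 is the score shown earlier in the thread.

```python
import re
from urllib.parse import urlsplit

REQUIRED_SCORE = 5.0  # SpamAssassin's default threshold, which Steve kept
# Assumed local rule: Steve's "score of 4 for any mail mentioning a uk.geocities.com URL".
LOCAL_URI_RULES = {"uk.geocities.com": ("LOCAL_URI_UK_GEOCITIES", 4.0)}

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"')]+", re.IGNORECASE)


def hosts_in(body):
    """Hostnames of the URLs in a message body (scheme-less 'www.' links included)."""
    hosts = set()
    for match in URL_RE.finditer(body):
        url = match.group(0)
        if not url.lower().startswith("http"):
            url = "http://" + url
        try:
            host = urlsplit(url).hostname
        except ValueError:          # e.g. a malformed IPv6 literal
            continue
        if host:
            hosts.add(host.rstrip("."))
    return hosts


def host_matches(host, domain):
    """The domain itself or a subdomain of it; look-alikes such as
    uk.geocities.com.example.net or notuk.geocities.com do not count."""
    return host == domain or host.endswith("." + domain)


def uri_rule_hits(body):
    """Rule name -> score for every local URI rule some URL in the body satisfies."""
    hits = {}
    for host in hosts_in(body):
        for domain, (rule, score) in LOCAL_URI_RULES.items():
            if host_matches(host, domain):
                hits[rule] = score  # a rule scores once, however many URLs match
    return hits


def classify(body, other_hits):
    """Combine the URI hits with the hits the rest of the rule set produced.
    Returns (total, is_spam, hits)."""
    hits = dict(other_hits)
    hits.update(uri_rule_hits(body))
    total = round(sum(hits.values()), 1)
    return total, total >= REQUIRED_SCORE, hits


# Constructed sample bodies; BAYES_99's 3.5 is the score shown earlier in the thread.
MISSED_SPAM = "Replica watches, best prices: http://uk.geocities.com/wtch#####/ order today"
HOMEPAGE = "Photos from the trip are at http://uk.geocities.com/alice_holidays/ - enjoy!"
LOOKALIKE = "Special offer: http://uk.geocities.com.example.net/promo and www.notuk.geocities.com"

if __name__ == "__main__":
    print(classify(MISSED_SPAM, {"BAYES_99": 3.5}))  # the case that used to slip through
    print(classify(HOMEPAGE, {}))                    # an innocent reference stays below 5.0
    print(classify(LOOKALIKE, {"BAYES_99": 3.5}))    # look-alike hosts do not match
```

In SpamAssassin the equivalent is a `uri` rule with a `score` line of 4.0. Anchoring the match to the host boundary matters: a plain substring test would also fire on look-alike hosts such as uk.geocities.com.example.net, which are neither the free-hosting pages Steve is after nor the innocent homepages he wants to spare, and the 4.0 on its own stays under the threshold, so an innocent reference is only classified as spam when other rules add to it.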



RE: Very simple user query...

2005-09-12 Thread Martin Hepworth
Steve

Well if this worked.

http://www.sciam.com/article.cfm?articleID=000593AE-704B-1151-B57F83414B7F0000

we could make sure we hit the spammers really hard ;-)

of course those unfortunates who also live in Baton Raton (or wherever
Ralski and his cohorts are hiding this week) would be in trouble for
harboring these people as well ;-(

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-Original Message-
From: Steve [Spamassasin] [mailto:[EMAIL PROTECTED] 
Sent: 12 September 2005 17:08
To: users@spamassassin.apache.org
Cc: Martin Hepworth
Subject: Re: Very simple user query...

Martin Hepworth wrote:

Steve

OK looks like these are both uk.geocities.com abuse spam.

If you look at the archive you'll find some extra rulesets for these little
blighters (and their variants).
  

Genius answer! For some reason it had completely escaped my notice that 
all of the spams missed by SA over the past month had a uk.geocities.com 
address!  I've opted for a score of 4 for any mail mentioning a 
uk.geocities.com URL - which is hopefully good enough to avoid this kind 
of problem without too great a risk of losing a mail that happens to 
reference a homepage on uk.geocities.com in an innocent way.

What still surprises me is that DCC/Razor/Pyzor don't pick these up... 
I'd still like to know what would be the easiest way to report these 
spams in order that in future they might be caught without falling back 
on a vicious static check for any mail referencing a URL at a free provider.

Thanks,
Steve



**

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.   

**



Re: Very simple user query...

2005-09-12 Thread Steve [Spamassasin]

Martin Hepworth wrote:


Well if this worked. we could make sure we hit the spammers really hard 
;-)
 

While I see eliminating spammers as being one of the better 
justifications for environmental warfare, it isn't sufficiently reliable 
to get my vote.



of course those unfortunates who also live in Baton Raton (or wherever Ralski 
and his cohorts are hiding this week) would be in trouble for harboring these 
people as well ;-(
 

To a large extent (I'm sad to say) I believe that spam is the fault of 
the IT industry who have utterly failed to provide a usable PKI for the 
masses.  If ISPs required to register a certificate for every user's 
email address (at minimal cost - just like is now the case for domain 
names) then spam could become a thing of the past pretty quickly; and 
all email could be sent securely into the bargain.  Well - I can dream 
too - can't I?






Re: Very simple user query...

2005-09-12 Thread Fred
You have a permissions problem, plus you are running duplicate rules..
Remove the tripwire.cf file as you are using a newer version called
99_FVGT_Tripwire.cf
That file was updated months ago with a new name, now it's called
88_FVGT_Tripwire.cf I'm not sure why we changed that but we had good
reasons...

But check your debug output, it says permission denied while trying to read
a number of your add-on rules.. this might be part of the reason you are not
getting results like before...

Frederic Tarasevicius


Steve [Spamassasin] wrote:
 debug: using /etc/mail/spamassassin for site rules dir
 debug: config: read file /etc/mail/spamassassin/70_sare_adult.cf
 cannot open /etc/mail/spamassassin/70_sare_bayes_poison_nxm.cf:
 Permission denied
 cannot open /etc/mail/spamassassin/70_sare_genlsubj.cf: Permission
 denied
 cannot open /etc/mail/spamassassin/70_sare_genlsubj0.cf:
 Permission denied
 debug: config: read file /etc/mail/spamassassin/70_sare_genlsubj1.cf
 debug: config: read file /etc/mail/spamassassin/70_sare_genlsubj2.cf
 debug: config: read file /etc/mail/spamassassin/70_sare_genlsubj3.cf
 cannot open /etc/mail/spamassassin/70_sare_genlsubj_eng.cf:
 Permission denied
 cannot open /etc/mail/spamassassin/70_sare_header.cf: Permission
 denied
 cannot open /etc/mail/spamassassin/70_sare_header0.cf: Permission
 denied
 debug: config: read file /etc/mail/spamassassin/70_sare_header1.cf
 debug: config: read file /etc/mail/spamassassin/70_sare_header2.cf
 debug: config: read file /etc/mail/spamassassin/70_sare_header3.cf
 cannot open /etc/mail/spamassassin/70_sare_header_eng.cf:
 Permission denied
 cannot open /etc/mail/spamassassin/70_sare_highrisk.cf: Permission
 denied
 cannot open /etc/mail/spamassassin/70_sare_html0.cf: Permission
 denied
 debug: config: read file /etc/mail/spamassassin/70_sare_html1.cf
 debug: config: read file /etc/mail/spamassassin/70_sare_html2.cf
 debug: config: read file /etc/mail/spamassassin/70_sare_html3.cf
 debug: config: read file /etc/mail/spamassassin/70_sare_html4.cf
 cannot open /etc/mail/spamassassin/70_sare_html_eng.cf: Permission
 denied
 cannot open /etc/mail/spamassassin/70_sare_oem.cf: Permission
 denied
 cannot open /etc/mail/spamassassin/70_sare_random.cf: Permission
 denied
 cannot open /etc/mail/spamassassin/70_sare_ratware.cf: Permission
 denied
 cannot open /etc/mail/spamassassin/70_sare_specific.cf: Permission
 denied
 cannot open /etc/mail/spamassassin/70_sare_spoof.cf: Permission
 denied
 debug: config: read file /etc/mail/spamassassin/70_sare_unsub.cf
 cannot open /etc/mail/spamassassin/70_sare_uri.cf: Permission
 denied
 debug: config: read file
 /etc/mail/spamassassin/72_sare_bml_post25x.cf
 cannot open /etc/mail/spamassassin/72_sare_redirect_post3.0.0.cf:
 Permission denied
 debug: config: read file /etc/mail/spamassassin/99_FVGT_Tripwire.cf
 debug: config: read file
 /etc/mail/spamassassin/99_sare_fraud_post25x.cf
 debug: config: read file /etc/mail/spamassassin/antidrug.cf
 debug: config: read file
 /etc/mail/spamassassin/bogus-virus-warnings.cf
 cannot open /etc/mail/spamassassin/evilnumbers.cf: Permission
 denied
 debug: config: read file /etc/mail/spamassassin/local.cf
 debug: config: read file /etc/mail/spamassassin/random.cf
 debug: config: read file /etc/mail/spamassassin/random.current.cf
 cannot open /etc/mail/spamassassin/tripwire.cf: Permission denied
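The debug output quoted above mixes successfully loaded rule files with "Permission denied" lines, and Fred's two findings (unreadable add-on rules, and the same ruleset installed twice under an old and a new file name) are easy to miss by eye in a long listing. The following is an added Python example, not code from the thread or from SpamAssassin, that parses a constructed sample of that output and reports both conditions; the sample lines are modelled on the quoted debug output and abbreviated, and the duplicate heuristic (a file name that is another file's name with a load-order prefix and vendor tag in front, e.g. tripwire.cf vs 99_FVGT_Tripwire.cf) is an assumption made for this example.

```python
import re

# Constructed sample, modelled on the quoted `spamassassin -D --lint`
# output in the thread above (abbreviated; not the real full listing).
SAMPLE_DEBUG = """\
debug: using /etc/mail/spamassassin for site rules dir
debug: config: read file /etc/mail/spamassassin/70_sare_adult.cf
cannot open /etc/mail/spamassassin/70_sare_bayes_poison_nxm.cf: Permission denied
cannot open /etc/mail/spamassassin/70_sare_genlsubj.cf: Permission denied
debug: config: read file /etc/mail/spamassassin/70_sare_genlsubj1.cf
debug: config: read file /etc/mail/spamassassin/99_FVGT_Tripwire.cf
debug: config: read file /etc/mail/spamassassin/local.cf
cannot open /etc/mail/spamassassin/tripwire.cf: Permission denied
"""

READ_RE = re.compile(r"^debug: config: read file (\S+)$")
DENIED_RE = re.compile(r"^cannot open (\S+): Permission denied$")


def parse_debug(text):
    """Split debug output into (files read, files refused for permissions)."""
    read, denied = [], []
    for line in text.splitlines():
        m = READ_RE.match(line)
        if m:
            read.append(m.group(1))
            continue
        m = DENIED_RE.match(line)
        if m:
            denied.append(m.group(1))
    return read, denied


def _stripped_name(path):
    # Drop the directory and the numeric load-order prefix ("99_"), lower-case
    # the rest, so only the descriptive part of the file name is compared.
    name = path.rsplit("/", 1)[-1]
    return re.sub(r"^\d+_", "", name).lower()


def find_duplicate_rulesets(paths):
    """Return (old_name, new_name) pairs that look like one ruleset installed
    twice: the newer file name ends with "_" + the older file name.
    Heuristic assumed for this example, not a SpamAssassin feature."""
    stripped = {p: _stripped_name(p) for p in paths}
    dups = []
    for old in paths:
        for new in paths:
            if old != new and stripped[new].endswith("_" + stripped[old]):
                dups.append((old, new))
    return sorted(dups)


def summarise(text):
    """One-shot report: counts plus suspected duplicate rule files."""
    read, denied = parse_debug(text)
    return {
        "read": len(read),
        "denied": len(denied),
        "denied_files": denied,
        "duplicates": find_duplicate_rulesets(read + denied),
    }


if __name__ == "__main__":
    report = summarise(SAMPLE_DEBUG)
    print(f"{report['read']} rule files read, {report['denied']} unreadable")
    for path in report["denied_files"]:
        print("  unreadable:", path)
    for old, new in report["duplicates"]:
        print(f"  duplicate ruleset: {old} superseded by {new}")
```

Every path the report lists as unreadable should be checked with `ls -l` against the user spamd or spamassassin actually runs as; a file readable only by root will produce exactly these "Permission denied" lines when the scanner runs unprivileged.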



bellsouth hotmail servers

2005-09-12 Thread Rob McEwen
Forgive me if my questions were already answered in the previous hotmail
server discussion... but I'm finding that the IP addresses of many legit
sending mail servers for both hotmail and bellsouth are now listed on many
RBLs.

Is there a place where I can either:

(1) get a listing of the IP blocks for various legit ISP's mail servers

...OR...

(2) run a DNSBL query against where a match will be returned in those cases
where the server is a known source of legit mail or a known legit ISP
server? (kind of the opposite of what RBLs do, if you will). For example, I
know that pub.mxrate.net will return 03 for good servers. I'm looking
for any other similar type of good DNS-based list.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: More unintentional spam humor/irony

2005-09-12 Thread Matt Kettler
Thomas Cameron wrote:

 I dunno, I thought the mention of the Army Corps of Engineers and
 pumping in the same message as a lose weight message was pretty funny
 as well...

Hmm.. Mil-spec liposuction? Ouch.


RE: bellsouth hotmail servers

2005-09-12 Thread Greg Allen
You will find that not all RBLS are built the same. Most are owned by
individuals who create the RBL to suit their own needs. Those needs may not
be the same as your needs.

If you want to be safe with rejections on your front end before it hits
SpamAssassin (Postfix front end, etc.), stick with RBLS that have very very
few false positives.

When you see spam come into your email, check the connecting IP against this
list.

http://www.dnsstuff.com/tools/ip4r.ch?ip=192.168.1.1

Over time you will see which ones have almost no false positives, and which
ones make a lot of mistakes.

You can assign points in SA to the ones that are not as accurate. This can
be useful to help tag marginal spam that is not getting tagged correctly.

For instance, if you have 5 RBLs being called in SA that are about 75%
accurate which you assigned .5 points to, you have given an extra 2.5 points
to the spam score which may be enough to push it up to 5 points and tag it
appropriately as spam.

In general, the more lists an IP address is on, the more likely it is spam
(with the exception of a few RBLS that have black holed just about the
entire Internet, i.e. BLARSBL). So using multiple RBLs at lower scores
inside of SA is useful, even if the RBLs are not as accurate as you may
like. Just don't give them large point values if they are not very accurate.

Now, with all that said, I am sure you will probably get 10 other opinions
to the contrary. :-)






 -Original Message-
 From: Rob McEwen [mailto:[EMAIL PROTECTED]
 Sent: Monday, September 12, 2005 4:44 PM
 To: users@spamassassin.apache.org
 Subject: bellsouth  hotmail servers


 Forgive me if my questions were already answered in the previous hotmail
 server discussion... but I'm finding that the IP addresses of many legit
 sending mail servers for both hotmail and bellsouth are now listed on many
 RBLs.

 Is there a place where I can either:

 (1) get a listing of the IP blocks for various legit ISP's mail servers

 ...OR...

 (2) run a DNSBL query against where a match will be returned in
 those cases
 where the server is a known source of legit mail or a known legit ISP
 server? (kind of the opposite of what RBLs do, if you will). For
 example, I
 know that pub.mxrate.net will return 03 for good servers. I'm looking
 for any other similar type of good DNS-based list.

 Rob McEwen
 PowerView Systems
 [EMAIL PROTECTED]
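Greg's point above is about arithmetic: several low-accuracy lists each scored at 0.5 add up, so a message that is already marginal tips over the 5-point threshold, while no single noisy list can block a message on its own. The following is an added Python example, not code from the thread or from SpamAssassin, that models that scoring: it builds the reversed-octet DNSBL query name, looks each zone up against a constructed in-memory stand-in for DNS (FAKE_DNS, so it runs offline; real lists answer with 127.0.0.x addresses, but which IPs are listed here is invented), sums per-list weights, and exempts an assumed whitelist of known-good outbound MTAs (RFC 5737 documentation addresses stand in for real ISP ranges). The zone names are the ones named later in this thread; their weights and the "noisy" example zones are assumptions made for this example.

```python
import ipaddress

# Per-list weights: lists with near-zero false positives carry most of the
# weight, noisier lists only nudge the score. Weights are constructed for
# this example, not SpamAssassin's default scores.
RBL_WEIGHTS = {
    "cbl.abuseat.org": 3.0,
    "sbl-xbl.spamhaus.org": 3.5,
    "list.dsbl.org": 2.5,
    "noisy-one.example": 0.5,   # hypothetical low-accuracy list
    "noisy-two.example": 0.5,   # hypothetical low-accuracy list
}
SPAM_THRESHOLD = 5.0

# Assumed known-good outbound MTAs exempted from DNSBL scoring
# (the whitelisting approach discussed in the thread).
SENDER_WHITELIST = [ipaddress.ip_network("198.51.100.0/28")]


def rbl_query_name(ip, zone):
    """DNSBL lookup name: the IPv4 octets reversed, then the zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


# Constructed stand-in for DNS: a name that is present here "resolves",
# meaning the IP is listed by that zone. Real zones are not consulted.
FAKE_DNS = {
    rbl_query_name("192.0.2.10", "cbl.abuseat.org"): "127.0.0.2",
    rbl_query_name("192.0.2.10", "noisy-one.example"): "127.0.0.2",
    rbl_query_name("192.0.2.20", "noisy-one.example"): "127.0.0.2",
    rbl_query_name("192.0.2.20", "noisy-two.example"): "127.0.0.2",
    rbl_query_name("198.51.100.5", "noisy-one.example"): "127.0.0.2",
    rbl_query_name("198.51.100.5", "noisy-two.example"): "127.0.0.2",
}


def lookup(name, resolver=FAKE_DNS):
    """Return the answer address for a DNSBL name, or None if not listed."""
    return resolver.get(name)


def is_whitelisted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SENDER_WHITELIST)


def rbl_score(ip, weights=RBL_WEIGHTS, resolver=FAKE_DNS):
    """Return (total_points, [(zone, weight), ...]) for a connecting IP.
    Whitelisted senders are never queried and score zero."""
    if is_whitelisted(ip):
        return 0.0, []
    hits = [(zone, w) for zone, w in weights.items()
            if lookup(rbl_query_name(ip, zone), resolver) is not None]
    return sum(w for _, w in hits), hits


def is_spam(ip, base_score=0.0):
    """Combine the points from the other rules (base_score) with RBL points."""
    total, _ = rbl_score(ip)
    return base_score + total >= SPAM_THRESHOLD


if __name__ == "__main__":
    for ip, base in [("192.0.2.10", 1.0), ("192.0.2.20", 4.2),
                     ("192.0.2.20", 1.0), ("198.51.100.5", 4.9)]:
        points, hits = rbl_score(ip)
        print(f"{ip}: base {base} + rbl {points} -> spam={is_spam(ip, base)} {hits}")
```

In SpamAssassin itself the per-list weight is the `score` line attached to each RCVD_IN_* rule, so the same tuning is done by lowering those scores for the lists you have measured to be noisy rather than by removing the lists; the example keeps the two steps (query, then weighted sum) separate so the arithmetic is visible.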






RE: bellsouth hotmail servers

2005-09-12 Thread Rob McEwen
Greg,

Thanks for the good advice. Actually, I've already done EXACTLY what you've
suggested. It is so ironic... almost like you've read my mind! No kidding. I
spent weeks evaluating IPs at DNSSTuff.com's list so that I could gauge for
myself exactly which lists to use and what values to place on them. You can
even find some questions and requests I've posted at the DNSSTuff.com forum
recently.

But I'm simply finding that some bellsouth and hotmail SMTP IP addresses are
so dirty that they stand out separate from regular non-spammy IPs to the
extent that re-weighing the values placed on these RBLs enough to get these
bellsouth and hotmail SMTP IPs to naturally appear not to trigger a block
would then significantly reduce the value that these RBLs provide in
catching real spam... I don't want to go that far.

For now, I may have to just whitelist at my DNS caching server on a
case-by-case basis as these things come up... but I'm still hoping to find a
good list of frequently used official DNS server for large established ISPs
(either in list form or as a DNS list)

--Rob McEwen



RE: bellsouth hotmail servers

2005-09-12 Thread Greg Allen

 But I'm simply finding that some bellsouth and hotmail SMTP IP
 addresses are
 so dirty that they stand out separate from regular non-spammy IPs to the


Hotmail is one of the three largest email providers in the United States, if
not the world. That being Hotmail, Yahoo, AOL. Now, there has always been a
few RBLs (which will remain nameless) that have had a bug up their butt
about large ISPs, period. The RBL owners just don't like them for multiple
reasons. One reason they like to use is called multi-hop open relays.

In reality, (from what I have seen) this usually means that an ISP user or
company uses the smarthost of the ISP to deliver their email. Some RBL
owners simply seem to despise that configuration because they can not pin
the spam down to a certain user. So the ISP's outgoing email servers get
listed. There are multiple other reasons large ISPs get listed, but you get
the idea.

Now, even if Hotmail was breaking every rule ever invented as far as spam
goes (and they are not) you, as a provider (if you are a provider), must let
their email through because they are one of the big three.

That being known, why would any RBL blacklist them knowing that their email
is one of the big three that you just can't block unless they had political,
or other reasons, for doing so? I can tell you that Hotmail and most very
large providers don't give a hoot about most RBLs. They know you will have
to whitelist them sooner or later.



 extent that re-weighing the values placed on these RBLs enough to
 get these
 bellsouth and hotmail SMTP IPs to naturally appear not to trigger a block
 would then significantly reduce the value that these RBLs provide in



I would suggest that you are probably still using the wrong RBLs or you are
giving way too much point values to poor RBLs (that you are using in SA for
scoring) as I mentioned in my last email.



 catching real spam... I don't want to go that far.




You can not expect RBLs to be the make or break of deciding what is spam
inside of SA. That is why they made SpamAssassin. The developers realized,
you can't count on just one thing. You can find a few good RBLs that can be
used at the front end before SA to do outright rejections, but these RBLs
are few and far between. Some SA purists might not even do the RBL rejects
at all in front of SA. I do this to save bandwidth and CPU.




 For now, I may have to just whitelist at my DNS caching server on a
 case-by-case basis as these things come up... but I'm still
 hoping to find a
 good list of frequently used official DNS server for large



I assume you mean you are looking for outgoing IP addresses of large ISPs and
not their DNS servers? Anyway, this would probably be a waste of time IMO,
because if the RBLs you are using make mistakes that you can see with large
ISPs, then what about the smaller websites and ISPs that you don't even know
about? Their false positives will be across the board. Compensating as you
suggest, gives weight to well known providers (if you were able to find all
their sending IPs)

If you are looking for an RBL list of providers you might find something
here:
http://216.109.125.130/search/cache?p=blackholes.ustoggle=1ei=UTF-8u=public.murl.com/redir%3Fm1000dd03e96e6c6f31md=dHUWw8p5LWZNicp=1.intl=us

How you would use them for whitelisting instead of blacklisting, I do not
know. Maybe someone else can help you with that, if that is what you are
looking for.




 established ISPs
 (either in list form or as a DNS list)

 --Rob McEwen




Here are a few rock solid RBLs with extremely low false positives that you
can probably use on your front end IMO. I use more, but this should get you
started if you are looking for better RBLs.

cbl.abuseat.org,
sbl-xbl.spamhaus.org,
list.dsbl.org


Good luck.





RE: bellsouth hotmail servers

2005-09-12 Thread Rob McEwen
Greg,

You made some good points... maybe I AM weighing some of these too much??

But, for the record, I do use multiple types of filtering and I weigh in
RBLs as one of many factors. And even these blocked legit messages I
referred to were just barely blocked on my server and, therefore, hit my
audit pile.

What I'm doing now is going to senderbase.org and finding the most prolific
sending server IPs for these major ISPs and then manually whitelisting them
in my DNS server for the various RBLs that I use. I think that this will do
the job.

What about the smaller ISPs that I don't whitelist, you ask? Well, as I
said, these were just barely being blocked by my server in the 1st place and
they were going into an audit pile. Therefore, I'll catch the smaller ISPs
as they come... I'm just trying to make such a FP so extremely rare that I
then don't have to deal with them very often. (I think, also, that some of
the smaller ISPs are not a large enough source of spam to get onto as many
of these RBLs, in many cases.)

But, as you suggested, I'll rethink the weights I've assigned to each RBL.

I should also note that it is my goal to whitelist the actual official SMTP
server for the major ISPs... but it is NOT my goal to whitelist dynamic IPs
assigned by the ISPs to the individual computers using that service... a
very important distinction.

--Rob McEwen