Re: trusted_networks?

2005-10-25 Thread Daryl C. W. O'Shea

Cami wrote:

Daryl C. W. O'Shea wrote:


Cami wrote:


Matt Kettler wrote:


Cami wrote:


I'm not treating them as such. All I'm trying to do is stop
RBL checks happening for the 196.0.0.0/8 network.




trusted_networks  196.0.0.0/8 165.165.0.0/16 165.146.0.0/16
internal_networks 196.2.50.0/24

I have done so, yet I still fail to see how the behavior mimics that
of SA 2.64, both hosts in my trusted_networks and internal_network
still get checked against RBLs.



Perhaps you'd consider sharing a copy of the received headers from an 
affected message so that we can do more than guess.




Received: from anemone.mweb.co.za (localhost.localdomain [127.0.0.1])
by pwfilter01.mweb.co.za (Postfix) with ESMTP id 9F1982039F
for <[EMAIL PROTECTED]>; Wed, 26 Oct 2005 05:12:28 +0200 (SAST)


You failed to trust 127.0.0.1.

Daryl
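
The check Daryl's reply describes can be reproduced offline. The following is an added example, not part of the original thread and not SpamAssassin's own code: a simplified model that assumes the trust walk starts at the newest Received header and stops at the first relay whose address is not in trusted_networks. The function names are hypothetical and the relay lines are abridged from the headers posted in the thread.

```python
import ipaddress
import re

# Relay lines abridged from the Received headers posted in this thread,
# newest (top of the message) first.
RECEIVED = [
    "from anemone.mweb.co.za (anemone.mweb.co.za [196.2.50.73]) by postwall08.mweb.co.za (Postfix)",
    "from anemone.mweb.co.za (localhost.localdomain [127.0.0.1]) by pwfilter01.mweb.co.za (Postfix)",
    "from anemone.mweb.co.za (localhost.localdomain [127.0.0.1]) by anemone.mweb.co.za (nod32smtp)",
    "from cpt-mailhost3.mweb.co.za (cpt-mailhost3.mweb.co.za [196.2.42.199]) by anemone.mweb.co.za (Postfix)",
    "from postwall01.mweb.co.za (postwall01.mweb.co.za [196.2.42.21]) by cpt-mailhost3.mweb.co.za (Postfix)",
    "from viruswall02.mweb.co.za (viruswall02.mweb.co.za [196.2.50.228]) by pwfilter01.mweb.co.za (Postfix)",
    "from postwall03.mweb.co.za ([127.0.0.1]) by viruswall02.mweb.co.za ([196.2.50.228])",
    "from postwall03.mweb.co.za (postwall03.mweb.co.za [196.2.42.23]) by viruswall02.mweb.co.za (nod32smtp)",
    "from n1.primary.taps-nodes.co.za (mx1.taps-nodes.co.za [196.30.81.82]) by postwall03.mweb.co.za (Postfix)",
    "from n1.primary.taps-nodes.co.za (localhost [127.0.0.1]) by n1.primary.taps-nodes.co.za (8.12.9-20030917/8.12.9)",
]

# trusted_networks exactly as posted in the thread.
POSTED_TRUSTED = ["196.0.0.0/8", "165.165.0.0/16", "165.146.0.0/16"]

_IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received_line):
    """Return the connecting relay's IP from the 'from' clause, or None."""
    from_clause = received_line.split(" by ", 1)[0]
    match = _IP_IN_BRACKETS.search(from_clause)
    return ipaddress.ip_address(match.group(1)) if match else None


def split_relays(received, trusted_networks):
    """Walk the headers newest-first and split them at the trust boundary.

    A relay stays on the trusted side only while every relay above it was
    trusted too; the first unlisted address ends the trusted path.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    chain_intact = True
    for line in received:
        ip = relay_ip(line)
        listed = ip is not None and any(ip in net for net in nets)
        if chain_intact and listed:
            trusted.append(str(ip))
        else:
            chain_intact = False
            untrusted.append(str(ip) if ip else "unknown")
    return trusted, untrusted


if __name__ == "__main__":
    for label, nets in (("as posted", POSTED_TRUSTED),
                        ("with 127.0.0.1", POSTED_TRUSTED + ["127.0.0.1"])):
        trusted, untrusted = split_relays(RECEIVED, nets)
        print(label, "trusted:", trusted)
        print(label, "untrusted:", untrusted)
```

With the posted settings the trusted path ends after the first hop, so the 196.2.x.x relays below the localhost hop land on the untrusted side even though 196.0.0.0/8 is listed.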




Re: trusted_networks?

2005-10-25 Thread Cami

Daryl C. W. O'Shea wrote:

Cami wrote:

Matt Kettler wrote:


Cami wrote:


I'm not treating them as such. All I'm trying to do is stop
RBL checks happening for the 196.0.0.0/8 network.



trusted_networks  196.0.0.0/8 165.165.0.0/16 165.146.0.0/16
internal_networks 196.2.50.0/24

I have done so, yet I still fail to see how the behavior mimics that
of SA 2.64, both hosts in my trusted_networks and internal_network
still get checked against RBLs.


Perhaps you'd consider sharing a copy of the received headers from an 
affected message so that we can do more than guess.


Oct 26 05:12:35 spamwall12.mweb.co.za amavis[14802]: (14802-03-59) SPAM, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, Hits=13.345 tag1=3.0 tag2=7.5 kill=7.5, tests=BAYES_99=5.4,DBL_12_LETTER_PGIMG=0.2,HTML_MESSAGE=0.001,MANGLED_FORM=2.3,MANGLED_HOME=2.3,MANGLED_MARKET=2.3,MANGLED_MEN=2.3,MANGLED_SHOP=2.3,MANGLED_YOUR=2.3,RCVD_IN_NJABL_DUL=1.946,RCVD_WHITELIST02=-8,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001, [196.2.50.73], quarantine: FktQCBUUnfFa


X-Envelope-From: <[EMAIL PROTECTED]>
X-Envelope-To: <[EMAIL PROTECTED]>
X-Quarantine-Id: 
Received: from anemone.mweb.co.za (anemone.mweb.co.za [196.2.50.73])
by postwall08.mweb.co.za (Postfix) with ESMTP id 6BADE48
for <[EMAIL PROTECTED]>; Wed, 26 Oct 2005 05:12:31 +0200 (SAST)
Received: from anemone.mweb.co.za (localhost.localdomain [127.0.0.1])
by pwfilter01.mweb.co.za (Postfix) with ESMTP id 9F1982039F
for <[EMAIL PROTECTED]>; Wed, 26 Oct 2005 05:12:28 +0200 (SAST)
Received: from anemone.mweb.co.za (localhost.localdomain [127.0.0.1])
by anemone.mweb.co.za (nod32smtp); Wed, 26 Oct 2005 05:12:28 +0200
Received: from cpt-mailhost3.mweb.co.za (cpt-mailhost3.mweb.co.za 
[196.2.42.199])
by anemone.mweb.co.za (Postfix) with ESMTP id 8785E2039A
for <[EMAIL PROTECTED]>; Wed, 26 Oct 2005 05:12:28 +0200 (SAST)
Received: from postwall01.mweb.co.za (postwall01.mweb.co.za [196.2.42.21])
by cpt-mailhost3.mweb.co.za (Postfix) with ESMTP id 7BB09C631DB
for <[EMAIL PROTECTED]>; Wed, 26 Oct 2005 05:12:28 +0200 (SAST)
Received: from viruswall02.mweb.co.za (viruswall02.mweb.co.za [196.2.50.228])
by pwfilter01.mweb.co.za (Postfix) with SMTP id AB68A4D
for <[EMAIL PROTECTED]>; Wed, 26 Oct 2005 05:12:30 +0200 (SAST)
Received: from postwall03.mweb.co.za ([127.0.0.1])
by viruswall02.mweb.co.za ([196.2.50.228])
with SMTP (gateway) id A05A8C2C3DB; Wed, 26 Oct 2005 05:12:32 +0200
Received: from postwall03.mweb.co.za (postwall03.mweb.co.za [196.2.42.23])
by viruswall02.mweb.co.za (nod32smtp); Wed, 26 Oct 2005 05:12:32 +0200
Received: from n1.primary.taps-nodes.co.za (mx1.taps-nodes.co.za [196.30.81.82])
by postwall03.mweb.co.za (Postfix) with ESMTP id 44FD243
for <[EMAIL PROTECTED]>; Wed, 26 Oct 2005 05:12:30 +0200 (SAST)
Received: from n1.primary.taps-nodes.co.za (localhost [127.0.0.1])
by n1.primary.taps-nodes.co.za (8.12.9-20030917/8.12.9) with ESMTP id 
j9Q3aIhI028055
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
for <[EMAIL PROTECTED]>; Wed, 26 Oct 2005 05:36:18 +0200
Received: (from [EMAIL PROTECTED])
by n1.primary.taps-nodes.co.za (8.12.9-20030917/8.12.9/Submit) id 
j9Q3aIqo028035;
Wed, 26 Oct 2005 05:36:18 +0200
Message-Id: <[EMAIL PROTECTED]>
Content-Type: multipart/alternative; boundary="_--=_1130299387036"
MIME-Version: 1.0
X-Mailer: MIME::Lite 3.01 (F2.72; B3.01; Q3.01)
Date: Wed, 26 Oct 2005 03:36:17 UT
From: Pick `n Pay <[EMAIL PROTECTED]>
Sender: Pick `n Pay <[EMAIL PROTECTED]>
Subject: Pick `n Pay newsletter for Carina Wiggill
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
X-Mailer: TAPS Personalised Emailer
X-Contentsilo: _generic_
X-Usersilo: hs
X-Puid: 9f92e4f4a1a8151388652ad9179dcd5f
X-Nuid: partOfYourLife
X-Senddate: 2005-10-25 19:15
Content-Transfer-Encoding: 7bit
X-Spam-Status: Yes, score=13.345 tag=3 tag2=7.5 kill=7.5 tests=[BAYES_99=5.4,
 DBL_12_LETTER_PGIMG=0.2, HTML_MESSAGE=0.001, MANGLED_FORM=2.3,
 MANGLED_HOME=2.3, MANGLED_MARKET=2.3, MANGLED_MEN=2.3, MANGLED_SHOP=2.3,
 MANGLED_YOUR=2.3, RCVD_IN_NJABL_DUL=1.946, RCVD_WHITELIST02=-8,
 SPF_HELO_PASS=-0.001, SPF_PASS=-0.001]
X-Spam-Score: 13.345
X-Spam-Level: *
X-Spam-Flag: YES


Cami


RE: Sorta OT - was: RE: Out of Office AutoReply

2005-10-25 Thread Kevin W. Gagel
- Original Message -
>I'm trying to work in a broader context - I find OOO
>replies annoying in any situation, not just those I get as
>a result of my (or others) posting to a list. Certainly
>sending OOO or vacation messages to a list is heinous, but
>even those I get from people with whom I correspond
>directly are quite annoying.

I agree, yet they seem to serve a purpose.

>Why don't they just set someone in their organization to
>cover their emails for them? That would seem to be the
>better part of customer service, I would think.

I couldn't agree more with you. Unfortunately the reality of
today is that it is just not going to happen. We ourselves
are a publicly funded institute. Due to government cutbacks
there is never a replacement worker for someone unless the
position demands a human being at the desk.

As for emails, they forward or use automated messages or
hand out their password. Security-wise the forward or
automated message is preferred and giving someone access to
your email is just not recommended.



=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


Re: Sorta OT - was: RE: Out of Office AutoReply

2005-10-25 Thread Gene Heskett
On Tuesday 25 October 2005 18:58, [EMAIL PROTECTED] wrote:
>Kurt Buff wrote:
>> Differentiating between personal accounts and company email systems,
>> how do you all classify OOO messages?
>>
>> For my personal account (on gmail.com) I consider these things spam,
>> and report them to gmail as such.
>>
>> I haven't started to do anything with them at work, but was wondering
>> if there were opinions WRT to this kind of email and how they should
>> be handled.
>
>I think considering them spam is a little strong.
>
>Consider the POV of the email server whose local recipient is OoO.
>
>Ideally I think OoO should be an SMTP extension, reported to the sending
> MTA at RCPT time.
>
>As a practical matter, I think if the received email passes an SPF
> check, there should be no objections to sending an OoO reply.

I don't do SPF's here, and have no intentions of putting up with them.  I
also don't further reply to someone who posts to a mailing list, and then
refuses the replies his question generates.  If he is so fscking
paranoid, then let his question go un-answered, I don't have a quarter to
call anyone who might care.  It's not my problem, but his.
 
And with the kmail sort to trash rule for OoO stuff, it's generally not a
problem until some clueless twit fires up one of them on a busy mailing
list, like lkml, which can exceed 500 messages on some days.  500 OoO
replies going back to the mailing list will usually get the perp banned,
sometimes nicely, sometimes forever, like the twit who fired up a while
true, send mail script against one of the usb support lists yesterday.  I
didn't actually count them, but would guess at over 1000 identical
messages.  Not OoO replies, just duplicate messages. He's gone forever I
think.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.



Re: Sorta OT - was: RE: Out of Office AutoReply

2005-10-25 Thread Gene Heskett
On Tuesday 25 October 2005 18:53, Kurt Buff wrote:
>> - Original Message -
>> From: [EMAIL PROTECTED]
>> To: [EMAIL PROTECTED]
>> Sent: Tuesday, October 25, 2005 5:47 PM
>> Subject: Out of Office AutoReply: *SPAM* Re: Stupid spammer
>> rule
>
>Let's take this one farther afield, shall we?
>
>Differentiating between personal accounts and company email systems, how
> do you all classify OOO messages?
>
>For my personal account (on gmail.com) I consider these things spam, and
>report them to gmail as such.
>
>I haven't started to do anything with them at work, but was wondering if
>there were opinions WRT to this kind of email and how they should be
>handled.
>
>Kurt

I use kmail, and sort them directly to the trash folder.  SA never gets a
chance at them.

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
99.35% setiathome rank, not too shabby for a WV hillbilly
Yahoo.com and AOL/TW attorneys please note, additions to the above
message by Gene Heskett are:
Copyright 2005 by Maurice Eugene Heskett, all rights reserved.



Re: trusted_networks?

2005-10-25 Thread Daryl C. W. O'Shea

Cami wrote:

Matt Kettler wrote:


Cami wrote:


I'm not treating them as such. All I'm trying to do is stop
RBL checks happening for the 196.0.0.0/8 network.



trusted_networks  196.0.0.0/8 165.165.0.0/16 165.146.0.0/16
internal_networks 196.2.50.0/24





I have done so, yet I still fail to see how the behavior mimics that
of SA 2.64, both hosts in my trusted_networks and internal_network
still get checked against RBLs.

Cami


Perhaps you'd consider sharing a copy of the received headers from an 
affected message so that we can do more than guess.


Daryl



RE: Sorta OT - was: RE: Out of Office AutoReply

2005-10-25 Thread Kurt Buff
I'm trying to work in a broader context - I find OOO replies annoying in any
situation, not just those I get as a result of my (or others) posting to a
list. Certainly sending OOO or vacation messages to a list is heinous, but
even those I get from people with whom I correspond directly are quite
annoying.

Why don't they just set someone in their organization to cover their emails
for them? That would seem to be the better part of customer service, I would
think.

Kurt


[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] wrote:
> It should depend on the list rules. If the list rules
> prohibit them then it should be treated as spam.
> 
> If the list rules has nothing in them about these annoying
> little creatures then the list owner should just suspend the
> account.
> 
> - Original Message -
> From: Kurt Buff <[EMAIL PROTECTED]>
> To: 'Fred' <[EMAIL PROTECTED]>,
> users@spamassassin.apache.org
> Subject: Sorta OT - was: RE: Out of Office AutoReply
> Date: Tue, 25 Oct 2005 15:53:28 -0700
> 
> >> - Original Message - 
> >> From: [EMAIL PROTECTED] 
> >> To: [EMAIL PROTECTED] 
> >> Sent: Tuesday, October 25, 2005 5:47 PM
> >> Subject: Out of Office AutoReply: *SPAM* Re:
> >Stupid spammer rule
> >
> >Let's take this one farther afield, shall we?
> >
> >Differentiating between personal accounts and company email
> >systems, how do you all classify OOO messages? 
> >
> >For my personal account (on gmail.com) I consider these
> >things spam, and report them to gmail as such.
> >
> >I haven't started to do anything with them at work, but was
> >wondering if there were opinions WRT to this kind of email
> >and how they should be handled.
> >
> >Kurt
> >
> >
> >  
> >
> 
> =
> Kevin W. Gagel
> Network Administrator
> Information Technology Services
> (250) 562-2131 local 448
> My Blog:
> http://mail.cnc.bc.ca/blogs/gagel
> 
> ---
> The College of New Caledonia, Visit us at http://www.cnc.bc.ca
> Virus scanning is done on all incoming and outgoing email.
> Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
> ---
> 


  



Re: Sorta OT - was: RE: Out of Office AutoReply

2005-10-25 Thread mouss

[EMAIL PROTECTED] wrote:


I think considering them spam is a little strong.
 

While it is not spam, it is undesirable and annoying. More annoying is
the fact that this problem has been known for a long time but people keep
misconfiguring their systems (or reinventing broken vacation programs).


Vacation messages:
- should not be sent to mailing-lists,
- should anyway be sent to the envelope sender (or return-path if 
generated after delivery) not the address retrieved in the From header

- should only be sent when the recipient is in  a To/CC/... header.

See RFC 3834 for more recommendations.

Here, we see two kinds:
- some are sent directly to a poster, because they are sent to the 
address retrieved in the From header. but automatic responses are like 
DSNs, and should thus be sent to the envelope sender, which is generally 
retrieved in the Return-Path (and if not, the MTA should provide it to 
the vacation program).
- some are sent to the list (not to the -owner) which is only found in 
To or CC headers. This is worst.
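
One way to apply the three rules above before a vacation reply is sent, as an added example that is not part of the original message. The function name, addresses and sample messages are constructed; the Auto-Submitted check follows RFC 3834, and the List-* and Precedence checks are assumed here as common ways of recognising list traffic.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Header fields assumed here to mark mailing-list traffic.
LIST_HEADERS = ("List-Id", "List-Post", "List-Unsubscribe")
LIST_PRECEDENCE = ("list", "bulk", "junk")


def vacation_reply_target(raw_message, my_addresses, envelope_sender=None):
    """Return the address a vacation reply may go to, or None for no reply.

    envelope_sender is the SMTP MAIL FROM value when the MTA passes it in;
    when it is None (reply generated after delivery) Return-Path is used.
    The From header is never used as the reply address.
    """
    msg = message_from_string(raw_message)

    # Reply to the envelope sender, like a DSN would.
    if envelope_sender is None:
        envelope_sender = msg.get("Return-Path", "")
    target = parseaddr(envelope_sender)[1]
    if not target:
        return None  # null sender "<>": bounces never get an auto-reply

    # Never answer mailing-list traffic.
    if any(name in msg for name in LIST_HEADERS):
        return None
    if msg.get("Precedence", "").strip().lower() in LIST_PRECEDENCE:
        return None

    # RFC 3834: do not answer other automatic messages (prevents loops).
    auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
    if auto != "no":
        return None

    # Only answer when the recipient is named explicitly in To or Cc.
    named = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    recipients = {addr.lower() for _, addr in named if addr}
    if not recipients & {a.lower() for a in my_addresses}:
        return None

    return target


def _sample(*headers):
    """Build a constructed test message from header lines."""
    return "\n".join(headers) + "\n\nbody text\n"


# Constructed sample messages (not taken from the thread).
ME = {"alice@example.com"}
DIRECT = _sample('From: "Bob" <bob@example.org>', "To: alice@example.com")
LIST_POST = _sample("From: bob@example.org", "To: users@lists.example.net",
                    "List-Id: <users.lists.example.net>", "Precedence: list")
AUTO_REPLY = _sample("From: carol@example.org", "To: alice@example.com",
                     "Auto-Submitted: auto-replied")
NOT_NAMED = _sample("From: bob@example.org", "To: someone-else@example.com")
DELIVERED = _sample("Return-Path: <bob-bounce@example.org>",
                    'From: "Bob" <bob@example.org>', "To: alice@example.com")

if __name__ == "__main__":
    print(vacation_reply_target(DIRECT, ME, "bob-bounce@example.org"))
    print(vacation_reply_target(LIST_POST, ME, "users-return@lists.example.net"))
```

A reply that is sent should itself carry "Auto-Submitted: auto-replied" so that other responders apply the same loop check.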




Re: Where do I change...

2005-10-25 Thread Roland Corrigal
It was a binary program called MPP that is used in conjunction with
scanners to filter email. I found out that the actual binary calls it
up and can't be changed without a recompile... that's as far as I got
so far anyways...


later

On 25-Oct-05, at 4:50 PM, Matt Kettler wrote:


Roland Corrigal wrote:


OK, I found out what was starting it now. Thanks for all your help! I
had to grep all of 'usr' to find it..




Was it Some kind of script in /usr/local/etc/? or was it something weirder than
that? ("Enquiring minds want to know!")





Re: Sorta OT - was: RE: Out of Office AutoReply

2005-10-25 Thread Kevin W. Gagel
It should depend on the list rules. If the list rules
prohibit them then it should be treated as spam.

If the list rules has nothing in them about these annoying
little creatures then the list owner should just suspend the
account.

- Original Message -
From: Kurt Buff <[EMAIL PROTECTED]>
To: 'Fred' <[EMAIL PROTECTED]>,
users@spamassassin.apache.org
Subject: Sorta OT - was: RE: Out of Office AutoReply
Date: Tue, 25 Oct 2005 15:53:28 -0700

>> - Original Message - 
>> From: [EMAIL PROTECTED] 
>> To: [EMAIL PROTECTED] 
>> Sent: Tuesday, October 25, 2005 5:47 PM
>> Subject: Out of Office AutoReply: *SPAM* Re:
>Stupid spammer rule
>
>Let's take this one farther afield, shall we?
>
>Differentiating between personal accounts and company email
>systems, how do you all classify OOO messages? 
>
>For my personal account (on gmail.com) I consider these
>things spam, and report them to gmail as such.
>
>I haven't started to do anything with them at work, but was
>wondering if there were opinions WRT to this kind of email
>and how they should be handled.
>
>Kurt
>
>
>  
>

=
Kevin W. Gagel
Network Administrator
Information Technology Services
(250) 562-2131 local 448
My Blog:
http://mail.cnc.bc.ca/blogs/gagel

---
The College of New Caledonia, Visit us at http://www.cnc.bc.ca
Virus scanning is done on all incoming and outgoing email.
Anti-spam information for CNC can be found at http://avas.cnc.bc.ca
---


RE: Sorta OT - was: RE: Out of Office AutoReply

2005-10-25 Thread Matthew.van.Eerde
Kurt Buff wrote:
> Differentiating between personal accounts and company email systems,
> how do you all classify OOO messages?
> 
> For my personal account (on gmail.com) I consider these things spam,
> and report them to gmail as such.
> 
> I haven't started to do anything with them at work, but was wondering
> if there were opinions WRT to this kind of email and how they should
> be handled.

I think considering them spam is a little strong.

Consider the POV of the email server whose local recipient is OoO.

Ideally I think OoO should be an SMTP extension, reported to the sending MTA at 
RCPT time.

As a practical matter, I think if the received email passes an SPF check, there 
should be no objections to sending an OoO reply.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Sorta OT - was: RE: Out of Office AutoReply

2005-10-25 Thread Kurt Buff
> - Original Message - 
> From: [EMAIL PROTECTED] 
> To: [EMAIL PROTECTED] 
> Sent: Tuesday, October 25, 2005 5:47 PM
> Subject: Out of Office AutoReply: *SPAM* Re: Stupid spammer rule

Let's take this one farther afield, shall we?

Differentiating between personal accounts and company email systems, how do
you all classify OOO messages? 

For my personal account (on gmail.com) I consider these things spam, and
report them to gmail as such.

I haven't started to do anything with them at work, but was wondering if
there were opinions WRT to this kind of email and how they should be
handled.

Kurt


  



Re: Where do I change...

2005-10-25 Thread Matt Kettler
Roland Corrigal wrote:
> OK, I found out what was starting it now. Thanks for all your help! I 
> had to grep all of 'usr' to find it..
> 

Was it Some kind of script in /usr/local/etc/? or was it something weirder than
that? ("Enquiring minds want to know!")


Re: Where do I change...

2005-10-25 Thread Roland Corrigal
OK, I found out what was starting it now. Thanks for all your help! I  
had to grep all of 'usr' to find it..



On 25-Oct-05, at 4:22 PM, Roland Corrigal wrote:


That's the funny thing...

There is no direct 'spamassassin' or 'spamd' script in the init
directory, and I did do a "grep -r spamd /etc/" and it didn't find
it anywhere relevant. I installed it from Perl. It seems to be
somehow starting up with 'amavisd'. I've searched all of those
files and found no instances of spamd in their config and
executable files either. I'm running Red Hat 8.


Thanks!

On 25-Oct-05, at 4:13 PM, Matt Kettler wrote:


On most sites it starts via /etc/init.d/spamassassin or /etc/init.d/spamd.

However, it could be started via anything.

It all depends on how it was set up. I can hand-hack a startup for it into
almost anything in the whole bootup if I wanted, and if it's been hand-hacked
you might just need to do a "grep -r spamd /etc/*"

Do you know how SA was installed (distro package, source tarball)?

Heck, for that matter what OS are you running? (I'm looking for distro and
version, not "Linux", as this might give some hints about what your general
startup structure looks like. Not all Linux is the same here, much less all *nix)



Roland Corrigal wrote:



Sorry for another email, I meant.. "can't find how it starts up"

Thanks again,
RC





Where do I change the user that spamd starts up with... I searched
all my startup scripts and can find how it even starts up.

Thanks,
RC














Re: Where do I change...

2005-10-25 Thread Roland Corrigal

That's the funny thing...

There is no direct 'spamassassin' or 'spamd' script in the init
directory, and I did do a "grep -r spamd /etc/" and it didn't find it
anywhere relevant. I installed it from Perl. It seems to be somehow
starting up with 'amavisd'. I've searched all of those files and
found no instances of spamd in their config and executable files
either. I'm running Red Hat 8.


Thanks!

On 25-Oct-05, at 4:13 PM, Matt Kettler wrote:

On most sites it starts via /etc/init.d/spamassassin or /etc/init.d/spamd.

However, it could be started via anything.

It all depends on how it was set up. I can hand-hack a startup for it into
almost anything in the whole bootup if I wanted, and if it's been hand-hacked
you might just need to do a "grep -r spamd /etc/*"

Do you know how SA was installed (distro package, source tarball)?

Heck, for that matter what OS are you running? (I'm looking for distro and
version, not "Linux", as this might give some hints about what your general
startup structure looks like. Not all Linux is the same here, much less all *nix)



Roland Corrigal wrote:


Sorry for another email, I meant.. "can't find how it starts up"

Thanks again,
RC




Where do I change the user that spamd starts up with... I searched
all my startup scripts and can find how it even starts up.

Thanks,
RC










SARE german rules version 1.00

2005-10-25 Thread Michael Monnerie
Hello list,

I tried hard to receive more german text SPAM, and succeeded :-)
Therefore, I was able to start to write german text based rules, which I 
put in an extra file. This file already contains the actual 
netbanking.at phishing rules, and should be quite helpful.

I'd like to make it available on SARE, and maintain it. Hopefully others 
will contribute. Who should I speak with?

mfg zmi
-- 
// Michael Monnerie, Ing.BSc  ---   it-management Michael Monnerie
// http://zmi.at   Tel: 0660/4156531  Linux 2.6.11
// PGP Key:   "lynx -source http://zmi.at/zmi2.asc | gpg --import"
// Fingerprint: EB93 ED8A 1DCD BB6C F952  F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879




Re: Where do I change...

2005-10-25 Thread Matt Kettler
On most sites it starts via /etc/init.d/spamassassin or /etc/init.d/spamd.
However, it could be started via anything.

It all depends on how it was set up. I can hand-hack a startup for it into
almost anything in the whole bootup if I wanted, and if it's been hand-hacked
you might just need to do a "grep -r spamd /etc/*"

Do you know how SA was installed (distro package, source tarball)?

Heck, for that matter what OS are you running? (I'm looking for distro and
version, not "Linux", as this might give some hints about what your general
startup structure looks like. Not all Linux is the same here, much less all 
*nix)


Roland Corrigal wrote:
> Sorry for another email, I meant.. "can't find how it starts up"
> 
> Thanks again,
> RC
> 
>>
>> Where do I change the user that spamd starts up with... I searched 
>> all my startup scripts and can find how it even starts up.
>>
>> Thanks,
>> RC
>>
> 



Re: Stupid spammer rule

2005-10-25 Thread Matt Kettler
Fred wrote:
> Hrmm something is wrong here, I updated this file on 10/14/2005 the very
> first day I seen this sign.  What date are you showing on your copy of the
> random file?
> 
> I also updated this file this morning to increase the score for this rule
> but I forgot to change the last modified date and also forgot to do the
> version #..  I just resent the file with updated version numbers 10 minutes
> ago, the rule has been here for 10 days, it's called:
> header  SARE_RAND_NAME1  ALL =~ /%(?:NAME|MAIL)_(?:FROM|TO)/
> score   SARE_RAND_NAME1  3.455
> 

Sorry fred, This is two cases of "my bad".

First, I was foolish enough to trust the date on the rulesemporium
website, which claims the last update was a year and a half ago:

Created by:  Fred Tarasevicius with contributions (too many to list!)
License Type: Artistic/GPL dual
Status: Active *
Last update: 2004-05-17
Version: 01.30.01

(from http://www.rulesemporium.com/rules.htm)


The file itself has been updated.


My local version hasn't been updated recently, since when I browse
rulesemporium.com it tells me there is no update to be had.

Second, even though I looked at the copy on the rulesemporium website, I failed
to notice the date mismatch, and failed to notice the new rule despite searching
for it. (I searched for NAME_, which wouldn't find the above).


Suggested action item for SARE: If you can't synch the "Last Update" for
rules.htm, with the files, remove it. It's better to say nothing than to present
blatantly wrong information.






auto-spammer [Was: Fabrice LEGRAND/GIA est absent(e).]

2005-10-25 Thread mouss

[EMAIL PROTECTED] wrote:


Je serai absent(e) du  24/10/2005 au 28/10/2005.
 


So they
- autorespond to mailing lists,
- could set the date, but not the gender (see the '(e)')...
- and include 13 silly disclaimer lines for 2 lines of text

but now the best (I'll ignore some sentences that are plain garbage too)


Si vous le recevez par erreur, merci d'en avertir l'expéditeur et de le 
détruire.

This translates to "if you get the message by error, inform the sender 
and destroy _him_". Do they reimburse the weapons?


also, how can a company named apriaRSA.fr say:


The Internet can not guarantee the integrity of this message.


(of course their "rsa" has nothing to do with crypto:)



RE: Where do I change...

2005-10-25 Thread Roland Corrigal

Sorry for another email, I meant.. "can't find how it starts up"

Thanks again,
RC



Where do I change the user that spamd starts up with... I searched  
all my startup scripts and can find how it even starts up.


Thanks,
RC





Where do I change...

2005-10-25 Thread Roland Corrigal
Where do I change the user that spamd starts up with... I searched  
all my startup scripts and can find how it even starts up.


Thanks,
RC


Fw: Out of Office AutoReply: *****SPAM***** Re: Stupid spammer rule

2005-10-25 Thread Fred



Can we have this account removed from the 
list...  
 
- Original Message - 
From: [EMAIL PROTECTED] 
To: [EMAIL PROTECTED] 
Sent: Tuesday, October 25, 2005 5:47 PM
Subject: Out of Office AutoReply: *SPAM* Re: Stupid spammer 
rule

I am currently out of the office and will return on October 
31st. If you have any urgent matters, please email [EMAIL PROTECTED] and they 
will forward you to the appropriate person.



iVillage Inc., 500 Seventh Avenue, New York, NY 10018 - iVillage Inc. is a 
leading women's media company that includes iVillage.com, Women.com, gURL.com, 
Astrology.com, Promotions.com, iVillage Parenting Network, The Newborn Channel, 
Lamaze Publishing, Business Women's Network, Diversity Best Practices, Best 
Practices in Corporate Communications, Healthology Inc., and iVillage 
Consulting. The information contained in this communication may be confidential, 
is intended only for the use of the recipient named above, and may be construed 
under applicable law to be a commercial email. If you have received this 
communication in error, please delete this message from your computer system. If 
you are the recipient named above and do not wish to receive any future 
commercial emails, please reply to the sender with a message stating such 
preference. (M1) 



Re: Stupid spammer rule

2005-10-25 Thread Fred
Hrmm something is wrong here, I updated this file on 10/14/2005 the very
first day I seen this sign.  What date are you showing on your copy of the
random file?

I also updated this file this morning to increase the score for this rule
but I forgot to change the last modified date and also forgot to do the
version #..  I just resent the file with updated version numbers 10 minutes
ago, the rule has been here for 10 days, it's called:
header  SARE_RAND_NAME1  ALL =~ /%(?:NAME|MAIL)_(?:FROM|TO)/
score   SARE_RAND_NAME1  3.455




Matt Kettler wrote:
> Currently 70_sare_random.cf is rather old and doesn't contain any
> rules for
> these variants.
>
> It's got %FROM_NAME, but not %NAME_FROM. It doesn't have anything
> close to %NAME_TO.
>
> Perhaps Fred Tarasevicius needs to make an update.
>
> Adding NAME_FROM is easy:
> header  __RANDH_7B ALL =~ /%FROM_NAME/
> rawbody  __RANDR_7B /%FROM_NAME/
>
> Would be replaced by:
> header  __RANDH_7B ALL =~ /%(?:FROM_NAME|NAME_FROM)/
> rawbody  __RANDR_7B /%(?:FROM_NAME|NAME_FROM)/
>
>
> M.Lewis wrote:
>> Are you using 70_sare_random.cf ?
>>
>> 70_sare_random.cf
>> Description:  70_sare_random.cf tries to detect common mis-fires
>> on bulk mail software. Many signs are found like: %RND_NUMBER, etc
>>
>> Mike
>>
>> Kenneth Porter wrote:
>>
>>> Been getting a few of these:
>>>
>>> From: "{%NAME_FROM}" <[EMAIL PROTECTED]>
>>> To: "{%NAME_TO}" <[EMAIL PROTECTED]>
>>>
>>> Anyone have a rule to nuke them?



Fabrice LEGRAND/GIA est absent(e).

2005-10-25 Thread f . legrand






I will be away from 24/10/2005 to 28/10/2005.

I will reply to your message on my return.


This message and all attachments are intended exclusively for their
addressees and are confidential. If you receive it in error, please notify
the sender and destroy it. Any use of this message that does not conform to
its purpose, and any distribution or publication, in whole or in part, is
prohibited without the express authorization of the sender.
Since the Internet cannot ensure the integrity of this message, the sender
declines all responsibility for this message in the event that it has been
modified.


This message and any attachments are exclusively intended for the addressees 
and are confidential. If you receive it in error, please notify it to the 
sender and delete it. Any use not in accord with its purpose, any dissemination 
or disclosure, either whole or partial, is prohibited except formal approval by 
the sender.
The Internet can not guarantee the integrity of this message. The sender shall 
not therefore be liable for the message if modified.


Re: trusted_networks?

2005-10-25 Thread Cami

Matt Kettler wrote:

Cami wrote:

I'm not treating them as such. All I'm trying to do is stop
RBL checks happening for the 196.0.0.0/8 network.


Yes you are. You're trying to use them as an RBL whitelist, and it doesn't work
that way. You can use them to deal with the DUL RBLs, but these settings will
not offer you any exception to normal RBLS. Period.


Why can't v3.1 do this when v2.64 did?


According to the docs:

Trusted relays that accept mail directly from dial-up connections
should not be
listed in internal_networks. List them only in trusted_networks.


Fix your trusted_networks and internal_networks accordingly. And do
NOT list the
dialup source. Put your MX in trusted_networks, and make sure it's not in
internal_networks.


I've tried that already. If I remove 'internal_networks'
completely, RBL looks still occur for the 196.x.x.x range.


If you have no internal networks declaration SA will use the values in
trusted_networks as your internal_networks.

Neither trusted_networks or internal_networks can ever be empty. They must have
a value. If you don't declare one, SA will make educated guesses.


Makes sense.


So, as I said before, fix your trusted_networks and internal_networks
accordingly. Don't try to remove either setting. Define them, but define them
with the correct values for your network.


trusted_networks  196.0.0.0/8 165.165.0.0/16 165.146.0.0/16
internal_networks 196.2.50.0/24

Oct 25 21:49:10 spamwall12.mweb.co.za amavis[23288]: (23288-01-53) SPAM, 
<[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Yes, Hits=26.274 
tag1=3.0 tag2=7.5 kill=7.5, 
tests=BAYES_99=5.4,BODY_ENHANCEMENT2=0.736,DCC_CHECK=4,FB_ENLARGE_MEMBER=3,HELO_DYNAMIC_IPADDR2=3.818,INFO_TLD=1.273,RCVD_IN_BL_SPAMCOP_NET=2,RCVD_IN_SORBS_SOCKS=2.159,SARE_ADULT2=1.666,SARE_ENLRGYOUR=2.222, 
[196.7.18.34], quarantine: w24XCUAGg2Dm



Oct 25 21:52:29 spamwall12.mweb.co.za amavis[23293]: (23293-01-89) 
CLEAN, <[EMAIL PROTECTED]> -> <[EMAIL PROTECTED]>, Message-ID: 
<[EMAIL PROTECTED]>, Hits=-4.009 tag1=3.0 
tag2=7.5 kill=7.5, 
tests=HTML_MESSAGE=0.001,RCVD_IN_NJABL_DUL=1.946,RCVD_IN_SORBS_DUL=2.046,RCVD_WHITELIST02=-8,SPF_HELO_PASS=-0.001,SPF_PASS=-0.001, 
[196.2.50.73]


I have done so, yet I still fail to see how the behavior mimics that
of SA 2.64, both hosts in my trusted_networks and internal_network
still get checked against RBLs.

Cami


Re: Stupid spammer rule

2005-10-25 Thread Matt Kettler
Currently 70_sare_random.cf is rather old and doesn't contain any rules for
these variants.

It's got %FROM_NAME, but not %NAME_FROM. It doesn't have anything close to 
%NAME_TO.

Perhaps Fred Tarasevicius needs to make an update.

Adding NAME_FROM is easy:
header  __RANDH_7B ALL =~ /%FROM_NAME/
rawbody  __RANDR_7B /%FROM_NAME/

Would be replaced by:
header  __RANDH_7B ALL =~ /%(?:FROM_NAME|NAME_FROM)/
rawbody  __RANDR_7B /%(?:FROM_NAME|NAME_FROM)/


M.Lewis wrote:
> Are you using 70_sare_random.cf ?
> 
> 70_sare_random.cf
> Description:  70_sare_random.cf tries to detect common mis-fires on
> bulk mail software. Many signs are found like: %RND_NUMBER, etc
> 
> Mike
> 
> Kenneth Porter wrote:
> 
>> Been getting a few of these:
>>
>> From: "{%NAME_FROM}" <[EMAIL PROTECTED]>
>> To: "{%NAME_TO}" <[EMAIL PROTECTED]>
>>
>> Anyone have a rule to nuke them?
>>
>>
> 
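
To check what the widened pattern does and does not cover, the following added example (Python, not part of the original post or of 70_sare_random.cf) parses the rule lines quoted above and runs them over constructed headers. The evaluator is a simplified stand-in for SpamAssassin's rule engine, and the sample addresses are placeholders.

```python
import re

# Matches the two rule forms shown in the post:
#   header  NAME HEADER =~ /regex/      rawbody  NAME /regex/
RULE_LINE = re.compile(r"^(header|rawbody)\s+(\S+)\s+(?:(\S+)\s+=~\s+)?/(.+)/$")

def parse_rules(cf_text):
    """Return (kind, name, header, compiled regex) for every rule line found."""
    rules = []
    for line in cf_text.splitlines():
        m = RULE_LINE.match(line.strip())
        if m:
            kind, name, header, pattern = m.groups()
            rules.append((kind, name, header, re.compile(pattern)))
    return rules

def select(kind, header, headers, body):
    """Pick the text a rule inspects: all headers, one header, or the raw body."""
    if kind == "rawbody":
        return body
    if header in (None, "ALL"):
        return headers
    prefix = header.lower() + ":"
    return "\n".join(l for l in headers.splitlines() if l.lower().startswith(prefix))

def fired(rules, headers, body=""):
    """Names of the rules whose pattern matches the given message parts."""
    return sorted({name for kind, name, header, rx in rules
                   if rx.search(select(kind, header, headers, body))})

OLD_RULES = """
header  __RANDH_7B ALL =~ /%FROM_NAME/
rawbody  __RANDR_7B /%FROM_NAME/
"""
NEW_RULES = """
header  __RANDH_7B ALL =~ /%(?:FROM_NAME|NAME_FROM)/
rawbody  __RANDR_7B /%(?:FROM_NAME|NAME_FROM)/
"""
# Constructed headers modelled on the reported spam; addresses are placeholders
BOTH = 'From: "{%NAME_FROM}" <sender@example.invalid>\nTo: "{%NAME_TO}" <rcpt@example.invalid>'
TO_ONLY = 'From: "Some Sender" <sender@example.invalid>\nTo: "{%NAME_TO}" <rcpt@example.invalid>'

if __name__ == "__main__":
    for label, cf in (("old", OLD_RULES), ("new", NEW_RULES)):
        rules = parse_rules(cf)
        print(label, fired(rules, BOTH), fired(rules, TO_ONLY))
```

A message carrying only the unexpanded `%NAME_TO` token still passes both versions, which matches the remark that the file has nothing close to `%NAME_TO`.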



Re: trusted_networks?

2005-10-25 Thread Matt Kettler
Cami wrote:
> Matt Kettler wrote:
> 
>>
>> First, neither trusted nor internal networks is a whitelist. Don't try
>> to treat
>> them as such.
> 
> 
> I'm not treating them as such. All I'm trying to do is stop
> RBL checks happening for the 196.0.0.0/8 network.

Yes you are. You're trying to use them as an RBL whitelist, and it doesn't work
that way. You can use them to deal with the DUL RBLs, but these settings will
not offer you any exception to normal RBLs. Period.


> 
>> According to the docs:
>> 
>> Trusted relays that accept mail directly from dial-up connections
>> should not be
>> listed in internal_networks. List them only in trusted_networks.
>> 
>>
>> Fix your trusted_networks and internal_networks accordingly. And do
>> NOT list the
>> dialup source. Put your MX in trusted_networks, and make sure it's not in
>> internal_networks.
> 
> 
> I've tried that already. If I remove 'internal_networks'
> completely, RBL looks still occur for the 196.x.x.x range.

If you have no internal networks declaration SA will use the values in
trusted_networks as your internal_networks.

Neither trusted_networks nor internal_networks can ever be empty. They must have
a value. If you don't declare one, SA will make educated guesses.

So, as I said before, fix your trusted_networks and internal_networks
accordingly. Don't try to remove either setting. Define them, but define them
with the correct values for your network.
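
An added example, not part of the original post and not SpamAssassin's code: a simplified Python model of how trusted_networks and internal_networks split the Received chain and which relay IPs are then looked up. It assumes trust is evaluated hop by hop from the most recent relay, that DUL-type lists are asked only about the first external hop, and that nothing is queried once no untrusted hop remains; the relay chains are constructed.

```python
import ipaddress

def parse_nets(spec):
    """Parse the space-separated CIDR list that follows trusted_networks / internal_networks."""
    return [ipaddress.ip_network(n, strict=False) for n in spec.split()]

def listed(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)

def classify(relays, trusted_spec, internal_spec=None):
    """relays: relay IPs from the Received headers, most recent hop first."""
    trusted = parse_nets(trusted_spec)
    # From the thread: with no internal_networks line, trusted_networks is reused.
    internal = parse_nets(internal_spec) if internal_spec else trusted
    in_trusted = in_internal = True
    out = {"trusted": [], "untrusted": [], "internal": [], "external": []}
    for ip in relays:
        # Assumption of this model: the first unlisted hop ends trust for every older hop.
        in_trusted = in_trusted and listed(ip, trusted)
        in_internal = in_internal and in_trusted and listed(ip, internal)
        out["trusted" if in_trusted else "untrusted"].append(ip)
        out["internal" if in_internal else "external"].append(ip)
    return out

def dnsbl_targets(relays, trusted_spec, internal_spec=None):
    """Relay IPs each kind of list would be asked about under this model."""
    parts = classify(relays, trusted_spec, internal_spec)

    def routable(ips):  # loopback addresses are never worth a DNSBL query
        return [ip for ip in ips if not ipaddress.ip_address(ip).is_loopback]

    rbl = routable(parts["untrusted"])
    if not rbl:  # assumption: nothing untrusted left, so no list is queried
        return {"rbl": [], "dul": []}
    # Assumption: DUL-type lists are asked only about the hop that handed
    # the message to the internal network (the first external relay).
    return {"rbl": rbl, "dul": routable(parts["external"])[:1]}

# Settings as quoted in the thread's local.cf
TRUSTED = "196.0.0.0/8 165.165.0.0/16 165.146.0.0/16"
INTERNAL = "196.2.50.0/24"
# Constructed relay chains (most recent hop first), not taken from real mail
DIRECT = ["196.2.50.10", "196.7.1.20", "198.51.100.7"]
VIA_LOOPBACK = ["127.0.0.1"] + DIRECT[:2]

if __name__ == "__main__":
    print(dnsbl_targets(DIRECT, TRUSTED, INTERNAL))
    print(dnsbl_targets(DIRECT, TRUSTED))
    print(dnsbl_targets(VIA_LOOPBACK, TRUSTED, INTERNAL))
    print(dnsbl_targets(VIA_LOOPBACK, "127.0.0.0/8 " + TRUSTED, "127.0.0.0/8 " + INTERNAL))
```

In this model an unlisted loopback hop at the top of the chain leaves every 196.x relay untrusted, so both kinds of lookup still see them; listing 127.0.0.0/8 as well removes them from the lookup set.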



Re: Stupid spammer rule

2005-10-25 Thread M.Lewis

Are you using 70_sare_random.cf ?

70_sare_random.cf
Description:  	70_sare_random.cf tries to detect common mis-fires on 
bulk mail software. Many signs are found like: %RND_NUMBER, etc


Mike

Kenneth Porter wrote:

Been getting a few of these:

From: "{%NAME_FROM}" <[EMAIL PROTECTED]>
To: "{%NAME_TO}" <[EMAIL PROTECTED]>

Anyone have a rule to nuke them?




Re: trusted_networks?

2005-10-25 Thread Cami

Matt Kettler wrote:


First, neither trusted nor internal networks is a whitelist. Don't try to treat
them as such.


I'm not treating them as such. All I'm trying to do is stop
RBL checks happening for the 196.0.0.0/8 network.


According to the docs:

Trusted relays that accept mail directly from dial-up connections should not be
listed in internal_networks. List them only in trusted_networks.


Fix your trusted_networks and internal_networks accordingly. And do NOT list the
dialup source. Put your MX in trusted_networks, and make sure it's not in
internal_networks.


I've tried that already. If I remove 'internal_networks'
completely, RBL looks still occur for the 196.x.x.x range.

Only reason I added the same data to internal_networks
is because trusted_networks was not working.

Cami


Stupid spammer rule

2005-10-25 Thread Kenneth Porter

Been getting a few of these:

From: "{%NAME_FROM}" <[EMAIL PROTECTED]>
To: "{%NAME_TO}" <[EMAIL PROTECTED]>

Anyone have a rule to nuke them?


Re: How to disable a ruleset?

2005-10-25 Thread Carlos Zottmann
OK !!

Thanks everyone for the tips !!

Regards,
Carlos.

2005/10/25, Matt Kettler <[EMAIL PROTECTED]>:
> Carlos Zottmann wrote:
> > Hi!!
> >
> > We are using amavisd-new indeed, and that was the problem.
> >
> > Doing a "ps aux | grep spam", I get just the processes below, which are
> > started by a "spamassassin" service that we have on /etc/initd.
> >
> > spamd 15804  0.0  1.6 30868 24992 ?   Ss   Oct21   0:00
> > /usr/bin/spamd -x -u spamd -H /home/spamd -d
> > spamd 15809  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> > spamd 15810  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> > spamd 15811  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> > spamd 15812  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> > spamd 15813  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> >
> > How does amavisd-new daemonize spamassassin?
>
> It does so internally. Amavisd-new is a Perl application, and it internally
> contains a Mail::SpamAssassin object. Thus, every Amavisd acts as its own
> spamd.
>
> You should kill your "spamassassin" service. It's only wasting memory.
>
>
>


Re: How to disable a ruleset?

2005-10-25 Thread Matt Kettler
Carlos Zottmann wrote:
> Hi!!
> 
> We are using amavisd-new indeed, and that was the problem.
> 
> Doing a "ps aux | grep spam", I get just the processes below, which are
> started by a "spamassassin" service that we have on /etc/initd.
> 
> spamd 15804  0.0  1.6 30868 24992 ?   Ss   Oct21   0:00
> /usr/bin/spamd -x -u spamd -H /home/spamd -d
> spamd 15809  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> spamd 15810  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> spamd 15811  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> spamd 15812  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> spamd 15813  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
> 
> How does amavisd-new daemonize spamassassin?

It does so internally. Amavisd-new is a Perl application, and it internally
contains a Mail::SpamAssassin object. Thus, every Amavisd acts as its own
spamd.

You should kill your "spamassassin" service. It's only wasting memory.




Re: Using spam tools for viruses

2005-10-25 Thread Nix
On Mon, 24 Oct 2005, [EMAIL PROTECTED] whispered secretively:
> I'm not sure what the SA folks think about this now a days.  A while
> back, they removed the checks for MS executables as being spam
> indicators even though the test actually is a very good indicator of
> spam.

That's because it didn't work very well. The new AntiVirus plugin
does a much better job, but note that it is *not* an antivirus plugin
despite the name: it's a suspect-extension-and-content-type detector,
so if your users are in the habit of mailing executables or PowerPoint
documents or things of that nature around, the plugin will cause FPs.

> Instead, SA is detecting email worms via the Bayesian analysis,
> detecting keywords that match MS executables, even though it doesn't
> do anywhere near as good a job.

That's because there aren't many such keywords.

> Email worms are one of the most dangerous and destructive forms of
> UBE.  They directly lead to open proxies that are used for "regular"
> spam.  IMHO, they should be paid *more* attention to than "regular"
> spam, not less.

The problem is that the properties of worms are totally different to the
properties of spam. Spam is wildly variable but intended to contain
components that are read by human beings, and the vast majority of
SpamAssassin's rules look for things on that basis. Worms are vast lumps
of mostly-invariant binary data: the regex rules, the URIBL system, and
the Bayesian analyzer are mostly useless on them, and that doesn't
really leave very much bar header analysis (and half of those rules are
useless on worms too). SA has *no* facilities for spotting patterns in
big lumps of binary data, let alone automated partial disassembly and
static behavioural analysis routines, unpackers for UPX and OLE
unpackers and so on, like many virus scanners have. There is almost no
overlap between the jobs they have to do, or between the nature of the
emails they trap.

Plus, even with the sa-update system, worms change so fast that, with
SA's regex matching and URIBL rendered useless by the binary-lump nature
of worms, SA would never spot most new worms. (The only reason it spots
most spam is because rules that caught old spam often catch new spam
too.  Rules meant to catch old worms pretty much *never* catch new ones
unless, like the MICROSOFT_EXECUTABLE rule, they're so general that they
could easily catch lots of stuff that isn't wormy as well.)

Plus, worms are often so large that scanning them with SA is
astonishingly inefficient. SA is many, many times slower than a
dedicated tool like clamav and can never do as good a job as one of
them. SA would need *tens of thousands* of individually crafted
anti-worm rules to do as good a job as clamav --- and that's *orders of
magnitude* more rules than SA has right now. It'd become unimaginably
slow and immensely bloated, and would *still* do a bad job.


So even though they're UBE, executable lumps aren't something that SA
can efficiently spot. (Equally, though, sometimes antivirus tools like
clamav start attacking things that perhaps they shouldn't: clamav
catches some phishing scams, so those of us with corpuses have had to
stop it rejecting such mails lest it bias the corpuses, as SA *is*
intended to catch phish.)

-- 
`"Gun-wielding recluse gunned down by local police" isn't the epitaph
 I want. I am hoping for "Witnesses reported the sound up to two hundred
 kilometers away" or "Last body part finally located".' --- James Nicoll


Re: How to disable a ruleset?

2005-10-25 Thread Carlos Zottmann
Hi!!

We are using amavisd-new indeed, and that was the problem.

Doing a "ps aux | grep spam", I get just the processes below, which are
started by a "spamassassin" service that we have on /etc/initd.

spamd 15804  0.0  1.6 30868 24992 ?   Ss   Oct21   0:00
/usr/bin/spamd -x -u spamd -H /home/spamd -d
spamd 15809  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
spamd 15810  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
spamd 15811  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
spamd 15812  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child
spamd 15813  0.0  1.6 30868 24992 ?   S    Oct21   0:00 spamd child

How does amavisd-new daemonize spamassassin?

Thanks again,
Carlos.

2005/10/24, jdow <[EMAIL PROTECTED]>:
> From: "Carlos Zottmann" <[EMAIL PROTECTED]>
>
> Hi !!
>
> I have added a ruleset named br_rules.cf, by saving it in the
> /etc/mail/spamassassin directory.
>
> I thought that this ruleset, though, was not nice enough, and deleted
> it from the above directory, stopped and started spamd again.
>
> Verifying the messages detected as spam after that, I noticed that
> some rules are still being matched by spamassassin (ex: X-Spam-Status:
> Yes, , BR_ADJUST_2=2, BR_CLIQUE_AQUI=1.8, ...])
>
> << It's gone. If you are running amavis, mailscanner, or some other
> << tool that itself daemonizes SpamAssassin you must not run spamd
> << and you must restart that tool instead.
>
> {^_^}
>
>


Re: trusted_networks?

2005-10-25 Thread Matt Kettler
Cami wrote:
> Hi All,
> 
> I'm using SpamAssassin v3.1.0 and amavisd-new 2.3.3.
> 
> Oct 23 15:59:53 spamwall03.mweb.co.za amavis[32425]: (32425-01-69) SPAM,
> <[EMAIL PROTECTED]> -> <<[EMAIL PROTECTED]>, Yes, Hits=7.734
> tag1=3.0 tag2=7.5 kill=7.5,
> tests=DATE_IN_FUTURE_06_12=1.668,FM_NO_STYLE=0.9,HTML_40_50=0.496,HTML_MESSAGE=0.001,J_CHICKENPOX_43=0.6,RCVD_IN_NJABL_DUL=1.946,RCVD_IN_SORBS_DUL=2.046,TW_KM=0.077,
> [196.25.240.86]
> 
> I have tried a variety of combinations to produce the same
> behavior as SpamAssassin v2.64 but I am unable to get
> SA v3.1 to stop doing RBL lookups for specific ip ranges.
> 
> From /etc/mail/spamassassin/local.cf
> ..
> # TRUSTED NETWORKS
> trusted_networks  196.0.0.0/8
> internal_networks 196.0.0.0/8

First, neither trusted nor internal networks is a whitelist. Don't try to treat
them as such.

According to the docs:

Trusted relays that accept mail directly from dial-up connections should not be
listed in internal_networks. List them only in trusted_networks.


Fix your trusted_networks and internal_networks accordingly. And do NOT list the
dialup source. Put your MX in trusted_networks, and make sure it's not in
internal_networks.


RE: spamd --max-spare ignored

2005-10-25 Thread Matthew.van.Eerde
Robert Blayzor wrote:
> [EMAIL PROTECTED] wrote:
>> I'm running spamd with --max-spare, but as soon as I start it, it
>> spawns --max-children children and keeps it there. 
>> 
...
>>   --round-robin \
...
>>   --max-spare=5 \
...
> Because you have specified "--round-robin".  That tells spamd to use
> the "old way" of forking processes.

That did it, thanks.

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


Re: spamd --max-spare ignored

2005-10-25 Thread Robert Blayzor
[EMAIL PROTECTED] wrote:
> I'm running spamd with --max-spare, but as soon as I start it, it spawns 
> --max-children children and keeps it there.
> 
> I'm running 3.10 with these options:
> 
> /usr/bin/spamd \
>   --daemonize \
>   --username=spamd \
>   --round-robin \
>   --max-children=20 \
>   --max-spare=5 \
>   --socketpath=/var/run/spam/spamd.sock \
>   --pidfile=/var/run/spam/spamd.pid
> 
> Are any of my settings incorrect?  Or could this be a bug?


Because you have specified "--round-robin".  That tells spamd to use the
"old way" of forking processes.

-- 
Robert Blayzor, BOFH
INOC, LLC
rblayzor\@(inoc.net|gmail.com)
PGP: http://www.inoc.net/~dev/
Key fingerprint = 1E02 DABE F989 BC03 3DF5  0E93 8D02 9D0B CB1A A7B0

A list is only as strong as its weakest link.  - Don Knuth


spamd --max-spare ignored

2005-10-25 Thread Matthew.van.Eerde
I'm running spamd with --max-spare, but as soon as I start it, it spawns 
--max-children children and keeps it there.

I'm running 3.10 with these options:

/usr/bin/spamd \
  --daemonize \
  --username=spamd \
  --round-robin \
  --max-children=20 \
  --max-spare=5 \
  --socketpath=/var/run/spam/spamd.sock \
  --pidfile=/var/run/spam/spamd.pid

Are any of my settings incorrect?  Or could this be a bug?

-- 
Matthew.van.Eerde (at) hbinc.com   805.964.4554 x902
Hispanic Business Inc./HireDiversity.com   Software Engineer


RE: POP3 proxy with SA 3.x?

2005-10-25 Thread Raimonds Aronietis
Hi,

I think you should check out P3Scan. It works fine for me.

Raimonds

-Original Message-
From: Paolo Cravero as2594 [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 25, 2005 3:23 PM
To: SpamAssassin Users
Subject: POP3 proxy with SA 3.x?


Hi,
I have successfully used a Perl POP3proxy on a Linux box with SA 2.6.x .

I have now migrated to 3.x, and some internal functions have been 
dropped or renamed, so that Perl program doesn't work anymore.

Does anyone know of a (Linux) POP3 proxy that supports SA 3.x?

TIA,
Paolo




POP3 proxy with SA 3.x?

2005-10-25 Thread Paolo Cravero as2594

Hi,
I have successfully used a Perl POP3proxy on a Linux box with SA 2.6.x .

I have now migrated to 3.x, and some internal functions have been 
dropped or renamed, so that Perl program doesn't work anymore.


Does anyone know of a (Linux) POP3 proxy that supports SA 3.x?

TIA,
Paolo



trusted_networks?

2005-10-25 Thread Cami

Hi All,

I'm using SpamAssassin v3.1.0 and amavisd-new 2.3.3.

Oct 23 15:59:53 spamwall03.mweb.co.za amavis[32425]: (32425-01-69) SPAM, <[EMAIL PROTECTED]> -> <<[EMAIL PROTECTED]>, Yes, Hits=7.734 tag1=3.0 
tag2=7.5 kill=7.5, 
tests=DATE_IN_FUTURE_06_12=1.668,FM_NO_STYLE=0.9,HTML_40_50=0.496,HTML_MESSAGE=0.001,J_CHICKENPOX_43=0.6,RCVD_IN_NJABL_DUL=1.946,RCVD_IN_SORBS_DUL=2.046,TW_KM=0.077, 
[196.25.240.86]


I have tried a variety of combinations to produce the same
behavior as SpamAssassin v2.64 but I am unable to get
SA v3.1 to stop doing RBL lookups for specific ip ranges.

From /etc/mail/spamassassin/local.cf
..
# TRUSTED NETWORKS
trusted_networks  196.0.0.0/8
internal_networks 196.0.0.0/8
..

What am I missing? Regardless of what I try,
"RCVD_IN_NJABL_DUL=1.946,RCVD_IN_SORBS_DUL" are getting hit
every time.

Cami