Re: any extra language effort for SA? (esp. Asian SPAM)
Jason Haar wrote:
> Hi there
>
> I just did a stat-run on email I received 31st Oct, and found that of the mail SA scored lower than 5/5 (i.e. SA classified as ham), a large amount was SPAM. In fact it only caught 80% of the SPAM I received that day (this is with SA 3.1.0)
>
> Of that I was able to tell that the vast majority of missed SPAM was actually Asian SPAM - the Subject: lines alone were 100% non-ASCII - bit of a give-away as I am ignorant and can't speak anything but Kiwi-English ;-)
>
> If I removed that Asian SPAM from the figures, the effectiveness of SA shot up to 98% - pretty darn good!
>
> Now personally I can run SA on my workstation with ok_locales en and bang extra points onto non-English mail - but I certainly can't do that for our company as a whole - which has customers from every country/nationality, etc.
>
> So the only thing I can think of is that there appears to be a need for more non-English rulesets to add points for different language usages of viagra/porn/whatever.
>
> Am I correct in my thinking, and if so is the SA group getting help from non-English developers to make this happen? I see a couple of body_test rules that appear to be for Spanish and Polish - but no others?

Jason,

I know that I have personally contributed some rules to catch certain phrases in Japanese, however this seems like a really scenario for manual bayes training. While the auto-learning is convenient and often good enough, I think the general consensus is that you should do at least a certain bit of manual training so that your bayes databases better represent your mail traffic patterns.

hope this helps,
alan
RE: Why did this mail get any score at all?
Mathias Homann wrote:
> Hi,
>
> here's the headers of a mail that got scored (ok, not very high but it should get no score at all):
>
> X-Spam-Status: No, score=1.7 required=5.0 tests=ALL_TRUSTED,BAYES_00,
>     DCC_CHECK,SUBJECT_EXCESS_QP autolearn=no version=3.1.0

Why should it get no score at all? SA will always assign a score. If it scored well below your threshold and it wasn't spam, then SA classified it correctly.

If you are trying to minimize the score for your own bulk mailing, then you should be concerned about SUBJECT_EXCESS_QP. In this case, the subject

    Karriere-Journal: Eingewaehlt und abgezockt

contains only ASCII characters, and did not require special coding. The SUBJECT_EXCESS_QP test looks for quoted-printable coding and the absence of quoted characters:

    header __SUBJECT_ENCODED_QP   Subject:raw =~ /=\?\S+\?Q\?/i
    header __SUBJECT_NEEDS_MIME   Subject =~ /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]/
    meta   SUBJECT_EXCESS_QP      __SUBJECT_ENCODED_QP && !__SUBJECT_NEEDS_MIME

You would expect DCC when sending bulk mail, and BAYES and ALL_TRUSTED will depend on the recipient's configuration.

mfg Pierre
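Added example, not part of the original post and not SpamAssassin's own code: a Python sketch of the three rule lines above, run over constructed Subject headers. The encoded-word samples are assumptions, since the thread shows only the decoded subject, and Python's `email.header.decode_header` stands in for SpamAssassin's header decoding.

```python
import re
from email.header import decode_header

# Python equivalents of the rule lines quoted in the post.
# __SUBJECT_ENCODED_QP is tested against the raw header text (Subject:raw),
# __SUBJECT_NEEDS_MIME against the header after encoded-words are decoded.
SUBJECT_ENCODED_QP = re.compile(r"=\?\S+\?Q\?", re.IGNORECASE)
SUBJECT_NEEDS_MIME = re.compile(rb"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f-\xff]")


def decoded_bytes(raw_subject):
    """Decode RFC 2047 encoded-words to bytes, without charset conversion."""
    out = b""
    for part, _charset in decode_header(raw_subject):
        # decode_header returns str only when nothing was encoded at all
        out += part if isinstance(part, bytes) else part.encode("utf-8")
    return out


def subject_excess_qp(raw_subject):
    """True when the subject is Q-encoded although nothing in it needed it."""
    encoded_qp = bool(SUBJECT_ENCODED_QP.search(raw_subject))
    needs_mime = bool(SUBJECT_NEEDS_MIME.search(decoded_bytes(raw_subject)))
    return encoded_qp and not needs_mime


# Constructed sample headers (the page shows only the decoded subject text).
SAMPLES = {
    "ascii_as_qp": "=?iso-8859-1?Q?Karriere-Journal:_Eingewaehlt_und_abgezockt?=",
    "umlaut_as_qp": "=?iso-8859-1?Q?Karriere-Journal:_Eingew=E4hlt_und_abgezockt?=",
    "plain_ascii": "Karriere-Journal: Eingewaehlt und abgezockt",
    "ascii_as_b64": "=?utf-8?B?SGVsbG8gd29ybGQ=?=",
}


def classify_samples():
    """Evaluate the meta rule for every constructed sample."""
    return {name: subject_excess_qp(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in classify_samples().items():
        print(f"{name:13} SUBJECT_EXCESS_QP={hit}")
```

A pure-ASCII subject wrapped in base64 does not trigger the rule, because `__SUBJECT_ENCODED_QP` only looks for the `?Q?` marker.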
RE: Why did this mail get any score at all?
Pierre Thomson wrote:
> If you are trying to minimize the score for your own bulk mailing, then you should be

I am not. I was just wondering about the scores that that mail has got, as well as a bit concerned about the fact that after upgrading to SA 3.1.0 i get all kind of weird results, for example two spam mails that both took the same way to my mailserver (smtp from some box to the MX for my domain, then pop3 from that mx to localhost, then another hop on localhost due to virus scanning) get different scores for ALL_TRUSTED, one gets a negative score based on ALL_TRUSTED and the other doesn't. So right now i'm looking at SA results much more closely than I used to.

> concerned about SUBJECT_EXCESS_QP. In this case, the subject Karriere-Journal: Eingewaehlt und abgezockt contains only ASCII characters, and did not require special coding. The SUBJECT_EXCESS_QP test looks for quoted-printable coding and the absence of quoted characters:

ok, that makes sense. And because that newsletter is not being sent / managed by me, i couldn't care less in this case ;)

bye, MH
Re: Why did this mail get any score at all?
At 01:23 AM 11/4/2005, Mathias Homann wrote:
> Hi,
>
> here's the headers of a mail that got scored (ok, not very high but it should get no score at all):
>
> <snip>
>
> What really bugs me are the scores for ALL_TRUSTED and SUBJECT_EXCESS_QP.

Why does the score for ALL_TRUSTED bug you here? that's a NEGATIVE scoring rule.

As for SUBJECT_EXCESS_QP, that rule is disabled by default in SA 3.1.0.. so perhaps you should ask yourself why you turned it on by forcing a nonzero score.

From SA 3.1.0's 50_scores.cf:

    score SUBJECT_EXCESS_QP 0

(A score of 0 completely disables a rule)
Re: Why did this mail get any score at all?
In a message dated 11/4/2005 9:14:00 AM Eastern Standard Time, [EMAIL PROTECTED] writes:
>> What really bugs me are the scores for ALL_TRUSTED and SUBJECT_EXCESS_QP.
> Why does the score for ALL_TRUSTED bug you here? that's a NEGATIVE scoring rule.

I ran into a similar situation. I have no trusted or untrusted hosts defined but the ALL_TRUSTED object triggers and lowers the spam score any way.

Rich Dygert
CompuServe classic email SA
614-538-4518
Custom rule
Hi,

I'm no expert in creating rules - so hopefully someone can help me with this simple one:

I want to assign a negative score for all mails, that has the text

    JGH Ref.: xxx

present in the subject (where xx can be a series of numbers, that is 1-6 digits). It doesn't matter if other text is present on either side of this match...

Anyone ?

Regards,
/Brian
Re: Why did this mail get any score at all?
At 09:38 AM 11/4/2005, [EMAIL PROTECTED] wrote:
> In a message dated 11/4/2005 9:14:00 AM Eastern Standard Time, [EMAIL PROTECTED] writes:
>>> What really bugs me are the scores for ALL_TRUSTED and SUBJECT_EXCESS_QP.
>> Why does the score for ALL_TRUSTED bug you here? that's a NEGATIVE scoring rule.
> I ran into a similar situation. I have no trusted or untrusted hosts defined but the ALL_TRUSTED object triggers and lowers the spam score any way.

You can *NEVER* have no trusted hosts.. Period.

If you don't declare a trusted_networks, SA will auto-guess one for you.
Re: Custom rule
Brian Ipsen wrote:
> Hi,
>
> I'm no expert in creating rules - so hopefully someone can help me with this simple one:
>
> I want to assign a negative score for all mails, that has the text
>
> JGH Ref.: xxx

    body     LOCAL_JGH /\bJGH Ref\.: xxx\b/
    describe LOCAL_JGH Has special reference code
    score    LOCAL_JGH -1.0

However, I assume you'll need something other than xxx in there.. Is it numbers? Alphanumeric? Is it always the same length?

Here's a variant assuming it's always a 7-digit number:

    body LOCAL_JGH /\bJGH Ref\.: \d{7}\b/

Here's one assuming a 5-8 digit alphanumeric (underscores allowed too, but no other punctuation)

    body LOCAL_JGH /\bJGH Ref\.: \w{5,8}\b/
Logging/stats
I am using the single user unix installation and version 3.1.0, on a RHEL 3 machine, I am able to get spamassassin to work, but i'm unable to get it to log when it catches things as spam, and when it's clean, i'm wanting to do an mrtg for my users to see how much spam has come to the server. All that is logging under debug mode is attached. I've looked and tried everything i can find but can't figure out how to get those stats to show up.

--
Regards
Chris
RE: lint failure on RDJ for 2nd day.
-----Original Message-----
From: Robert Menschel [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 02, 2005 9:01 PM
To: Martin Hepworth
Cc: users@spamassassin.apache.org
Subject: Re: lint failure on RDJ for 2nd day.

> Hello Martin,
>
> Wednesday, November 2, 2005, 12:57:22 AM, you wrote:
>
> MH> Anyone any idea what rule has the following in it that would cause the RDJ
> MH> lint to fail..
> MH> Lint output: [90183] warn: config: invalid regexp for rule KEZAAM:
> MH> /SecuryTeam Order: missing or invalid delimiters [90183]
> MH> Running SA 3.1.0 ???
>
> The SecuryTeam spam is relatively new, hitting systems just in October.
>
> The problem is with rule KEZAAM. Check your *.cf files that you have installed, and see if that rule is invalid. If you have manually placed a rule with a --lint problem into your directory, that will stop RDJ from applying any changes to any files until your problem is fixed.
>
> MH> Of course the hard way to download the updated rules my self and contact the
> MH> author, but just wondering if anyone has already noticed this..
>
> If it should be a file via RDJ, then that's probably your best bet, since I haven't seen anyone else reporting this problem yet.

On the same note, anyone using the OLD web page for Bigevil and Fred's triplet rule has had enough of a warning that they have moved. I've placed numerous messages. And yesterday changed it so you should get a lint failure.

I suggest everyone make sure they are not using Bigevil anymore, and especially not the old website. Because next week, I'm changing the ruleset, so that any email with a freakin subject will be marked as spam. There have been enough warnings already.

Double check your RDJ scripts to make sure they point to www.rulesemporium.com

--Chris
RE: lint failure on RDJ for 2nd day.
Found it - the KAZEEM rule was hiding in one of local rules files I have

Apologies for the noise..

--
Martin Hepworth
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300
RE: Custom rule
>> Hi,
>>
>> I'm no expert in creating rules - so hopefully someone can help me with this simple one:
>>
>> I want to assign a negative score for all mails, that has the text
>>
>> JGH Ref.: xxx
>
> body     LOCAL_JGH /\bJGH Ref\.: xxx\b/
> describe LOCAL_JGH Has special reference code
> score    LOCAL_JGH -1.0
>
> However, I assume you'll need something other than xxx in there.. Is it numbers? Alphanumeric? Is it always the same length?

The x is numbers - right now, there are 6 digits, but I assume the length could be 5-8 digits..

> Here's a variant assuming it's always a 7-digit number:
>
> body LOCAL_JGH /\bJGH Ref\.: \d{7}\b/
>
> Here's one assuming a 5-8 digit alphanumeric (underscores allowed too, but no other punctuation)
>
> body LOCAL_JGH /\bJGH Ref\.: \w{5,8}\b/

Seems like the one i need .. Thank you very much :-)

Regards,
/Brian
Re: Custom rule
Brian Ipsen wrote:
> The x is numbers - right now, there are 6 digits, but I assume the length could be 5-8 digits..
>
>> Here's a variant assuming it's always a 7-digit number:
>>
>> body LOCAL_JGH /\bJGH Ref\.: \d{7}\b/
>>
>> Here's one assuming a 5-8 digit alphanumeric (underscores allowed too, but no other punctuation)
>>
>> body LOCAL_JGH /\bJGH Ref\.: \w{5,8}\b/
>
> Seems like the one i need .. Thank you very much :-)

That should work fine.. If you want to be more specific you can replace the \w with \d, which will only match numbers, but that's probably not necessary.
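Added example, not part of the thread: a Python check of how the posted patterns behave on constructed subject lines, including the `\d{5,8}` form suggested in the last reply. The `_7D`, `_W58` and `_D58` rule-name suffixes and all sample subjects are made up for this illustration, and Python's `re` stands in for Perl's regex engine, which behaves the same for these patterns.

```python
import re

# Rule lines from the thread. The _7D/_W58 suffixes are added here so the
# variants can be loaded side by side; _D58 is the \d form of the last reply.
RULES = r"""
body LOCAL_JGH_7D   /\bJGH Ref\.: \d{7}\b/
body LOCAL_JGH_W58  /\bJGH Ref\.: \w{5,8}\b/
body LOCAL_JGH_D58  /\bJGH Ref\.: \d{5,8}\b/
"""

RULE_LINE = re.compile(r"^\s*body\s+(\S+)\s+/(.*)/(i?)\s*$")


def load_rules(text):
    """Parse 'body NAME /regex/' lines into {name: compiled pattern}."""
    rules = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            name, pattern, flag = m.groups()
            flags = re.ASCII | (re.IGNORECASE if flag else 0)
            rules[name] = re.compile(pattern, flags)
    return rules


def hits(text, rules):
    """Names of all rules whose pattern is found in text, sorted."""
    return sorted(name for name, rx in rules.items() if rx.search(text))


# Constructed subject lines covering the edge cases discussed in the thread.
SAMPLES = [
    "Re: quote JGH Ref.: 123456 attached",   # 6 digits, as Brian has today
    "JGH Ref.: 1234567",                     # exactly 7 digits
    "JGH Ref.: 1234",                        # too short for every variant
    "JGH Ref.: AB_1234",                     # \w accepts letters and underscore
    "JGH Ref.: 123456789",                   # 9 digits: trailing \b rejects it
    "XJGH Ref.: 123456",                     # leading \b rejects a glued prefix
    "jgh ref.: 123456",                      # no /i modifier, so case matters
]


def evaluate_samples():
    rules = load_rules(RULES)
    return {subject: hits(subject, rules) for subject in SAMPLES}


if __name__ == "__main__":
    for subject, matched in evaluate_samples().items():
        print(f"{subject!r:40} -> {matched}")
```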
Re: trusted_networks and SPF
Mark Martinec wrote:
> According to SA docs on trusted/internal_networks, the MSA is to be included in the trusted_networks list, and not in internal_networks.
>
> Now the question. A mail submitted to MSA from an external authenticated client (which also happens to be DUL-listed) uses a sender address of our domain (as it should be, according to SPF docs). The SPF check (as done by SA) submits this foreign IP address to SPF, which naturally claims it is a forgery. This is clearly wrong, the IP address submitted to SPF should be that of MSA, or SPF check should be skipped altogether.
>
> MSA listed in x_networks:
>
>   trusted  internal
>      0        0      SPF ok, no DUL hit
>      0        1      SPF ok, no DUL hit
>      1        0      SPF fails, no DUL hit
>      1        1      SPF fails, DUL hits

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4661

Until a patch is made available a workaround is to use SMTP/POP-auth to extend the trusted_networks to all authenticated users (and not use a separate list of hosts in internal_networks).

Daryl
Re: Outsource my mail?
Michele Neylon:: Blacknight.ie wrote:
> Since everybody else is plugging themselves ...
>
> <shameless plug>
> All our linux hosting plans come with mail filtering, so you can easily put your mail with us and your site elsewhere.
>
> Alternatively we have a pure email filtering solution with web-based frontend to manage your quarantine, blacklists and whitelists
> </shameless plug>

I suggest putting all these links on the wiki. This way people don't need to search the archives (and if the question is asked again, a pointer would suffice).

and if someone has the courage to devise a comparison matrix... (neutral if possible)
Re: Outsource my mail?
mouss wrote:
> and if someone has the courage to devise a comparison matrix... (neutral if possible)

Finding a neutral 3rd party to do a comparison matrix would be difficult, but interesting

--
Mr Michele Neylon
Blacknight Solutions
http://www.blacknight.ie/
Gmail address listed on spamcop
FYI

Just had a report from a user regarding http://www.spamcop.net/w3m?action=checkblockip=66.249.82.205

64.233.185.27 is an mx ( 5 ) for xproxy.gmail.com
64.233.185.27 is an mx ( 5 ) for gmail.com

That could be affecting quite a lot of people...

D
Re: Gmail address listed on spamcop
Dallas L. Engelken wrote:
> FYI
>
> Just had a report from a user regarding http://www.spamcop.net/w3m?action=checkblockip=66.249.82.205
>
> 64.233.185.27 is an mx ( 5 ) for xproxy.gmail.com
> 64.233.185.27 is an mx ( 5 ) for gmail.com
>
> That could be affecting quite a lot of people...

This was inevitable

The amount of junk being sent out from gmail is worrying and their methods of dealing with reports to abuse@ were bound to result in listings in DNSBLs

--
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59 9164239
Re: Gmail address listed on spamcop
Dallas L. Engelken wrote:
> FYI
>
> Just had a report from a user regarding http://www.spamcop.net/w3m?action=checkblockip=66.249.82.205
>
> 64.233.185.27 is an mx ( 5 ) for xproxy.gmail.com
> 64.233.185.27 is an mx ( 5 ) for gmail.com
>
> That could be affecting quite a lot of people...
>
> D

Lower down, see:

    In the past 81.7 days, it has been listed 24 times for a total of 19.9 days

So for the last 3 months, it has been listed 25% of the time...

Chris
RE: HUGE bayes DB (non-sitewide) advice?
>>>> As a result of this, however, we are currently burdened with an 8GB(! yep, you read it right) bayes database (more than 20K users having mail delivered).
>>>
>>> Consider using bayes_expiry_max_db_size in conjunction with bayes_auto_expire
>>
>> Using? So you are saying you use non-sitewide bayes but you limit your max DB size to something much smaller than the default? Care to share your settings?
>
> No, I use sitewide bayes.
>
>> We left these at their defaults (not unintentionally). If we have 20K users, the default max of 150,000 tokens at roughly 8MB comes out to 160GB. We have the disk space, but just not sure if we have the tuning it would take to handle a DB of that size. What I am looking for is tuning help or other ideas on how to achieve some reasonable level of bayes personalization without drowning our DB resources.
>
> For optimum performance you probably want the bayes database to fit into RAM, along with all of your spamassassin objects and anything else on the server. You might consider buying a dedicated Bayes DB server with 4 GB of RAM, and cutting bayes_expiry_max_db_size in half. That should do it.

That should do it today (actually, the database is now 9GB), but not when it has grown to 160GB. I appreciate the tips, but what I am looking for is MySQL tuning advice and thoughts/ideas/other approaches to having at least somewhat personalized Bayes stores for well over 20K users. *SOMEONE* out there has to be doing something like this, no???

> If the DB fits into RAM, the SQL engine should be able to make transactional changes in RAM and lazily spool them to the disk without forcing other transactions to wait.
Re: Outsource my mail?
Michele Neylon :: Blacknight.ie wrote:
> Finding a neutral 3rd party to do a comparison matrix would be difficult, but interesting

well, someone may start, and then the page gets reviewed until some level of agreement is reached...
Wristwatches and chronometers
Has anyone developed a rule for the current onslaught of wristwatch spam? Thanks in advance, -steve-
Re: Gmail address listed on spamcop
... Dallas L. Engelken just wrote:
> FYI
>
> Just had a report from a user regarding http://www.spamcop.net/w3m?action=checkblockip=66.249.82.205
>
> 64.233.185.27 is an mx ( 5 ) for xproxy.gmail.com
> 64.233.185.27 is an mx ( 5 ) for gmail.com
>
> That could be affecting quite a lot of people...
>
> D

I just saw a batch of spam sent by permissionplace.com/DirectoryNET on behalf of Conde Nast that was sent from a gmail account. A quick check shows that permissionplace.com is already on URIBL [black] - Maybe they should be grey, but the mail was not CAN-SPAM compliant and no one at my site getting it has any subscriptions to any of their (i.e. Conde Nast) magazine, including me; I got sent spam (caught by SA) to a scraped address, and the last time I subscribed to any of their magazines was over three years ago (i.e. no existing relationship).

While gmail has problems, it probably shouldn't get listed, and *maybe* permissionplace.com should be grey, but DirectoryNET.com should probably be listed also. A check of their web site claims that all addresses are opt-in, but also claims that they can find and match email addresses to other data to let their clients reach their own customers (doesn't sound like opt-in). Definitely main-sleaze category. Oh yeah, and they don't seem to answer the telephone:/

Paul Shupak
[EMAIL PROTECTED]
Re: HUGE bayes DB (non-sitewide) advice?
On Friday, 4. November 2005 21:04 email builder wrote:
> *SOMEONE* out there has to be doing something like this, no???

I would be interested in that, too.

mfg zmi
--
// Michael Monnerie, Ing.BSc --- it-management Michael Monnerie
// http://zmi.at Tel: 0660/4156531 Linux 2.6.11
// PGP Key: lynx -source http://zmi.at/zmi2.asc | gpg --import
// Fingerprint: EB93 ED8A 1DCD BB6C F952 F7F4 3911 B933 7054 5879
// Keyserver: www.keyserver.net Key-ID: 0x70545879
resolve URI domain to IP and match that?
after a wave of spam mails two days ago, today there was a new wave advertising a different URI that resolves to the same IP.

is there a built in possibility in SA (3.0.4) to resolve a URI's domain to an IP and match that against a known IP, let's say 1.2.3.4 and thus score any hostname/domain that resolves to that IP?

cheers,
wolfgang
RE: resolve URI domain to IP and match that?
wolfgang wrote:
> after a wave of spam mails two days ago, today there was a new wave advertising a different URI that resolves to the same IP.
>
> is there a built in possibility in SA (3.0.4) to resolve a URI's domain to an IP and match that against a known IP, let's say 1.2.3.4 and thus score any hostname/domain that resolves to that IP?

A URI black list by IP address, with name resolution?

It sounds to me like the potential for false positives on such a thing would be very high.

--
Matthew.van.Eerde (at) hbinc.com 805.964.4554 x902
Hispanic Business Inc./HireDiversity.com
Software Engineer
Re: resolve URI domain to IP and match that?
In an older episode (Saturday, 5. November 2005 01:23), [EMAIL PROTECTED] wrote:
> wolfgang wrote:
>> after a wave of spam mails two days ago, today there was a new wave advertising a different URI that resolves to the same IP.
>>
>> is there a built in possibility in SA (3.0.4) to resolve a URI's domain to an IP and match that against a known IP, let's say 1.2.3.4 and thus score any hostname/domain that resolves to that IP?
>
> A URI black list by IP address, with name resolution?

Nope, my idea is something like a local rule/plugin(?) that resolves a URI's host/domain to an IP and afterwards checks for a known hand-picked IP also included in the local rule. And I am wondering if/how that might be possible.

> It sounds to me like the potential for false positives on such a thing would be very high.

Agreed.

cheers,
wolfgang
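Added example, not part of the thread and not a SpamAssassin plugin: a standalone Python sketch of the check wolfgang describes (extract URI hosts, resolve them, compare against a hand-picked IP list). The function names, the `.example` hosts and the lookup table are constructed; `1.2.3.4` is the placeholder IP from the post, and the `small-shop.example` entry shows the shared-hosting false positive raised in the reply.

```python
import re
import socket
from urllib.parse import urlsplit

URI_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def uri_hosts(body):
    """Return the distinct host names of all http(s) URIs in a message body."""
    hosts = set()
    for uri in URI_RE.findall(body):
        try:
            # strip sentence punctuation that the regex swallowed
            host = urlsplit(uri.rstrip(".,;:!?)")).hostname
        except ValueError:      # malformed authority, e.g. broken IPv6 brackets
            continue
        if host:
            hosts.add(host.rstrip("."))
    return sorted(hosts)


def system_resolver(host):
    """Live lookup: all IPv4 addresses for host, empty set on failure."""
    try:
        return set(socket.gethostbyname_ex(host)[2])
    except OSError:
        return set()


def hosts_on_listed_ips(body, listed_ips, resolve=system_resolver):
    """Map each URI host that resolves to a hand-picked IP to the IPs it hit."""
    listed = set(listed_ips)
    hits = {}
    for host in uri_hosts(body):
        matched = resolve(host) & listed
        if matched:
            hits[host] = sorted(matched)
    return hits


# Constructed data: 1.2.3.4 is the placeholder IP used in the post; the
# .example names and this lookup table stand in for real DNS answers.
FAKE_DNS = {
    "first-wave.example": {"1.2.3.4"},
    "second-wave.example": {"1.2.3.4", "192.0.2.11"},
    "small-shop.example": {"1.2.3.4"},   # unrelated site on the same shared host
    "elsewhere.example": {"198.51.100.7"},
}
SAMPLE_BODY = """Order now at http://second-wave.example/buy?id=7.
Unsubscribe: HTTP://Elsewhere.example/u
See also <http://small-shop.example/>"""


def demo():
    """Run the check on the constructed message with the offline lookup table."""
    return hosts_on_listed_ips(SAMPLE_BODY, ["1.2.3.4"],
                               resolve=lambda h: FAKE_DNS.get(h, set()))


if __name__ == "__main__":
    for host, ips in demo().items():
        print(f"{host} resolves to listed IP(s): {', '.join(ips)}")
```

With the default `system_resolver` every URI host in every message costs a live DNS query, so a production version would need caching and a lookup timeout.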