Re: Couple of newbie questions... (repost)
Philip Prindeville wrote:
> Matt Kettler wrote:
>
>> Philip Prindeville wrote:
>>
>> Philip will get no further help from me until he modifies his ACLs.
>>
>> Final-Recipient: rfc822; <[EMAIL PROTECTED]>
>> Action: failed
>> Status: 5.1.0 MAIL FROM: <[EMAIL PROTECTED]> 550 REPLY:
>> 550_5.0.0_This_provider_is_blacklisted
>>
>> Sorry, I don't help people who block off entire email domains
>> containing millions of users and then request help on a global
>> mailing list.
>
> And I don't accept email from carriers that have a policy of not
> investigating external spam complaints.
>
> When Comcast researches complaints from outside sources that
> their users are a spam source (and not just complaints from others
> of their own subscribers) then I'll stop blocking them.

While I can understand that, and I'm certainly no fan of comcast's incident handling, do realize that you won't get any help from me as long as you're blocking comcast.

In general I view blanket blocklisting of a large-scale ISP domain as a method of last resort reserved for ISPs with truly egregious problems.

Also realize that nearly all of your comcast spam problems do not have comcast email addresses as a return-path, and do not come through comcast's smarthosts. They come direct from end-user nodes with your typical spammer random return-path.

So while blocking email with a comcast.net return-path is a good protest against the ISPs policies, it's going to do very little to aid your spam problems. Make sure you're using a DUL RBL or blocking by RDNS of the delivering IP, that will be considerably more effective against spam.
Re: Whitelist misunderstanding regarding performance
On Sat, 04 Feb 2006 11:22:59 -0500, you wrote:

>Eric Carlson wrote:
>> SA 3.0.2 on FC3. I added a whitelist_from entry for the local domain
>> in local.cf and understood it would add -100 to the score. The problem
>> is performance of mantis, our bugtracker, which sends email for each
>> action. Turns out SA is still scanning each mail where I really wanted
>> it to just ignore it totally. Is this possible please?
>
>SA does not support any "bail out of scan" features at present. Even if
>SA did have the feature (which is planned for a future release), you'd
>still have a lot of overhead because SA would not know this rule hit
>until after it had already parsed all the message headers.
>
>The best way to do this (and the only way right now) is to avoid calling
>SA in the first place. Depending on how you call SA this could be fairly
>easy (ie: if you use procmail, you can use a procmail rule to only scan
>some messages)

Hi, and sincere thanks for your help. I think I'm getting it now. The problem is this is a hosted QMail installation and I really wouldn't know how to apply a rule similar to the procmail one - any quick pointers please?

>Also - warning DO NOT use whitelist_from on your localdomain. This rule
>is subject to being easily forged, and many spammers intentionally forge
>a From: address in your domain to try to take advantage of this. In
>general use whitelist_from_rcvd for whitelisting where-ever possible.

Ok, sounds right. The thing about the emails I know I don't want to filter is they originate from localhost, i.e. mantis the bugtracker and jive forums etc. Is that a smarter way to detect mail which shouldn't be scanned?

--
ec
Problem with bayes
Hi all,

I have a problem with a Bayes. I've upgraded perl-5.8.5 to 5.8.7 then portupgrade of p5-Mail-Spamassassin was done. After sa-learn and restart I lost bayes marks in mail messages.

I have a following strings in a local.cf:

use_bayes 1
bayes_path /usr/local/mail/spamassassin/bayes
bayes_auto_learn 0
bayes_file_mode 0770

Also

# ls -l /usr/local/mail/spamassassin/
total 5504
-rw-rw-rw- 1 spamd spamd 7644 Feb 6 10:58 bayes.mutex
-rw-rw 1 spamd spamd 4296 Feb 6 15:34 bayes_journal
-rw-rw-rw- 1 spamd spamd 196608 Feb 6 10:58 bayes_seen
-rw-rw-rw- 1 spamd spamd 2473984 Feb 6 10:58 bayes_toks
-rw-rw 1 spamd spamd 2179072 Dec 23 10:04 bayes_toks.expire27736
-rw-rw 1 spamd spamd 1196032 Dec 23 10:04 bayes_toks.expire27744
-rw-r--r-- 1 root spamd 108 Feb 6 14:32 razor-agent.log

What may be wrong?

Thanks,
Kryol

P.S. Also I attach the result of spamassassin -D --lint in file test.out

eph1# spamassassin -D --lint --siteconfigpath=/usr/local/etc/mail/spamassassin
[10753] dbg: logger: adding facilities: all
[10753] dbg: logger: logging level is DBG
[10753] dbg: generic: SpamAssassin version 3.1.0
[10753] dbg: config: score set 0 chosen.
[10753] dbg: util: running in taint mode? yes
[10753] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[10753] dbg: util: PATH included '/sbin', keeping
[10753] dbg: util: PATH included '/bin', keeping
[10753] dbg: util: PATH included '/usr/sbin', keeping
[10753] dbg: util: PATH included '/usr/bin', keeping
[10753] dbg: util: PATH included '/usr/games', keeping
[10753] dbg: util: PATH included '/usr/local/sbin', keeping
[10753] dbg: util: PATH included '/usr/local/bin', keeping
[10753] dbg: util: PATH included '/usr/X11R6/bin', which doesn't exist, dropping
[10753] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[10753] dbg: util: final PATH set to: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
[10753] dbg: dns: is Net::DNS::Resolver available? yes
[10753] dbg: dns: Net::DNS version: 0.55
[10753] dbg: dns: name server: xxx.xxx.xxx.xxx, family: 2, ipv6: 0
[10753] dbg: diag: perl platform: 5.008007 freebsd
[10753] dbg: diag: module installed: Digest::SHA1, version 2.11
[10753] dbg: diag: module installed: MIME::Base64, version 3.07
[10753] dbg: diag: module installed: HTML::Parser, version 3.48
[10753] dbg: diag: module installed: DB_File, version 1.811
[10753] dbg: diag: module installed: Net::DNS, version 0.55
[10753] dbg: diag: module installed: Net::SMTP, version 2.29
[10753] dbg: diag: module installed: Mail::SPF::Query, version 1.997
[10753] dbg: diag: module installed: IP::Country::Fast, version 309.002
[10753] dbg: diag: module installed: Razor2::Client::Agent, version 2.77
[10753] dbg: diag: module installed: Net::Ident, version 1.20
[10753] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[10753] dbg: diag: module installed: IO::Socket::SSL, version 0.97
[10753] dbg: diag: module installed: Time::HiRes, version 1.66
[10753] dbg: diag: module not installed: DBI ('require' failed)
[10753] dbg: diag: module installed: Getopt::Long, version 2.34
[10753] dbg: diag: module installed: LWP::UserAgent, version 2.033
[10753] dbg: diag: module installed: HTTP::Date, version 1.46
[10753] dbg: diag: module not installed: Archive::Tar ('require' failed)
[10753] dbg: diag: module not installed: IO::Zlib ('require' failed)
[10753] dbg: ignore: using a test message to lint rules
[10753] dbg: config: using "/usr/local/etc/mail/spamassassin" for site rules pre files
[10753] dbg: config: read file /usr/local/etc/mail/spamassassin/init.pre
[10753] dbg: config: read file /usr/local/etc/mail/spamassassin/v310.pre
[10753] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files
[10753] dbg: config: using "/usr/local/share/spamassassin" for default rules dir
[10753] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf
[10
FW: META: [EMAIL PROTECTED]: Norman De Forest - sad news]
This is extremely sad news. Those that dealt with Norman, know what a great help he was. He will be greatly missed.

Posted to SPAM-L

- Forwarded message from Ant <[EMAIL PROTECTED]> -

> From: Ant <[EMAIL PROTECTED]>
> Newsgroups: alt.comp.virus,news.admin.net-abuse.email
> Subject: Norman De Forest - sad news
> Date: Fri, 3 Feb 2006 20:55:27 -
>
> "It is with great sadness that we announce the passing away of
> Norman De Forest ... In poor health and living in extreme poverty,
> Norman's mind was rarely fettered by his circumstances and he quite
> literally has helped thousands of people, both through Chebucto and
> the internet and in real life. Like most truly generous people, he
> kept his charity to himself and it is likely nobody alive knows the
> true extent of his caring..."
>
> http://beacon.chebucto.info/news.shtml
>
- End forwarded message -
Generate stats
How do I generate stats on Spam Assassin? Percentages and things.

Thanks for the help
Ben
Re: Pump and Dump SARE rules
On Sunday 05 February 2006 17:41, Doc Schneider wrote:
> Chris Santerre wrote:
> > > -Original Message-
> > > From: Doc Schneider [mailto:[EMAIL PROTECTED]
> > > Sent: Friday, January 27, 2006 5:14 PM
> > > To: users@spamassassin.apache.org
> > > Subject: Pump and Dump SARE rules
> > >
> > > http://rulesemporium.com/rules/70_sare_stocks.cf
> > >
> > > Is the latest addition to the SARE rule sets.
> > >
> > > -Doc (SARE Ninja)
> >
> > This has to be the MOST test ruleset of any SARE release. :) If you
> > guys only knew how long Doc and the other SARE ninjas have been working
> > on this set. I think a giant *sigh* of relief can be heard throughout
> > the lands.
> >
> > Please give feedback. And this set will be continually updated.
> >
> > --Chris
>
> I just updated this ruleset with some new rules and also added in the
> counts for the scoring.
>
> Also updated http://www.rulesemporium.com/rules.htm adding this new set
> to it.
>
> And please if anyone is using this set let us know we like feedback!
>
> -Doc (SARE Ninja)

I've been using it, and it seems well worth while. From today's logfile (the first column is its ranking in the rules hit in spam and the last is the hit count):

 35 SARE_MLH_Stock1    159.000
 38 SARE_MLB_Stock1    130.000
 66 SARE_LWSHORTT       90.000
 72 SARE_MLB_Stock2     76.000
 86 SARE_RMML_Stock24   51.000
 96 SARE_LW1933         43.000
 98 SARE_LWSYMFMT       43.000
111 SARE_MLB_Stock5     36.000

Thanks for your efforts!

--
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347 FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor racing, all the rest are merely games! - Ernest Hemmingway
Re: Generate stats
On Mon, February 6, 2006 9:49 am, Benjamin Adams wrote:
> how do I generate stats on Spam Assassin?
> percentages and things.

http://www.cynistar.net/~apthorpe/code/sa-contrib/sa-stats.html

Is a good start, others might have some other recommendations.

Evan
RE: Little custom rule
Hi again,

I added them and had to change the 1st "{" in the 1st rule for a "(" in order spamd not to complain about it. Anyway, it doesn't work :(

Thanks anyway

Ruben

> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Monday, 06 February 2006 1:23
> To: users@spamassassin.apache.org
> Subject: Re: Little custom rule
>
> > header __LW_BLAH1 ALL =~
> /\nTo:[^<\n]+<[EMAIL PROTECTED])[^\n]+.*\nSubject:\s*Fw:
> > \1\b/i
> > header __LW_BLAH2 ALL =~ /\nSubject:\s*Fw:
> > (\w+)[^\n]*.*\nTo:[^<\n]+<\1\@/i
> > meta LW_BLAH __LW_BLAH1 || __LW_BLAH2
> > score LW_BLAH 1
>
> I see those lines wrapped. The first 4 lines above are really two lines.
> There is one space after the "Fw:" at the end of those wrapped lines, then
> the stuff on the second line.
>
> Loren
query score for Re: r news 5860 spam
Hi,

I had been attacked by a spam ( http://60.49.100.123/news5860.txt ) in all my mail servers. Surprising it has a 0:0 hit.

X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE,UPPERCASE_25_50
    autolearn=disabled version=3.1.0

What are your scores? Which ruleset do u use to trap this spam?

best regards
Re: Generate stats
I'm running this on Mac OS X, sa-stats is not located on the machine.
I tried installing through perl -MCPAN but it doesn't know what it is
I tried downloading it from spam assassin and running but missing perl additions.
Any other way program?

Ben

On Feb 6, 2006, at 1:18 PM, Evan Platt wrote:

> On Mon, February 6, 2006 9:49 am, Benjamin Adams wrote:
>> how do I generate stats on Spam Assassin?
>> percentages and things.
>
> http://www.cynistar.net/~apthorpe/code/sa-contrib/sa-stats.html
>
> Is a good start, others might have some other recommendations.
>
> Evan
RE: query score for Re: r news 5860 spam
header MY_NEWS Subject =~ /^Re:\s[0-9]*[a-z]*\snews\s[0-9]*[0-9]*[0-9]*[0-9]*/i
score MY_NEWS 6

Ruben

> -Original Message-
> From: Spamassassin List [mailto:[EMAIL PROTECTED]
> Sent: Monday, 06 February 2006 19:56
> To: users@spamassassin.apache.org
> Subject: query score for Re: r news 5860 spam
>
> Hi,
>
> I had been attacked by a spam ( http://60.49.100.123/news5860.txt ) in all
> my mail servers.
> Surprising it has a 0:0 hit.
>
> X-Spam-Status: No, score=0.0 required=5.0
> tests=HTML_MESSAGE,UPPERCASE_25_50
> autolearn=disabled version=3.1.0
>
> What are your scores? Which ruleset do u use to trap this spam?
>
> best regards
RE: query score for Re: r news 5860 spam
I just got one like that a few minutes ago... this is what the log says:

Feb 6 14:05:37 mail spamd[26278]: result: Y 7 - BAYES_95,HTML_90_100,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL

> -Original Message-
> From: Spamassassin List [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 06, 2006 1:56 PM
> To: users@spamassassin.apache.org
> Subject: query score for Re: r news 5860 spam
>
> Hi,
>
> I had been attacked by a spam (
> http://60.49.100.123/news5860.txt ) in all
> my mail servers.
> Surprising it has a 0:0 hit.
>
> X-Spam-Status: No, score=0.0 required=5.0
> tests=HTML_MESSAGE,UPPERCASE_25_50
> autolearn=disabled version=3.1.0
>
> What are your scores? Which ruleset do u use to trap this spam?
>
> best regards
Re: Generate stats
Benjamin Adams <[EMAIL PROTECTED]> wrote on 02/06/2006 12:58:20 PM:

> I'm running this on Mac OS X,
> sa-stats is not located on the machine.
> I tried installing through perl -MCPAN but it doesn't know what it is
> I tried downloading it from spam assassin and running but missing
> perl additions.
> Any other way program?
>
> Ben

From an earlier post by Dallas Engelken:

> SA 3.0.x - http://www.rulesemporium.com/programs/sa-stats.txt
> SA 3.1.x - http://www.rulesemporium.com/programs/sa-stats-1.0.txt

Andy
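Added example (not part of the thread, and not the sa-stats scripts linked above): one way to get "percentages and things" from spamd's syslog output in Python. It assumes the "result:" line layout quoted elsewhere on this page; every sample line except the first is constructed, and the function name is illustrative.

```python
import re
from collections import Counter

# spamd "result:" line. Assumptions: the verdict is "Y" for spam and "." for
# ham, a "spamd: " prefix may follow the PID, and key=value fields such as
# scantime= may trail the rule list.
RESULT = re.compile(
    r"spamd\[\d+\]: (?:spamd: )?result: (?P<verdict>[Y.]) +"
    r"(?P<score>-?\d+(?:\.\d+)?) - ?(?P<rest>.*)$"
)


def spamd_stats(lines):
    """Summarise spamd result lines: counts, spam %, mean scores, rule hits."""
    scores = {"spam": [], "ham": []}
    rules = {"spam": Counter(), "ham": Counter()}
    for line in lines:
        m = RESULT.search(line.rstrip("\n"))
        if m is None:
            continue  # connection notices and other non-result lines
        kind = "spam" if m.group("verdict") == "Y" else "ham"
        scores[kind].append(float(m.group("score")))
        fields = m.group("rest").split()
        # The first field is the comma-separated rule list, unless the
        # message hit no rules and the key=value fields come first.
        if fields and "=" not in fields[0]:
            rules[kind].update(r for r in fields[0].split(",") if r)

    def mean(values):
        return sum(values) / len(values) if values else 0.0

    total = len(scores["spam"]) + len(scores["ham"])
    return {
        "total": total,
        "spam": len(scores["spam"]),
        "spam_pct": 100.0 * len(scores["spam"]) / total if total else 0.0,
        "mean_spam_score": mean(scores["spam"]),
        "mean_ham_score": mean(scores["ham"]),
        "spam_rules": rules["spam"],
        "ham_rules": rules["ham"],
    }


# First line is the one quoted on this page; the rest are constructed.
SAMPLE_LOG = [
    "Feb 6 14:05:37 mail spamd[26278]: result: Y 7 - BAYES_95,HTML_90_100,"
    "HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL",
    "Feb 6 14:06:02 mail spamd[26278]: connection from localhost",
    "Feb 6 14:06:03 mail spamd[26278]: result: . 0 - HTML_MESSAGE "
    "scantime=0.8,size=2048",
    "Feb 6 14:07:10 mail spamd[26301]: spamd: result: Y 12 - BAYES_95,"
    "RCVD_IN_XBL,SARE_MLH_Stock1 scantime=1.9,size=5120",
    "Feb 6 14:08:44 mail spamd[26301]: spamd: result: . -2 - BAYES_00 "
    "scantime=0.5,size=900",
]

if __name__ == "__main__":
    stats = spamd_stats(SAMPLE_LOG)
    print("%d messages, %.1f%% spam" % (stats["total"], stats["spam_pct"]))
    for rank, (rule, hits) in enumerate(stats["spam_rules"].most_common(), 1):
        print("%3d %-24s %d" % (rank, rule, hits))
```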
Re: Generate stats
ok I have the file

next thing, spamd has no log:
I added the following to syslog.conf!

!spamd
daemon.info /var/log/spamd
daemon.debug /dev/null
!*

with this will /var/log/spamd file?
or a directory where I need to pre-create the files for it to start logging?

Thanks For the Help
Ben

On Feb 6, 2006, at 2:29 PM, Andy Jezierski wrote:

> Benjamin Adams <[EMAIL PROTECTED]> wrote on 02/06/2006 12:58:20 PM:
>
> > I'm running this on Mac OS X,
> > sa-stats is not located on the machine.
> > I tried installing through perl -MCPAN but it doesn't know what it is
> > I tried downloading it from spam assassin and running but missing
> > perl additions.
> > Any other way program?
> >
> > Ben
>
> From an earlier post by Dallas Engelken:
>
> > SA 3.0.x - http://www.rulesemporium.com/programs/sa-stats.txt
> > SA 3.1.x - http://www.rulesemporium.com/programs/sa-stats-1.0.txt
>
> Andy
RE: Little custom rule
> I added them and had to change the 1st "{" in the 1st rule for a "(" in

Hum, yes. That should have been a left parend.

>order spamd not to complain about it. Anyway, it doesn't work :(

Could try /is instead of just /i on the end of the regexes, that might help.

The trouble is this sort of rule normally takes a good half hour of fiddling with an example spam before it will hit reliably. I normally write the rule, and when it doesn't work, I have to start taking it apart into pieces until I start getting things to hit, then put it back together until it works.

Loren
RE: Little custom rule
Hi,

It seems it doesn't want to work, it just didn't match this:

From: "rkfexklqc" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Fw: oscarbru

Ruben

> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Monday, 06 February 2006 21:14
> To: Ruben Cardenal; users@spamassassin.apache.org
> Subject: RE: Little custom rule
>
> > I added them and had to change the 1st "{" in the 1st rule for a "(" in
>
> Hum, yes. That should have been a left parend.
>
> >order spamd not to complain about it. Anyway, it doesn't work :(
>
> Could try /is instead of just /i on the end of the regexes, that might
> help.
>
> The trouble is this sort of rule normally takes a good half hour of
> fiddling with an example spam before it will hit reliably. I normally
> write the rule, and when it doesn't work, I have to start taking it apart
> into pieces until I start getting things to hit, then put it back together
> until it works.
>
> Loren
RE: Little custom rule
>It seems it doesn't want to work, it just didn't match this:
>
>From: "rkfexklqc" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Fw: oscarbru

Ah, ok. As I said, it would match names in <> characters, and not one of the dozen or so other valid formats. You have one of those other formats. Try this instead (also untested):

header __LW_BLAH1 ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw: \1\b/i

Loren
RE: Little custom rule
That one works! Thanks :)

Ruben

> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Monday, 06 February 2006 21:52
> To: Ruben Cardenal; users@spamassassin.apache.org
> Subject: RE: Little custom rule
>
> >It seems it doesn't want to work, it just didn't match this:
> >
> >From: "rkfexklqc" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Fw: oscarbru
>
> Ah, ok. As I said, it would match names in <> characters, and not one of
> the dozen or so other valid formats. You have one of those other formats.
> Try this instead (also untested):
>
> header __LW_BLAH1 ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw:
> \1\b/i
>
> Loren
Re: Spamassassin Spam Header
header L_S_SW_LOWPR Subject =~/\bS[o0]ftw[a4]r[e3] At L[o0]w Pr[i1]c[e3]s?\b/i

You have a spurious line wrap above. Join it to the end of the line above so that it will have the "w" followed by the "Pr[". That will help. ALWAYS run "SpamAssassin --lint" when you make a change like that and before you tell spamd to reload.

score L_S_SW_LOWPR 3.0
describe L_S_SW_LOWPR offers software at low price

{^_^}

I think I have a good idea. Each day I move the spam files into the folder .spam. In the night I make a cronjob called this:

0 1 * * * vmail sa-learn --spam /var/opt/vmail/marcus/Maildir/.spam/cur *.*

But I don't know that the command is correct. But he execute it as vmail user and not root. or?

marcus
Isn't numeric in addition ??
Getting a lot of these:

Argument "\0楰." isn't numeric in addition (+) at /usr/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/Bayes.pm line 1337, line 663.

What is this? Thanks in advance.
Re: Isn't numeric in addition ??
Marc Perkel wrote:
> Getting a lot of these:
>
> Argument "\0楰." isn't numeric in addition (+) at
> /usr/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/Bayes.pm line 1337,
> line 663.
>
> What is this?

Usually the "isn't numeric in addition" errors are a severely borked configuration option that you put something non-numeric in where a number belongs.

In this case it looks like a lot of really wild binary data is involved.

Can you run the following command and post the output?

head -n 1340 /usr/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/Bayes.pm |tail -n 5

(note: watch out for word-wrap.. that's a one-line shell command.)

That will basically give us a "snippet" view of the affected code, which can give us an idea what variables are being added so we know where to look for the problem.
Re: Couple of newbie questions... (repost)
Matt Kettler wrote:
> Philip Prindeville wrote:
>> Matt Kettler wrote:
>>> Philip Prindeville wrote:
>>>
>>> Philip will get no further help from me until he modifies his ACLs.
>>>
>>> Final-Recipient: rfc822; <[EMAIL PROTECTED]>
>>> Action: failed
>>> Status: 5.1.0 MAIL FROM: <[EMAIL PROTECTED]> 550 REPLY:
>>> 550_5.0.0_This_provider_is_blacklisted
>>>
>>> Sorry, I don't help people who block off entire email domains
>>> containing millions of users and then request help on a global
>>> mailing list.
>>
>> And I don't accept email from carriers that have a policy of not
>> investigating external spam complaints.
>>
>> When Comcast researches complaints from outside sources that
>> their users are a spam source (and not just complaints from others
>> of their own subscribers) then I'll stop blocking them.
>
> While I can understand that, and I'm certainly no fan of comcast's
> incident handling, do realize that you won't get any help from me as
> long as you're blocking comcast.
>
> In general I view blanket blocklisting of a large-scale ISP domain as a
> method of last resort reserved for ISPs with truly egregious problems.

I guess my last few experiences with Comcast lead me to categorize them as egregious.

> Also realize that nearly all of your comcast spam problems do not have
> comcast email addresses as a return-path, and do not come through
> comcast's smarthosts. They come direct from end-user nodes with your
> typical spammer random return-path.

Right. I believe that most ISP should have outgoing port 25 blocked unless special provisions have been made, but that's my (fascist) point of view.

> So while blocking email with a comcast.net return-path is a good protest
> against the ISPs policies, it's going to do very little to aid your spam
> problems. Make sure you're using a DUL RBL or blocking by RDNS of the
> delivering IP, that will be considerably more effective against spam.

I'm not protesting anything.

I'm refusing to accept email from Comcast until they become better network citizens in the corporate sense.

A lot of ISP's don't provide RDNS for their IP pools... and with the advent of PPPoA and PPPoE, DSL and Cable subscribers can have addresses change in a matter of hours (as opposed to staying current for weeks at a time which happens with DHCP, since you can continue to renew your current allocation)... just as it does for dialup users when they hang up and redial.

So my experience is that blocking based on rDNS is a waste of time, and a lot of people on the mimedefang mailing list agree with that.

-Philip
Re: Couple of newbie questions... (repost)
Philip Prindeville wrote:
>
> I'm not protesting anything.

So blocking Comcast is not a public gesture of disapproval?

http://dictionary.reference.com/search?q=protest

noun definition 2: "An individual or collective gesture or display of disapproval."

> I'm refusing to accept email from Comcast until they become
> better network citizens in the corporate sense.

Not all protests involve people with signs standing in the street.

> A lot of ISP's don't provide RDNS for their IP pools... and with the advent
> of PPPoA and PPPoE, DSL and Cable subscribers can have addresses
> change in a matter of hours (as opposed to staying current for weeks at a
> time which happens with DHCP, since you can continue to renew your
> current allocation)... just as it does for dialup users when they hang up
> and redial.
>
> So my experience is that blocking based on rDNS is a waste of time,
> and a lot of people on the mimedefang mailing list agree with that.

I hate to say it, but blocking based on return-path is an even greater waste of time. Return-paths are readily forged.

While I'll agree that RDNS blocking isn't the greatest tool in the world, it's certainly thousand times more useful in spam blocking than return-path.
Re: Couple of newbie questions... (repost)
Philip,

Methinks that's a very silly policy. You aren't hurting Comcast an iota; but you sure are penalizing yourself, your users, and their email contacts. A properly configured SA box will block spam from Comcast subscribers as well as from anyone else so I don't see what you are trying to accomplish.

IMHO, blocking entire ISP domains makes you part of the problem and not part of the solution...

Then again.. you might be the only user on your system; in which case ... who cares!

RO
Re: Couple of newbie questions... (repost)
Matt Kettler wrote:
>> So my experience is that blocking based on rDNS is a waste of time,
>> and a lot of people on the mimedefang mailing list agree with that.
>
> I hate to say it, but blocking based on return-path is an even greater
> waste of time. Return-paths are readily forged.
>
> While I'll agree that RDNS blocking isn't the greatest tool in the world, it's
> certainly thousand times more useful in spam blocking than return-path.

And in case that doesn't make sense to you, consider this.

I have a half dozen spams in my inbox today which were sent by comcast.net PCs (I get very few because I greylist all comcast end-user nodes).. Zero of these spam mails have a comcast.net email address as the return.

I'd suggest checking your own mail.

Consider this porn spam:

Return-Path: <[EMAIL PROTECTED]>
Received: from bgp01061386bgs.taylor01.mi.comcast.net (bgp01061386bgs.taylor01.mi.comcast.net [68.40.7.208])
    by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id jBRAKsEn012564
    for <[EMAIL PROTECTED]>; Tue, 27 Dec 2005 05:21:12 -0500

If you're blocking by email address in the return-path only you're not protecting yourself at all from the bulk of the spam sent by infected comcast end-users.

Keep your return-path block in place if you like, it will wind up blocking spam forging comcast addresses sent from other networks. However, I suspect you'll find that hostname is considerably more effective here. It will certainly be more effective at eliminating spam emanated by infected PCs in comcast's network.

Also, comcast's cablemodem users are the biggest problem, as they're readily infected by viruses. Comcast is usually fairly good about having RDNS for all these.
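Added example (not part of the thread): the comparison made in the message above, return-path domain versus the relay hostname recorded in the Received header, run in Python over the header sample quoted there. The return-path and recipient addresses and the second and third messages are constructed, and the function names are illustrative.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sendmail-style from-clause: "from HELO (rdns [ip])" or "from HELO ([ip])".
FROM_CLAUSE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+"
    r"\((?:(?P<rdns>[^\s\[\]()]+)\s+)?\[(?P<ip>[0-9A-Fa-f:.]+)\]"
)


def in_domain(name, domain):
    """True if name is the domain or a subdomain of it, not a mere suffix."""
    name, domain = name.lower().rstrip("."), domain.lower()
    return name == domain or name.endswith("." + domain)


def delivering_relay(msg):
    """Parse the topmost Received header, the one our own server added.

    Received headers further down were written by other hosts and can be
    forged, so only the first one is used.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = FROM_CLAUSE.match(" ".join(received[0].split()))  # unfold first
    if m is None:
        return None
    return {"helo": m.group("helo"), "rdns": m.group("rdns"), "ip": m.group("ip")}


def return_path_domain(msg):
    address = parseaddr(msg.get("Return-Path", ""))[1]
    return address.rpartition("@")[2].lower()


def matches(raw_message, domain):
    """Return (return_path_hit, relay_rdns_hit) for one raw message."""
    msg = message_from_string(raw_message)
    rp = return_path_domain(msg)
    relay = delivering_relay(msg)
    rdns = relay["rdns"] if relay else None
    return (bool(rp) and in_domain(rp, domain),
            bool(rdns) and in_domain(rdns, domain))


# Received header from the message above; both addresses are constructed.
DIRECT_FROM_SUBSCRIBER = (
    "Return-Path: <bounce@example.org>\n"
    "Received: from bgp01061386bgs.taylor01.mi.comcast.net\n"
    " (bgp01061386bgs.taylor01.mi.comcast.net [68.40.7.208])\n"
    " by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id jBRAKsEn012564\n"
    " for <user@example.com>; Tue, 27 Dec 2005 05:21:12 -0500\n"
    "Subject: constructed\n\nbody\n"
)
# Constructed: forged comcast.net return-path, sent from another network.
FORGED_FROM_ELSEWHERE = (
    "Return-Path: <someone@comcast.net>\n"
    "Received: from mail.example.net (mail.example.net [192.0.2.10])\n"
    " by mx.example.com with ESMTP; Tue, 27 Dec 2005 06:00:00 -0500\n"
    "Subject: constructed\n\nbody\n"
)
# Constructed: the delivering IP has no reverse DNS at all.
NO_RDNS = (
    "Return-Path: <x@example.org>\n"
    "Received: from localhost ([198.51.100.7])\n"
    " by mx.example.com with SMTP; Tue, 27 Dec 2005 06:30:00 -0500\n"
    "Subject: constructed\n\nbody\n"
)

if __name__ == "__main__":
    for label, raw in [("direct from subscriber", DIRECT_FROM_SUBSCRIBER),
                       ("forged return-path", FORGED_FROM_ELSEWHERE),
                       ("no rDNS", NO_RDNS)]:
        by_return_path, by_rdns = matches(raw, "comcast.net")
        print("%-24s return-path hit: %-5s relay rDNS hit: %s"
              % (label, by_return_path, by_rdns))
```

The third message shows the limit raised elsewhere in the thread: when the delivering address has no reverse DNS, a hostname rule has nothing to match.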
Re: Couple of newbie questions... (repost)
Matt Kettler wrote:
> Philip Prindeville wrote:
>> I'm not protesting anything.
>
> So blocking Comcast is not a public gesture of disapproval?
>
> http://dictionary.reference.com/search?q=protest
>
> noun definition 2: "An individual or collective gesture or display of
> disapproval."

No, it's an effective counter-measure to spam.

>> I'm refusing to accept email from Comcast until they become
>> better network citizens in the corporate sense.
>
> Not all protests involve people with signs standing in the street.

Why should I attempt to triage messages from them into spam and non-spam categories, if they aren't going to make any use of that effort by investigating the spam complaints?

I will work with them when they're ready to work with me.

>> A lot of ISP's don't provide RDNS for their IP pools... and with the advent
>> of PPPoA and PPPoE, DSL and Cable subscribers can have addresses
>> change in a matter of hours (as opposed to staying current for weeks at a
>> time which happens with DHCP, since you can continue to renew your
>> current allocation)... just as it does for dialup users when they hang up
>> and redial.
>>
>> So my experience is that blocking based on rDNS is a waste of time,
>> and a lot of people on the mimedefang mailing list agree with that.
>
> I hate to say it, but blocking based on return-path is an even greater
> waste of time. Return-paths are readily forged.

Which is why I block on incoming IP addresses. It's an artifact of Sendmail to not generate an error response until the MAIL FROM: has been seen...

> While I'll agree that RDNS blocking isn't the greatest tool in the world, it's
> certainly thousand times more useful in spam blocking than return-path.

Perhaps, but I'm not doing anything with Return-paths. Telnet to my server and check for yourself.

-Philip
Re: Couple of newbie questions... (repost)
Richard Ozer wrote:
> Philip,
>
> Methinks that's a very silly policy. You aren't hurting Comcast an
> iota; but you sure are penalizing yourself, your users, and their email
> contacts. A properly configured SA box will block spam from Comcast
> subscribers as well as from anyone else so I don't see what you are
> trying to accomplish.

I am my users, for the most part. I run a small start-up company and run the mail server here. I have no regular correspondents that are Comcast subscribers, outside of the occasional respondent from a mailing list such as Matt.

As for properly configured SA... Well, maybe I'm lacking technical competence and going for the low-hanging fruit, then. Spam does occasionally get in, and I will report it to the provider if I believe for an instant that they will investigate it in good faith.

Yes, I block Comcast. I also block ALL of these Japanese, Thai, Chinese (Chicom only), Korean, Singaporean, New Zealander, Romanian, Italian, Polish, ... (get the idea) network addresses that I was able to deduce through CIDR block inferences.

I.e. any provider or country that doesn't have an institutional policy of prosecuting spam senders...

BTW: A finer point is that I block Comcast USER IP addresses. If Comcast has mail servers that have a separate address block (and most ISP's do) and users send their outgoing email through their provider's relay, then I will happily accept those messages. I will not accept email coming from the subscriber IP address blocks, however.

> IMHO, blocking entire ISP domains makes you part of the problem and not
> part of the solution...

I'm not generating spam, so I fail to see the equivalence. Nor am I providing a relay or other "safe haven" for spammers.

It's a nice platitude, but doesn't bear up to scrutiny. It smacks of a sort of "us" and "them" mentality.

In addition to "us" and "them", there's also "everyone else".

> Then again.. you might be the only user on your system; in which case
> ... who cares!

Exactly. You've come around to my point of view.

-Philip

> RO
[OT] SpamAssassin Developer for Hire
I am currently seeking employment for 8 or 9 weeks in May and June 2006.[1] I would greatly enjoy working for a company involved in the anti-spam / e-mail security industry, especially if it would allow me to use or contribute to the Apache SpamAssassin project.

As you may know, I've been a SpamAssassin developer since 2002, although I have contributed little recently -- being at school full-time seems to get in the way of that. Last summer, I worked for IronPort Systems as an Anti-Spam Developer and I greatly enjoyed the experience.

I am located in Toronto, Ontario (Canada) and/or Kingston, Ontario, and I am not eager to relocate for such a short term. I would be interested in working in either of these two cities or the surrounding areas, or remotely.[2]

If your company would be interested in hiring a highly motivated and skilled young computer programmer with extensive experience in the anti-spam industry, I would love to hear from you. I realize that this is a rather short period of time, but I am confident I could tackle a sizeable project in this time frame.

My resume is available online at the following address:
http://people.apache.org/~duncf/DuncanFindlay.pdf

Please feel free to forward this message to anyone that may be interested. References are available on request.

Thank you,
Duncan Findlay

[1] More precisely, I'd like to work May, June and the first little bit of July. I am going to be travelling in Europe for the last half of the summer, from mid-July to the end of August.

[2] Some travel, on the other hand, would be perfectly fine. I just do not want to deal with the hassles of finding somewhere to live, furnishings, etc. for a short period. If this were a permanent job, I would be happy to relocate.
Re: Couple of newbie questions... (repost)
Philip Prindeville wrote:
> I.e. any provider or country that doesn't have an institutional policy
> of prosecuting spam senders...

Erm, so you're going to block all of the US, correct?

> BTW: A finer point is that I block Comcast USER IP addresses. If
> Comcast has mail servers that have a separate address block (and most
> ISP's do) and users send their outgoing email through their provider's
> relay, then I will happily accept those messages. I will not accept
> email coming from the subscriber IP address blocks, however.

No Philip, you currently block comcast SERVER addresses. I use comcast's relays. I do NOT direct deliver. My message sent directly to you bounced.

Earlier I suggested you should do this, and you essentially blew me off. Now you're trying to claim this is the configuration you use, when evidence suggests otherwise.

>> IMHO, blocking entire ISP domains makes you part of the problem and
>> not part of the solution...
>> Then again.. you might be the only user on your system; in which case
>> ... who cares!
>
> Exactly. You've come around to my point of view.

I agree. I only care to the extent that I refuse to offer free tech help to those that block my ISP. *shrug*
Re: Couple of newbie questions... (repost)
Philip Prindeville wrote:

> As for properly configured SA... Well, maybe I'm lacking technical competence and going for the low-hanging fruit, then.

Refusing help from Matt Kettler sure rules out getting a lot of that low-hanging fruit.

Daryl
Re[2]: spam still isn't being caught much.
Hello Brian,

Sunday, February 5, 2006, 4:52:00 AM, you wrote:

BSM> If I use spamassassin -D --lint then it reveals that I'm at 3.0.2
BSM> I have posted the x-spam-status from 15 messages at
BSM> http://www.meehanontheweb.com/xspamstatus.txt
BSM> (the "software_spam_rule", which looks for 'software' in the subject, is
BSM> one I wrote in local.cf)
BSM> Autolearn sometimes says "failed" but most often says "no".
BSM> Sans rules, here is what I have in local.cf:

Sans rules? What rules do you have in local.cf?

When you do a spamassassin --lint (no -D for this test), do you get any error messages? An error in custom rules could contribute to the problems you're having.

Bob Menschel
Re: Couple of newbie questions... (repost)
Matt Kettler wrote:

> Philip Prindeville wrote:
>
>> I.e. any provider or country that doesn't have an institutional policy of prosecuting spam senders...
>
> Erm, so you're going to block all of the US, correct?

No. We have laws against spam that hopefully most legitimate ISP's attempt to conform to.

>> BTW: A finer point is that I block Comcast USER IP addresses. If Comcast has mail servers that have a separate address block (and most ISP's do) and users send their outgoing email through their provider's relay, then I will happily accept those messages. I will not accept email coming from the subscriber IP address blocks, however.
>
> No Philip, you currently block comcast SERVER addresses. I use comcast's relays. I do NOT direct deliver. My message sent directly to you bounced.

Then I've not deduced what addresses are used for users and which block is allocated to servers...

> Earlier I suggested you should do this, and you essentially blew me off. Now you're trying to claim this is the configuration you use, when evidence suggests otherwise.

You said that I was blocking based on Return-path:'s, and your argument was predicated on that.

I don't block on Return-path's, as I've hopefully made clear.

It's possible that the addresses that I block include both server and user addresses and that I've not partitioned correctly.

Do you have a complete list of IP CIDR blocks used by Comcast, or know where they can be found?

I'm not sure I trust their SPF records... (actually, I doubt that they allow zone transfers anyway)

-Philip

>>> IMHO, blocking entire ISP domains makes you part of the problem and not part of the solution...
>>> Then again.. you might be the only user on your system; in which case ... who cares!
>>
>> Exactly. You've come around to my point of view.
>
> I agree. I only care to the extent that I refuse to offer free tech help to those that block my ISP. *shrug*
RE: Couple of newbie questions... (repost)
Philip,

From what I have read, people have given you complete and logical advice on how to do this properly. Yeah, the US has laws regarding SPAM. They also have laws on drinking and driving. Laws are reactive.

But, if you wish to forego the advice of list members then you should probably really think about the next question. Is the mini-flame war you're trying to conduct productive to the preventing of spam, i.e. this group?

I'd check the archives... Matt's been around for a while. His advice is usually on the money.

Gary Wayne Smith

> -----Original Message-----
> From: Philip Prindeville [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 06, 2006 8:16 PM
> To: Matt Kettler
> Cc: users@spamassassin.apache.org
> Subject: Re: Couple of newbie questions... (repost)
>
> Matt Kettler wrote:
>
> >Philip Prindeville wrote:
> >
> >>I.e. any provider or country that doesn't have an institutional policy
> >>of prosecuting spam senders...
> >
> >Erm, so you're going to block all of the US, correct?
>
> No. We have laws against spam that hopefully most legitimate ISP's
> attempt to conform to.
Re: Couple of newbie questions... (repost)
I'm not waging any mini-flames. I was asked (and I assumed it was with sincerity) what I did and why, and I answered with sincerity.

I'm not saying what I do is the best solution, or advocate anyone else doing the same thing.

And yes, we have laws against drinking and driving: If I said that I was a teetotaler that never left the house and didn't drive, would anyone try to convince me that I should live otherwise?

-Philip

Gary W. Smith wrote:

> Philip,
>
> From what I have read, people have given you complete and logical advice on how to do this properly. Yeah, the US has laws regarding SPAM. They also have laws on drinking and driving. Laws are reactive.
>
> But, if you wish to forego the advice of list members then you should probably really think about the next question. Is the mini-flame war you're trying to conduct productive to the preventing of spam, i.e. this group?
>
> I'd check the archives... Matt's been around for a while. His advice is usually on the money.
>
> Gary Wayne Smith
>
>> -----Original Message-----
>> From: Philip Prindeville [mailto:[EMAIL PROTECTED]
>> Sent: Monday, February 06, 2006 8:16 PM
>> To: Matt Kettler
>> Cc: users@spamassassin.apache.org
>> Subject: Re: Couple of newbie questions... (repost)
>>
>> Matt Kettler wrote:
>>
>>> Philip Prindeville wrote:
>>>
>>>> I.e. any provider or country that doesn't have an institutional policy of prosecuting spam senders...
>>>
>>> Erm, so you're going to block all of the US, correct?
>>
>> No. We have laws against spam that hopefully most legitimate ISP's attempt to conform to.
Re: Couple of newbie questions... (repost)
Philip Prindeville wrote:
> Matt Kettler wrote:
>
>> Philip Prindeville wrote:
>>
>>> I.e. any provider or country that doesn't have an institutional policy
>>> of prosecuting spam senders...
>>
>> Erm, so you're going to block all of the US, correct?
>
> No. We have laws against spam that hopefully most legitimate ISP's
> attempt to conform to.

Erm, no we don't. U-CAN-SPAM doesn't exactly count as a law against spam. After all, there's nothing in it that prohibits spamming. As long as you follow a few rules about the format you can carpet bomb people with spam all you like.

>> No Philip, you currently block comcast SERVER addresses. I use
>> comcast's relays. I do NOT direct deliver. My message sent directly to
>> you bounced.
>
> Then I've not deduced what addresses are used for users and which
> block is allocated to servers...

Fair enough. This conversation started when I pointed out you were blocking comcast's *entire* network. I did so because you failed to accept mail properly relayed through their servers.

>> Earlier I suggested you should do this, and you essentially blew me off.
>> Now you're trying to claim this is the configuration you use, when
>> evidence suggests otherwise.
>
> You said that I was blocking based on Return-path:'s, and your
> argument was predicated on that.
>
> I don't block on Return-path's, as I've hopefully made clear.

Yes, you made that clear in your last message in this thread.. I'm still unsure why you waited so long to point out your policy. Your earlier messages simply stated you block comcast. You made no qualifications about not blocking servers when you stated:

"And I don't accept email from carriers that have a policy of not investigating external spam complaints. "

That's a statement that has a pretty strong implication that you aren't intending a partial block, but a complete absolute block of the whole ISP.

> It's possible that the addresses that I block include both server and
> user addresses and that I've not partitioned correctly.
>
> Do you have a complete list of IP CIDR blocks used by Comcast,
> or know where they can be found?

No I don't, but I can point out the following smarthost servers (extracted from my own posts to the list). These hosts appear to be multi-homed with multiple IPs (try an A record query for one, you should get back several addresses).. I've organized them by IP range for your convenience.

rwcrmhc11.comcast.net 204.127.192.81
rwcrmhc12.comcast.net 204.127.192.82
rwcrmhc13.comcast.net 204.127.192.83
rwcrmhc14.comcast.net 204.127.192.84
rwcrmhc15.comcast.net 204.127.192.85
rwcrmhc11.comcast.net 204.127.198.35
rwcrmhc12.comcast.net 204.127.198.39
rwcrmhc13.comcast.net 204.127.198.39
rwcrmhc12.comcast.net 204.127.192.82
rwcrmhc13.comcast.net 204.127.192.83
rwcrmhc14.comcast.net 204.127.192.84
rwcrmhc12.comcast.net 216.148.227.85
rwcrmhc14.comcast.net 216.148.227.89
rwcrmhc11.comcast.net 216.148.227.151
rwcrmhc12.comcast.net 216.148.227.152
rwcrmhc13.comcast.net 216.148.227.153
rwcrmhc14.comcast.net 216.148.227.154

> I'm not sure I trust their SPF records...

Comcast doesn't have any SPF records.

> (actually, I doubt that they
> allow zone transfers anyway)

What does zone transfer have to do with SPF? Why would you want to zone transfer just to get a SPF record when it's a couple of TXT queries at most?
Re: Couple of newbie questions... (repost)
Hello,

From: Matt Kettler <[EMAIL PROTECTED]>
Subject: Re: Couple of newbie questions... (repost)
Date: Mon, 06 Feb 2006 18:59:34 -0500

(snip...)
> Consider this porn spam:
>
> Return-Path: <[EMAIL PROTECTED]>
> Received: from bgp01061386bgs.taylor01.mi.comcast.net
> (bgp01061386bgs.taylor01.mi.comcast.net [68.40.7.208])
> by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id jBRAKsEn012564
> for <[EMAIL PROTECTED]>; Tue, 27 Dec 2005 05:21:12 -0500

I have some ideas for catching spam that comes from 'comcast.net' dynamic IPs.

(1) Update 'HELO_DYNAMIC_COMCAST'

#---
header HELO_DYNAMIC_COMCAST2 X-Spam-Relays-Untrusted =~ /helo=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net .+ident= envfrom= intl=0 .+auth= /
describe HELO_DYNAMIC_COMCAST2 Relay HELO'd using suspicious hostname (Comcast)
score HELO_DYNAMIC_COMCAST2 2.800 2.800 3.237 3.500
#---

In '20_fake_helo_tests.cf', HELO_DYNAMIC_COMCAST is obsolete, I think. Comcast's FQDN format has been updated; almost all FQDNs are:

| $ host 68.40.7.208
| Name: c-68-40-7-208.hsd1.mi.comcast.net
| Address: 68.40.7.208

(2) Make site-local rules

Ex. All mail that comes to me passes through the receiving MTA 'mail.flcl.org'. So, I write:

#---
# Attention: Do not simply copy & paste the rules below!
# You MUST rewrite 'by=' to your receiving MTA!
header DIRECTCOMCAST X-Spam-Relays-Untrusted =~ /rdns=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net .+ by=mail\.flcl\.org ident= envfrom= intl=0 .+auth= /
describe DIRECTCOMCAST directly received spam from COMCAST
score DIRECTCOMCAST 1.0

meta ___DCN RAZOR2_CHECK || PYZOR_CHECK || DCC_CHECK
meta DIRECTCOMCASTDCN ___DCN && DIRECTCOMCAST
score DIRECTCOMCASTDCN 3.5

meta DIRECTCOMCAST99 BAYES_99 && DIRECTCOMCAST
score DIRECTCOMCAST99 3.5

meta ___SURBL URIBL_AB_SURBL || URIBL_OB_SURBL || URIBL_PH_SURBL || URIBL_SC_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_SC2_SURBL || URIBL_XS_SURBL
meta DIRECTCOMCASTSURBL ___SURBL && DIRECTCOMCAST
score DIRECTCOMCASTSURBL 2.0
#---

The first rule detects mail sent directly from dynamic IPs to my receiving MTA. But that is only a probability of spam. So, I use meta rules to detect spam strictly.

> Also, comcast's cablemodem users are the biggest problem, as they're readily
> infected by viruses. Comcast is usually fairly good about having RDNS for all
> these.

But almost all IPs on comcast.net have FQDNs set. So, it is easier to decide whether comcast.net's IPs are dynamic or not than it is for Asian ISPs' IPs.

--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh) mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
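
The site-local rule in the message above depends on two facts in X-Spam-Relays-Untrusted: the first relay was received by your own MTA, and its rDNS has the Comcast subscriber shape. As an added example (not code from the post or from SpamAssassin), here is the same decision in Python over constructed header values; `mail.example.org`, the `id=` values and the function names are assumptions, and the check that the IP embedded in the rDNS equals the connecting IP goes beyond the posted rule.

```python
import ipaddress
import re

# Hostname shapes taken from the thread: subscriber rDNS as printed by
# `host 68.40.7.208`, and the smarthost names in Matt's list.
SUBSCRIBER_RDNS = re.compile(
    r"^c-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.hsd1\.[a-z]{2}\.comcast\.net$",
    re.I)
SMARTHOST_RDNS = re.compile(r"^rwcrmhc\d+\.comcast\.net$", re.I)
RELAY_BLOCK = re.compile(r"\[ ([^\]]*)\]")

# Constructed sample values (not from real mail); by= is a placeholder MTA.
DIRECT = ("[ ip=68.40.7.208 rdns=c-68-40-7-208.hsd1.mi.comcast.net "
          "helo=c-68-40-7-208.hsd1.mi.comcast.net by=mail.example.org "
          "ident= envfrom= intl=0 id=CONSTRUCTED1 auth= ]")
VIA_SMARTHOST = ("[ ip=204.127.192.81 rdns=rwcrmhc11.comcast.net "
                 "helo=rwcrmhc11.comcast.net by=mail.example.org "
                 "ident= envfrom= intl=0 id=CONSTRUCTED2 auth= ] "
                 "[ ip=68.40.7.208 rdns=c-68-40-7-208.hsd1.mi.comcast.net "
                 "helo=laptop by=rwcrmhc11.comcast.net "
                 "ident= envfrom= intl=0 id=CONSTRUCTED3 auth= ]")
MISMATCHED = DIRECT.replace("ip=68.40.7.208", "ip=203.0.113.9")


def parse_relays(header):
    """Return one dict per '[ key=value ... ]' block, newest relay first."""
    relays = []
    for block in RELAY_BLOCK.findall(header):
        fields = {}
        for token in block.split():
            key, _, value = token.partition("=")
            fields[key] = value
        relays.append(fields)
    return relays


def classify_delivery(header, our_mta):
    """Classify the host that handed the message to our_mta."""
    relays = parse_relays(header)
    if not relays:
        return "no-untrusted-relay"
    first = relays[0]
    if first.get("by", "").lower() != our_mta.lower():
        return "not-received-by-our-mta"
    rdns = first.get("rdns", "")
    match = SUBSCRIBER_RDNS.match(rdns)
    if match:
        # Extra check beyond the thread's rule: the address embedded in the
        # name must be the address that actually connected.
        try:
            embedded = ipaddress.ip_address(".".join(match.groups()))
            same = embedded == ipaddress.ip_address(first.get("ip", ""))
        except ValueError:
            same = False
        return "subscriber-direct" if same else "subscriber-rdns-mismatch"
    if SMARTHOST_RDNS.match(rdns):
        return "smarthost"
    return "other"


if __name__ == "__main__":
    for name in ("DIRECT", "VIA_SMARTHOST", "MISMATCHED"):
        print(name, classify_delivery(globals()[name], "mail.example.org"))
```

Mail relayed through a listed smarthost classifies as `smarthost` even though a subscriber host appears further down the chain, which is the distinction the thread turns on.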
Re: Couple of newbie questions... (repost)
Matt Kettler wrote:

> Philip Prindeville wrote:
>
>> Matt Kettler wrote:
>>
>>> Philip Prindeville wrote:
>>>
>>>> I.e. any provider or country that doesn't have an institutional policy of prosecuting spam senders...
>>>
>>> Erm, so you're going to block all of the US, correct?
>>
>> No. We have laws against spam that hopefully most legitimate ISP's attempt to conform to.
>
> Erm, no we don't. U-CAN-SPAM doesn't exactly count as a law against spam. After all, there's nothing in it that prohibits spamming. As long as you follow a few rules about the format you can carpet bomb people with spam all you like.

It does prohibit you from hiding or disguising your identity, however.

>>> No Philip, you currently block comcast SERVER addresses. I use comcast's relays. I do NOT direct deliver. My message sent directly to you bounced.
>>
>> Then I've not deduced what addresses are used for users and which block is allocated to servers...
>
> Fair enough. This conversation started when I pointed out you were blocking comcast's *entire* network. I did so because you failed to accept mail properly relayed through their servers.

I just went on www.arin.net and tried to do a match on all of Comcast's network handles, but unfortunately it gives no explanation as to how they are used (some addresses are reserved, for instance, for VoIP devices).

I'll send them an email and see if they care to post the CIDR blocks.

>>> Earlier I suggested you should do this, and you essentially blew me off. Now you're trying to claim this is the configuration you use, when evidence suggests otherwise.
>>
>> You said that I was blocking based on Return-path:'s, and your argument was predicated on that.
>>
>> I don't block on Return-path's, as I've hopefully made clear.
>
> Yes, you made that clear in your last message in this thread.. I'm still unsure why you waited so long to point out your policy. Your earlier messages simply stated you block comcast. You made no qualifications about not blocking servers when you stated:
>
> "And I don't accept email from carriers that have a policy of not investigating external spam complaints. "
>
> That's a statement that has a pretty strong implication that you aren't intending a partial block, but a complete absolute block of the whole ISP.

Well, I don't know why that assumption was made... I spent years at Cisco, Wellfleet, Bellcore, and France Telecom (13 years total)... I'm an IP and routing person. I seek truth in dotted-quads.

It's easy to forge a MAIL FROM:. It's a lot harder to forge a source address.

>> It's possible that the addresses that I block include both server and user addresses and that I've not partitioned correctly.
>>
>> Do you have a complete list of IP CIDR blocks used by Comcast, or know where they can be found?
>
> No I don't, but I can point out the following smarthost servers (extracted from my own posts to the list). These hosts appear to be multi-homed with multiple IPs (try an A record query for one, you should get back several addresses).. I've organized them by IP range for your convenience.
>
> rwcrmhc11.comcast.net 204.127.192.81
> rwcrmhc12.comcast.net 204.127.192.82
> rwcrmhc13.comcast.net 204.127.192.83
> rwcrmhc14.comcast.net 204.127.192.84
> rwcrmhc15.comcast.net 204.127.192.85
> rwcrmhc11.comcast.net 204.127.198.35
> rwcrmhc12.comcast.net 204.127.198.39
> rwcrmhc13.comcast.net 204.127.198.39
> rwcrmhc12.comcast.net 204.127.192.82
> rwcrmhc13.comcast.net 204.127.192.83
> rwcrmhc14.comcast.net 204.127.192.84

Ok, I've unblocked this class B.

> rwcrmhc12.comcast.net 216.148.227.85
> rwcrmhc14.comcast.net 216.148.227.89
> rwcrmhc11.comcast.net 216.148.227.151
> rwcrmhc12.comcast.net 216.148.227.152
> rwcrmhc13.comcast.net 216.148.227.153
> rwcrmhc14.comcast.net 216.148.227.154

I managed to miss these. Go figure.

>> I'm not sure I trust their SPF records...
>
> Comcast doesn't have any SPF records.

That would be a good reason not to.

>> (actually, I doubt that they allow zone transfers anyway)
>
> What does zone transfer have to do with SPF? Why would you want to zone transfer just to get a SPF record when it's a couple of TXT queries at most?

My mistake... I was thinking of a previous DNS-based approach to authenticating email. I went back and read the SPF draft, and you're right, it's under the domain name and not keyed on the address.

-Philip
Personal rule matching ToCc
Hi,

I want to write a personal domain-wise rule.

The rule I am using now is

header __TO_DOMAIN_NET ToCc =~ /[EMAIL PROTECTED]/i

But the above rule would match "@domain.net" as well as "@domain.net.in".

Which is the best way to match only @domain.net and not @domain.net.in?

Thanks
Ram
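
The over-match described in the question above comes from a pattern that says nothing about what may follow the domain. As an added example (not part of the original post), the Python below compares an unanchored pattern with one that uses a negative lookahead, a construct Perl regular expressions share with Python's `re`; the pattern in the post is redacted, so `LOOSE` is an assumed shape, and the sample header value and function names are constructed.

```python
import re

# Assumed shape of the rule in the question (the real pattern is redacted):
# the domain with nothing constraining what follows it.
LOOSE = re.compile(r"@domain\.net", re.I)
# After "net": no further hostname character, and no dot that starts another
# label (".in"). A bare trailing "." or ">" is still accepted.
STRICT = re.compile(r"@domain\.net(?![a-z0-9-]|\.[a-z0-9])", re.I)

ADDRESS = re.compile(r"[^\s<>,;\"]+@[^\s<>,;\"]+")

# Constructed To/Cc value.
SAMPLE_TOCC = ('Ram <ram@domain.net>, "X" <x@domain.net.in>, '
               'y@domain.network, z@DOMAIN.NET, w@domain.net-mail.example')


def accepted(tocc_value, pattern):
    """Return the addresses in a To/Cc value that the pattern matches."""
    return [a for a in ADDRESS.findall(tocc_value) if pattern.search(a)]


def header_hits(tocc_value, pattern):
    """Rules see the whole header value, so also test the unsplit string."""
    return bool(pattern.search(tocc_value))


if __name__ == "__main__":
    print("loose :", accepted(SAMPLE_TOCC, LOOSE))
    print("strict:", accepted(SAMPLE_TOCC, STRICT))
```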