Re: Couple of newbie questions... (repost)

2006-02-06 Thread Matt Kettler
Philip Prindeville wrote:
> Matt Kettler wrote:
>
>> Philip Prindeville wrote:
>>
>> 
>>
>> Philip will get no further help from me until he modifies his ACLs.
>>
>> Final-Recipient: rfc822; <[EMAIL PROTECTED]>
>> Action: failed
>> Status: 5.1.0 MAIL FROM: <[EMAIL PROTECTED]> 550 REPLY:
>> 550_5.0.0_This_provider_is_blacklisted
>>
>> Sorry, I don't help people who block off entire email domains
>> containing millions of users and then request help on a global
>> mailing list.
>>  
>>
>
> And I don't accept email from carriers that have a policy of not
> investigating external spam complaints.
>
> When Comcast researches complaints from outside sources that
> their users are a spam source (and not just complaints from others
> of their own subscribers) then I'll stop blocking them.

While I can understand that, and I'm certainly no fan of comcast's
incident handling, do realize that you won't get any help from me as
long as you're blocking comcast. In general I view blanket blocklisting
of a large-scale ISP domain as a method of last resort reserved for ISPs
with truly egregious problems.

Also realize that nearly all of your comcast spam problems do not have
comcast email addresses as a return-path, and do not come through
comcast's smarthosts. They come direct from end-user nodes with your
typical spammer random return-path.

So while blocking email with a comcast.net return-path is a good protest
against the ISPs policies, it's going to do very little to aid your spam
problems. Make sure you're using a DUL RBL or blocking by RDNS of the
delivering IP, that will be considerably more effective against spam.




Re: Whitelist misunderstanding regarding performance

2006-02-06 Thread Eric Carlson
On Sat, 04 Feb 2006 11:22:59 -0500, you wrote:

>Eric Carlson wrote:
>> SA 3.0.2 on FC3. I added a whitelist_from entry for the local domain
>> in local.cf and understood it would add -100 to the score. The problem
>> is performance of mantis, our bugtracker, which sends email for each
>> action. Turns out SA is still scanning each mail where I really wanted
>> it to just ignore it totally. Is this possible please?
>SA does not support any "bail out of scan" features at present. Even if
>SA did have the feature (which is planned for a future release), you'd
>still have a lot of overhead because SA would not know this rule hit
>until after it had already parsed all the message headers.
>
>The best way to do this (and the only way right now) is to avoid calling
>SA in the first place. Depending on how you call SA this could be fairly
>easy (ie: if you use procmail, you can use a procmail rule to only scan
>some messages)

Hi, and sincere thanks for your help. I think I'm getting it now. The
problem is this is a hosted QMail installation and I really wouldn't
know how to apply a rule similar to the procmail one - any quick
pointers please?

>
>Also - warning DO NOT use whitelist_from on your localdomain. This rule
>is subject to being easily forged, and many spammers intentionally forge
>a From: address in your domain to try to take advantage of this. In
>general use whitelist_from_rcvd for whitelisting where-ever possible.

Ok, sounds right. The thing about the emails I know I don't want to
filter is they originate from localhost, i.e. mantis the bugtracker
and jive forums etc. Is that a smarter way to detect mail which
shouldn't be scanned?

-- ec



Problem with bayes

2006-02-06 Thread Kryol
Hi all,   
   
I have a problem with a Bayes.  
I've upgraded perl-5.8.5 to 5.8.7 then portupgrade of p5-Mail-Spamassassin was done.
After sa-learn and restart I lost bayes marks in mail messages.  
   
I have a following strings in a local.cf:   
   
use_bayes 1   
bayes_path /usr/local/mail/spamassassin/bayes   
bayes_auto_learn 0 
bayes_file_mode 0770   
  
Also  
   
# ls -l /usr/local/mail/spamassassin/  
total 5504  
-rw-rw-rw-  1 spamd  spamd 7644 Feb  6 10:58 bayes.mutex  
-rw-rw  1 spamd  spamd 4296 Feb  6 15:34 bayes_journal  
-rw-rw-rw-  1 spamd  spamd   196608 Feb  6 10:58 bayes_seen  
-rw-rw-rw-  1 spamd  spamd  2473984 Feb  6 10:58 bayes_toks  
-rw-rw  1 spamd  spamd  2179072 Dec 23 10:04 bayes_toks.expire27736  
-rw-rw  1 spamd  spamd  1196032 Dec 23 10:04 bayes_toks.expire27744  
-rw-r--r--  1 root   spamd  108 Feb  6 14:32 razor-agent.log  
  
What may be wrong?  
   
Thanks,   
Kryol  
  
P.S. Also I attach the result of spamassassin -D --lint in file test.out 
 
eph1# spamassassin -D --lint --siteconfigpath=/usr/local/etc/mail/spamassassin
[10753] dbg: logger: adding facilities: all
[10753] dbg: logger: logging level is DBG
[10753] dbg: generic: SpamAssassin version 3.1.0
[10753] dbg: config: score set 0 chosen.
[10753] dbg: util: running in taint mode? yes
[10753] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[10753] dbg: util: PATH included '/sbin', keeping
[10753] dbg: util: PATH included '/bin', keeping
[10753] dbg: util: PATH included '/usr/sbin', keeping
[10753] dbg: util: PATH included '/usr/bin', keeping
[10753] dbg: util: PATH included '/usr/games', keeping
[10753] dbg: util: PATH included '/usr/local/sbin', keeping
[10753] dbg: util: PATH included '/usr/local/bin', keeping
[10753] dbg: util: PATH included '/usr/X11R6/bin', which doesn't exist, dropping
[10753] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[10753] dbg: util: final PATH set to: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
[10753] dbg: dns: is Net::DNS::Resolver available? yes
[10753] dbg: dns: Net::DNS version: 0.55
[10753] dbg: dns: name server: xxx.xxx.xxx.xxx, family: 2, ipv6: 0
[10753] dbg: diag: perl platform: 5.008007 freebsd
[10753] dbg: diag: module installed: Digest::SHA1, version 2.11
[10753] dbg: diag: module installed: MIME::Base64, version 3.07
[10753] dbg: diag: module installed: HTML::Parser, version 3.48
[10753] dbg: diag: module installed: DB_File, version 1.811
[10753] dbg: diag: module installed: Net::DNS, version 0.55
[10753] dbg: diag: module installed: Net::SMTP, version 2.29
[10753] dbg: diag: module installed: Mail::SPF::Query, version 1.997
[10753] dbg: diag: module installed: IP::Country::Fast, version 309.002
[10753] dbg: diag: module installed: Razor2::Client::Agent, version 2.77
[10753] dbg: diag: module installed: Net::Ident, version 1.20
[10753] dbg: diag: module not installed: IO::Socket::INET6 ('require' failed)
[10753] dbg: diag: module installed: IO::Socket::SSL, version 0.97
[10753] dbg: diag: module installed: Time::HiRes, version 1.66
[10753] dbg: diag: module not installed: DBI ('require' failed)
[10753] dbg: diag: module installed: Getopt::Long, version 2.34
[10753] dbg: diag: module installed: LWP::UserAgent, version 2.033
[10753] dbg: diag: module installed: HTTP::Date, version 1.46
[10753] dbg: diag: module not installed: Archive::Tar ('require' failed)
[10753] dbg: diag: module not installed: IO::Zlib ('require' failed)
[10753] dbg: ignore: using a test message to lint rules
[10753] dbg: config: using "/usr/local/etc/mail/spamassassin" for site rules pre files
[10753] dbg: config: read file /usr/local/etc/mail/spamassassin/init.pre
[10753] dbg: config: read file /usr/local/etc/mail/spamassassin/v310.pre
[10753] dbg: config: using "/usr/local/share/spamassassin" for sys rules pre files
[10753] dbg: config: using "/usr/local/share/spamassassin" for default rules dir
[10753] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf
[10753] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf
[10

FW: META: [EMAIL PROTECTED]: Norman De Forest - sad news]

2006-02-06 Thread Chris Santerre






This is extremely sad news. Those that dealt with Norman, know what a great help he was. He will be greatly missed.


Posted to SPAM-L


- Forwarded message from Ant <[EMAIL PROTECTED]> -


> From: Ant <[EMAIL PROTECTED]>
> Newsgroups: alt.comp.virus,news.admin.net-abuse.email
> Subject: Norman De Forest - sad news
> Date: Fri, 3 Feb 2006 20:55:27 -
> 
> "It is with great sadness that we announce the passing away of
>  Norman De Forest ... In poor health and living in extreme poverty,
>  Norman's mind was rarely fettered by his circumstances and he quite
>  literally has helped thousands of people, both through Chebucto and
>  the internet and in real life. Like most truly generous people, he
>  kept his charity to himself and it is likely nobody alive knows the
>  true extent of his caring..."
> 
> http://beacon.chebucto.info/news.shtml
> 
> 
- End forwarded message -





Generate stats

2006-02-06 Thread Benjamin Adams

how do I generate stats on Spam Assassin?
percentages and things.

Thanks for the help
Ben



Re: Pump and Dump SARE rules

2006-02-06 Thread Larry Starr
On Sunday 05 February 2006 17:41, Doc Schneider wrote:
> Chris Santerre wrote:
> >  > -Original Message-
> >  > From: Doc Schneider [mailto:[EMAIL PROTECTED]
> >  > Sent: Friday, January 27, 2006 5:14 PM
> >  > To: users@spamassassin.apache.org
> >  > Subject: Pump and Dump SARE rules
> >  >
> >  >
> >  > http://rulesemporium.com/rules/70_sare_stocks.cf
> >  >
> >  > Is the latest addition to the SARE rule sets.
> >  >
> >  > -Doc (SARE Ninja)
> >
> > This has to be the MOST tested ruleset of any SARE release. :)  If you
> > guys only knew how long Doc and the other SARE ninjas have been working
> > on this set. I think a giant *sigh* of relief can be heard throughout
> > the lands.
> >
> > Please give feedback.  And this set will be continually updated.
> >
> > --Chris
>
> I just updated this ruleset with some new rules and also added in the
> counts for the scoring.
>
> Also updated http://www.rulesemporium.com/rules.htm adding this new set
> to it.
>
> And please if anyone is using this set let us know we like feedback!
>
> -Doc (SARE Ninja)

I've been using it, and it seems well worth while.
From today's logfile (the first column is its ranking in the rules hit in
spam and the last is the hit count):
   35  SARE_MLH_Stock1     159.000
   38  SARE_MLB_Stock1     130.000
   66  SARE_LWSHORTT        90.000
   72  SARE_MLB_Stock2      76.000
   86  SARE_RMML_Stock24    51.000
   96  SARE_LW1933          43.000
   98  SARE_LWSYMFMT        43.000
  111  SARE_MLB_Stock5      36.000

Thanks for your efforts!

-- 
Larry G. Starr - [EMAIL PROTECTED] or [EMAIL PROTECTED]
Software Engineer: Full Compass Systems LTD.
Phone: 608-831-7330 x 1347  FAX: 608-831-6330
===
There are only three sports: bullfighting, mountaineering and motor
racing, all the rest are merely games! - Ernest Hemmingway



Re: Generate stats

2006-02-06 Thread Evan Platt
On Mon, February 6, 2006 9:49 am, Benjamin Adams wrote:
> how do I generate stats on Spam Assassin?
> percentages and things.

http://www.cynistar.net/~apthorpe/code/sa-contrib/sa-stats.html

Is a good start, others might have some other recommendations.

Evan



RE: Little custom rule

2006-02-06 Thread Ruben Cardenal

Hi again,

  I added them and had to change the 1st "{" in the 1st rule for a "(" in
order spamd not to complain about it. Anyway, it doesn't work :(

  Thanks anyway

Ruben

> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Monday, 06 February 2006 1:23
> To: users@spamassassin.apache.org
> Subject: Re: Little custom rule
> 
> > header __LW_BLAH1 ALL =~
> /\nTo:[^<\n]+<[EMAIL PROTECTED])[^\n]+.*\nSubject:\s*Fw:
> > \1\b/i
> > header __LW_BLAH2 ALL =~ /\nSubject:\s*Fw:
> > (\w+)[^\n]*.*\nTo:[^<\n]+<\1\@/i
> > meta LW_BLAH __LW_BLAH1 || __LW_BLAH2
> > score LW_BLAH 1
> 
> I see those lines wrapped.  The first 4 lines above are really two lines.
> There is one space after the "Fw:" at the end of those wrapped lines, then
> the stuff on the second line.
> 
> Loren




query score for Re: r news 5860 spam

2006-02-06 Thread Spamassassin List

Hi,

I had been attacked by a spam ( http://60.49.100.123/news5860.txt ) in all 
my mail servers.

Surprising it has a 0:0 hit.

X-Spam-Status: No, score=0.0 required=5.0 tests=HTML_MESSAGE,UPPERCASE_25_50
   autolearn=disabled version=3.1.0

What are your scores? Which ruleset do u use to trap this spam?

best regards 



Re: Generate stats

2006-02-06 Thread Benjamin Adams

I'm running this on Mac OS X,
sa-stats is not located on the machine.
I tried installing through perl -MCPAN but it doesn't know what it is
I tried downloading it from spam assassin and running but missing
perl additions.

Any other way program?

Ben

On Feb 6, 2006, at 1:18 PM, Evan Platt wrote:

> On Mon, February 6, 2006 9:49 am, Benjamin Adams wrote:
>> how do I generate stats on Spam Assassin?
>> percentages and things.
>
> http://www.cynistar.net/~apthorpe/code/sa-contrib/sa-stats.html
>
> Is a good start, others might have some other recommendations.
>
> Evan






RE: query score for Re: r news 5860 spam

2006-02-06 Thread Ruben Cardenal

header MY_NEWS Subject =~ /^Re:\s[0-9]*[a-z]*\snews\s[0-9]*[0-9]*[0-9]*[0-9]*/i
score MY_NEWS 6

Ruben

> -Original Message-
> From: Spamassassin List [mailto:[EMAIL PROTECTED]
> Sent: Monday, 06 February 2006 19:56
> To: users@spamassassin.apache.org
> Subject: query score for Re: r news 5860 spam
> 
> Hi,
> 
> I had been attacked by a spam ( http://60.49.100.123/news5860.txt ) in all
> my mail servers.
> Surprising it has a 0:0 hit.
> 
> X-Spam-Status: No, score=0.0 required=5.0
> tests=HTML_MESSAGE,UPPERCASE_25_50
> autolearn=disabled version=3.1.0
> 
> What are your scores? Which ruleset do u use to trap this spam?
> 
> best regards




RE: query score for Re: r news 5860 spam

2006-02-06 Thread Mike Sassaman
I just got one like that a few minutes ago... this is what the log says:

Feb  6 14:05:37 mail spamd[26278]: result: Y  7 - BAYES_95,HTML_90_100,HTML_MESSAGE,RCVD_IN_BL_SPAMCOP_NET,RCVD_IN_XBL



> -Original Message-
> From: Spamassassin List [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 06, 2006 1:56 PM
> To: users@spamassassin.apache.org
> Subject: query score for Re: r news 5860 spam
> 
> 
> Hi,
> 
> I had been attacked by a spam ( 
> http://60.49.100.123/news5860.txt ) in all 
> my mail servers.
> Surprising it has a 0:0 hit.
> 
> X-Spam-Status: No, score=0.0 required=5.0 
> tests=HTML_MESSAGE,UPPERCASE_25_50
> autolearn=disabled version=3.1.0
> 
> What are your scores? Which ruleset do u use to trap this spam?
> 
> best regards 
> 


Re: Generate stats

2006-02-06 Thread Andy Jezierski

Benjamin Adams <[EMAIL PROTECTED]> wrote on 02/06/2006 12:58:20 PM:

> I'm running this on Mac OS X,
> sa-stats is not located on the machine.
> I tried installing through perl -MCPAN but it doesn't know what it is
> I tried downloading it from spam assassin and running but missing
> perl additions.
> Any other way program?
> 
> Ben
> 

From an earlier post by Dallas Engelken:


> SA 3.0.x - http://www.rulesemporium.com/programs/sa-stats.txt
> SA 3.1.x - http://www.rulesemporium.com/programs/sa-stats-1.0.txt

Andy

Re: Generate stats

2006-02-06 Thread Benjamin Adams
ok I have the file next thing, spamd has no log:
I added the following to syslog.conf

!!spamd
daemon.info                     /var/log/spamd
daemon.debug                    /dev/null
!*

with this will /var/log/spamd file?
or a directory where I need to pre-create the files for it to start logging?

Thanks For the Help
Ben

On Feb 6, 2006, at 2:29 PM, Andy Jezierski wrote:

Benjamin Adams <[EMAIL PROTECTED]> wrote on 02/06/2006 12:58:20 PM:

> I'm running this on Mac OS X,
> sa-stats is not located on the machine.
> I tried installing through perl -MCPAN but it doesn't know what it is
> I tried downloading it from spam assassin and running but missing
> perl additions.
> Any other way program?
>
> Ben
>

From an earlier post by Dallas Engelken:

> SA 3.0.x - http://www.rulesemporium.com/programs/sa-stats.txt
> SA 3.1.x - http://www.rulesemporium.com/programs/sa-stats-1.0.txt

Andy

RE: Little custom rule

2006-02-06 Thread Loren Wilton
>  I added them and had to change the 1st "{" in the 1st rule for a "(" in

Hum, yes.  That should have been a left parend.

>order spamd not to complain about it. Anyway, it doesn't work :(

Could try /is instead of just /i on the end of the regexes, that might help.

The trouble is this sort of rule normally takes a good half hour of fiddling 
with an example spam before it will hit reliably.  I normally write the rule, 
and when it doesn't work, I have to start taking it apart into pieces until I 
start getting things to hit, then put it back together until it works.

 Loren



RE: Little custom rule

2006-02-06 Thread Ruben Cardenal
Hi,

It seems it doesn't want to work, it just didn't match this:

From: "rkfexklqc" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Fw: oscarbru

Ruben


> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Monday, 06 February 2006 21:14
> To: Ruben Cardenal; users@spamassassin.apache.org
> Subject: RE: Little custom rule
> 
> >  I added them and had to change the 1st "{" in the 1st rule for a "(" in
> 
> Hum, yes.  That should have been a left parend.
> 
> >order spamd not to complain about it. Anyway, it doesn't work :(
> 
> Could try /is instead of just /i on the end of the regexes, that might
> help.
> 
> The trouble is this sort of rule normally takes a good half hour of
> fiddling with an example spam before it will hit reliably.  I normally
> write the rule, and when it doesn't work, I have to start taking it apart
> into pieces until I start getting things to hit, then put it back together
> until it works.
> 
>  Loren




RE: Little custom rule

2006-02-06 Thread Loren Wilton
>It seems it doesn't want to work, it just didn't match this:
>
>From: "rkfexklqc" <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>Subject: Fw: oscarbru

Ah, ok.  As I said, it would match names in <> characters, and not one of the 
dozen or so other valid formats.  You have one of those other formats.  Try 
this instead (also untested):

header __LW_BLAH1 ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw: \1\b/i

Loren



RE: Little custom rule

2006-02-06 Thread Ruben Cardenal

That one works! Thanks :)

Ruben

> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Monday, 06 February 2006 21:52
> To: Ruben Cardenal; users@spamassassin.apache.org
> Subject: RE: Little custom rule
> 
> >It seems it doesn't want to work, it just didn't match this:
> >
> >From: "rkfexklqc" <[EMAIL PROTECTED]>
> >To: [EMAIL PROTECTED]
> >Subject: Fw: oscarbru
> 
> Ah, ok.  As I said, it would match names in <> characters, and not one of
> the dozen or so other valid formats.  You have one of those other formats.
> Try this instead (also untested):
> 
> header __LW_BLAH1 ALL =~ /\nTo: ([EMAIL PROTECTED]).+\nSubject:\s*Fw: \1\b/i
> 
> Loren
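
The failure mode worked through in this thread, as an added example that is not part of the original posts: a regex that only understands the `<addr>` form of `To:` misses a bare address, and without `/s` the `.*` cannot cross intervening header lines. The archive redacted part of the thread's regex, so `ANGLE` below is an assumed pattern of the same shape, and all addresses and header samples are constructed; `fw_localpart_hit` is a hypothetical parser-based check that goes beyond the thread by handling any address format and header order.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumed pattern (not the thread's exact regex, which the archive redacted):
# To: with the address in <>, then a Subject of "Fw: <local part>".
ANGLE = r"\nTo:[^<\n]+<(\w+)@[^\n]+.*\nSubject:\s*Fw: \1\b"
ANGLE_I = re.compile(ANGLE, re.I)           # Perl /i
ANGLE_IS = re.compile(ANGLE, re.I | re.S)   # Perl /is: '.' also matches newline

FW_SUBJECT = re.compile(r"\s*Fw:\s*(\w+)\b", re.I)


def fw_localpart_hit(raw_headers):
    """True when Subject is 'Fw: <word>' and <word> is a recipient's local part.

    Uses the stdlib address parser, so bare addresses, <addr>, quoted display
    names, multiple recipients and either header order are all handled.
    """
    msg = message_from_string(raw_headers)
    m = FW_SUBJECT.match(msg.get("Subject", ""))
    if not m:
        return False
    word = m.group(1).lower()
    recipients = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return any(addr.partition("@")[0].lower() == word
               for _name, addr in recipients if addr)


# Constructed header samples; only "rkfexklqc" and "Fw: oscarbru" are from the thread.
FROM = 'From: "rkfexklqc" <sender@example.net>\n'
H_ANGLE = FROM + 'To: "Oscar" <oscarbru@example.com>\nSubject: Fw: oscarbru\n'
H_GAP = (FROM + 'To: "Oscar" <oscarbru@example.com>\n'
         'Date: Mon, 6 Feb 2006 21:00:00 +0100\nSubject: Fw: oscarbru\n')
H_BARE = FROM + 'To: oscarbru@example.com\nSubject: Fw: oscarbru\n'
H_REVERSED = FROM + 'Subject: Fw: oscarbru\nTo: oscarbru@example.com\n'
H_HAM = FROM + 'To: oscarbru@example.com\nSubject: Fw: quarterly report\n'

SAMPLES = {"angle": H_ANGLE, "gap": H_GAP, "bare": H_BARE,
           "reversed": H_REVERSED, "ham": H_HAM}

if __name__ == "__main__":
    print(f"{'sample':10} {'/i':>6} {'/is':>6} {'parser':>7}")
    for name, hdrs in SAMPLES.items():
        print(f"{name:10} {bool(ANGLE_I.search(hdrs))!s:>6} "
              f"{bool(ANGLE_IS.search(hdrs))!s:>6} "
              f"{fw_localpart_hit(hdrs)!s:>7}")
```
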




Re: Spamassassin Spam Header

2006-02-06 Thread Markus Braun




header L_S_SW_LOWPR Subject =~/\bS[o0]ftw[a4]r[e3] At L[o0]w 
Pr[i1]c[e3]s?\b/i

You have a spurious line wrap above. Join it to the end of the line
above so that it will have the "w" followed by the "Pr[". That will
help. ALWAYS run "SpamAssassin --lint" when you make a change like that
and before you tell spamd to reload.


score L_S_SW_LOWPR 3.0
describe L_S_SW_LOWPR  offers software at low price



{^_^}



I think i have a good idea. Each Day i move the spam files into the folder 
.spam. In the night i make a cronjob called this:



0 1 * * *  vmail sa-learn  --spam /var/opt/vmail/marcus/Maildir/.spam/cur *.*


But I don't know that the command is correct.

But he execute it as vmail user and not root. or?

marcus





Isn't numeric in addition ??

2006-02-06 Thread Marc Perkel

Getting a lot of these:

Argument "\0楰." isn't numeric in addition (+) at 
/usr/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/Bayes.pm line 1337, 
 line 663.


What is this?

Thanks in advance.


Re: Isn't numeric in addition ??

2006-02-06 Thread Matt Kettler
Marc Perkel wrote:
> Getting a lot of these:
> 
> Argument "\0楰." isn't numeric in addition (+) at
> /usr/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/Bayes.pm line 1337,
>  line 663.
> 
> What is this?

Usually the "isn't numeric in addition" errors are a severely borked
configuration option that you put something non-numeric in where a number 
belongs.

In this case it looks like a lot of really wild binary data is involved.

Can you run the following command and post the output?

head -n 1340 /usr/lib/perl5/site_perl/5.8.6/Mail/SpamAssassin/Bayes.pm |tail -n 5

(note: watch out for word-wrap.. that's a one-line shell command.)

That will basically give us a "snippet" view of the affected code, which can
give us an idea what variables are being added so we know where to look for the
problem.



Re: Couple of newbie questions... (repost)

2006-02-06 Thread Philip Prindeville

Matt Kettler wrote:

> Philip Prindeville wrote:
>
>> Matt Kettler wrote:
>>
>>> Philip Prindeville wrote:
>>>
>>> Philip will get no further help from me until he modifies his ACLs.
>>>
>>> Final-Recipient: rfc822; <[EMAIL PROTECTED]>
>>> Action: failed
>>> Status: 5.1.0 MAIL FROM: <[EMAIL PROTECTED]> 550 REPLY:
>>> 550_5.0.0_This_provider_is_blacklisted
>>>
>>> Sorry, I don't help people who block off entire email domains
>>> containing millions of users and then request help on a global
>>> mailing list.
>>
>> And I don't accept email from carriers that have a policy of not
>> investigating external spam complaints.
>>
>> When Comcast researches complaints from outside sources that
>> their users are a spam source (and not just complaints from others
>> of their own subscribers) then I'll stop blocking them.
>
> While I can understand that, and I'm certainly no fan of comcast's
> incident handling, do realize that you won't get any help from me as
> long as you're blocking comcast. In general I view blanket blocklisting
> of a large-scale ISP domain as a method of last resort reserved for ISPs
> with truly egregious problems.

I guess my last few experiences with Comcast lead me to
categorize them as egregious.

> Also realize that nearly all of your comcast spam problems do not have
> comcast email addresses as a return-path, and do not come through
> comcast's smarthosts. They come direct from end-user nodes with your
> typical spammer random return-path.

Right.  I believe that most ISP should have outgoing port 25 blocked
unless special provisions have been made, but that's my (fascist) point
of view.

> So while blocking email with a comcast.net return-path is a good protest
> against the ISPs policies, it's going to do very little to aid your spam
> problems. Make sure you're using a DUL RBL or blocking by RDNS of the
> delivering IP, that will be considerably more effective against spam.

I'm not protesting anything.

I'm refusing to accept email from Comcast until they become
better network citizens in the corporate sense.

A lot of ISP's don't provide RDNS for their IP pools... and with the advent
of PPPoA and PPPoE, DSL and Cable subscribers can have addresses
change in a matter of hours (as opposed to staying current for weeks at a
time which happens with DHCP, since you can continue to renew your
current allocation)... just as it does for dialup users when they hang up
and redial.

So my experience is that blocking based on rDNS is a waste of time,
and a lot of people on the mimedefang mailing list agree with that.

-Philip





Re: Couple of newbie questions... (repost)

2006-02-06 Thread Matt Kettler
Philip Prindeville wrote:

> 
> I'm not protesting anything.

So blocking Comcast is not a public gesture of disapproval?

http://dictionary.reference.com/search?q=protest

noun definition 2:

"An individual or collective gesture or display of disapproval."


> 
> I'm refusing to accept email from Comcast until they become
> better network citizens in the corporate sense.

Not all protests involve people with signs standing in the street.


> 
> A lot of ISP's don't provide RDNS for their IP pools... and with the advent
> of PPPoA and PPPoE, DSL and Cable subscribers can have addresses
> change in a matter of hours (as opposed to staying current for weeks at a
> time which happens with DHCP, since you can continue to renew your
> current allocation)... just as it does for dialup users when they hang up
> and redial.
> 
> So my experience is that blocking based on rDNS is a waste of time,
> and a lot of people on the mimedefang mailing list agree with that.

I hate to say it, but blocking based on return-path is an even greater waste of
time. Return-paths are readily forged.

While I'll agree that RDNS blocking isn't the greatest tool in the world, it's
certainly thousand times more useful in spam blocking than return-path.




Re: Couple of newbie questions... (repost)

2006-02-06 Thread Richard Ozer

Philip,

Methinks that's a very silly policy.  You aren't hurting Comcast an iota; 
but you sure are penalizing yourself, your users, and their email contacts. 
A properly configured SA box will block spam from Comcast subscribers as 
well as from anyone else so I don't see what you are trying to accomplish.


IMHO, blocking entire ISP domains makes you part of the problem and not part 
of the solution...


Then again.. you might be the only user on your system; in which case ... 
who cares!


RO

- Original Message - 
From: "Philip Prindeville" <[EMAIL PROTECTED]>

To: "Matt Kettler" <[EMAIL PROTECTED]>
Cc: 
Sent: Monday, February 06, 2006 3:30 PM
Subject: Re: Couple of newbie questions... (repost)



Matt Kettler wrote:


Philip Prindeville wrote:


Matt Kettler wrote:



Philip Prindeville wrote:



Philip will get no further help from me until he modifies his ACLs.

Final-Recipient: rfc822; <[EMAIL PROTECTED]>
Action: failed
Status: 5.1.0 MAIL FROM: <[EMAIL PROTECTED]> 550 REPLY:
550_5.0.0_This_provider_is_blacklisted

Sorry, I don't help people who block off entire email domains
containing millions of users and then request help on a global
mailing list.



And I don't accept email from carriers that have a policy of not
investigating external spam complaints.

When Comcast researches complaints from outside sources that
their users are a spam source (and not just complaints from others
of their own subscribers) then I'll stop blocking them.



While I can understand that, and I'm certainly no fan of comcast's
incident handling, do realize that you won't get any help from me as
long as you're blocking comcast. In general I view blanket blocklisting
of a large-scale ISP domain as a method of last resort reserved for ISPs
with truly egregious problems.



I guess my last few experiences with Comcast lead me to
categorize them as egregious.



Also realize that nearly all of your comcast spam problems do not have
comcast email addresses as a return-path, and do not come through
comcast's smarthosts. They come direct from end-user nodes with your
typical spammer random return-path.



Right.  I believe that most ISP should have outgoing port 25 blocked
unless special provisions have been made, but that's my (fascist) point
of view.


So while blocking email with a comcast.net return-path is a good protest
against the ISPs policies, it's going to do very little to aid your spam
problems. Make sure you're using a DUL RBL or blocking by RDNS of the
delivering IP, that will be considerably more effective against spam.



I'm not protesting anything.

I'm refusing to accept email from Comcast until they become
better network citizens in the corporate sense.

A lot of ISP's don't provide RDNS for their IP pools... and with the advent
of PPPoA and PPPoE, DSL and Cable subscribers can have addresses
change in a matter of hours (as opposed to staying current for weeks at a
time which happens with DHCP, since you can continue to renew your
current allocation)... just as it does for dialup users when they hang up
and redial.

So my experience is that blocking based on rDNS is a waste of time,
and a lot of people on the mimedefang mailing list agree with that.

-Philip








Re: Couple of newbie questions... (repost)

2006-02-06 Thread Matt Kettler
Matt Kettler wrote:

>> So my experience is that blocking based on rDNS is a waste of time,
>> and a lot of people on the mimedefang mailing list agree with that.
> 
> I hate to say it, but blocking based on return-path is an even greater waste
> of time. Return-paths are readily forged.
> 
> While I'll agree that RDNS blocking isn't the greatest tool in the world, it's
> certainly thousand times more useful in spam blocking than return-path.

And in case that doesn't make sense to you, consider this. I have a half dozen
spams in my inbox today which were sent by comcast.net PCs (I get very few
because I greylist all comcast end-user nodes).. Zero of these spam mails have a
comcast.net email address as the return.

I'd suggest checking your own mail.


Consider this porn spam:

Return-Path: <[EMAIL PROTECTED]>
Received: from bgp01061386bgs.taylor01.mi.comcast.net
    (bgp01061386bgs.taylor01.mi.comcast.net [68.40.7.208])
    by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id jBRAKsEn012564
    for <[EMAIL PROTECTED]>; Tue, 27 Dec 2005 05:21:12 -0500



If you're blocking by email address in the return-path only you're not
protecting yourself at all from the bulk of the spam sent by infected comcast
end-users.

Keep your return-path block in place if you like, it will wind up blocking spam
forging comcast addresses sent from other networks. However, I suspect you'll
find that hostname is considerably more effective here. It will certainly be
more effective at eliminating spam emanated by infected PCs in comcast's 
network.

Also, comcast's cablemodem users are the biggest problem, as they're readily
infected by viruses. Comcast is usually fairly good about having RDNS for all 
these.
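
The comparison made in this message, as an added example that is not part of the original post: a block keyed on the Return-Path domain versus one keyed on the rDNS that the receiving MTA recorded for the delivering IP. The Received line is the one quoted above; the Return-Path addresses, the other two messages and all function names are constructed for illustration, and the code assumes the topmost Received header was written by your own Sendmail-style MTA.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Sendmail-style Received: "from HELO (rdns [ip]) by ...". HELO is whatever the
# client sent; the parenthesised rDNS and IP were recorded by the receiving MTA.
RELAY_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]()]+)\s+)?"
    r"\[(?:IPv6:)?(?P<ip>[0-9A-Fa-f.:]+)\]"
)


def delivering_relay(raw):
    """Return helo/rdns/ip from the topmost Received header, or None."""
    received = message_from_string(raw).get_all("Received") or []
    if not received:
        return None
    m = RELAY_RE.search(" ".join(received[0].split()))  # unfold continuation lines
    if not m:
        return None
    return {"helo": m["helo"].lower(),
            "rdns": m["rdns"].lower() if m["rdns"] else None,  # None: no PTR record
            "ip": m["ip"]}


def in_domain(host, domain):
    """Label-aware suffix match, so notcomcast.net does not match comcast.net."""
    host, domain = host.lower().rstrip("."), domain.lower()
    return host == domain or host.endswith("." + domain)


def return_path_block(raw, domain):
    """Block decision based only on the (sender-chosen) envelope address."""
    _, addr = parseaddr(message_from_string(raw).get("Return-Path", ""))
    return in_domain(addr.rpartition("@")[2], domain) if "@" in addr else False


def rdns_block(raw, domain):
    """Block decision based on the rDNS of the delivering IP; HELO is ignored."""
    relay = delivering_relay(raw)
    return bool(relay and relay["rdns"] and in_domain(relay["rdns"], domain))


def _msg(return_path, received):
    return (f"Return-Path: <{return_path}>\nReceived: {received}\n"
            "Subject: constructed sample\n\nbody\n")


# Direct-to-MX from an end-user node: Received line as quoted in the post,
# Return-Path constructed (the archive redacted the real one).
DIRECT = _msg("qzv81@example.org",
              "from bgp01061386bgs.taylor01.mi.comcast.net\n"
              "\t(bgp01061386bgs.taylor01.mi.comcast.net [68.40.7.208])\n"
              "\tby xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id jBRAKsEn012564;\n"
              "\tTue, 27 Dec 2005 05:21:12 -0500")
# Constructed: comcast.net address forged from an unrelated network.
FORGED = _msg("forged-sender@comcast.net",
              "from mail.example.net (mail.example.net [192.0.2.10])\n"
              "\tby xanadu.evi-inc.com with SMTP; Tue, 27 Dec 2005 05:30:00 -0500")
# Constructed: no rDNS for the IP, HELO claims a comcast.net name.
NO_RDNS = _msg("abc@example.org",
               "from smtp.comcast.net ([198.51.100.7])\n"
               "\tby xanadu.evi-inc.com with SMTP; Tue, 27 Dec 2005 05:40:00 -0500")

if __name__ == "__main__":
    for name, raw in (("direct", DIRECT), ("forged", FORGED), ("no-rdns", NO_RDNS)):
        print(name, delivering_relay(raw),
              "return-path block:", return_path_block(raw, "comcast.net"),
              "rDNS block:", rdns_block(raw, "comcast.net"))
```

The third sample shows the limit raised elsewhere in the thread: an IP with no rDNS passes a hostname-based block, so it needs a separate policy such as a DUL list.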







Re: Couple of newbie questions... (repost)

2006-02-06 Thread Philip Prindeville

Matt Kettler wrote:

> Philip Prindeville wrote:
>
>> I'm not protesting anything.
>
> So blocking Comcast is not a public gesture of disapproval?
>
> http://dictionary.reference.com/search?q=protest
>
> noun definition 2:
>
> "An individual or collective gesture or display of disapproval."

No, it's an effective counter-measure to spam.

>> I'm refusing to accept email from Comcast until they become
>> better network citizens in the corporate sense.
>
> Not all protests involve people with signs standing in the street.

Why should I attempt to triage messages from them into spam and non-spam
categories, if they aren't going to make any use of that effort by
investigating the spam complaints?

I will work with them when they're ready to work with me.

>> A lot of ISP's don't provide RDNS for their IP pools... and with the advent
>> of PPPoA and PPPoE, DSL and Cable subscribers can have addresses
>> change in a matter of hours (as opposed to staying current for weeks at a
>> time which happens with DHCP, since you can continue to renew your
>> current allocation)... just as it does for dialup users when they hang up
>> and redial.
>>
>> So my experience is that blocking based on rDNS is a waste of time,
>> and a lot of people on the mimedefang mailing list agree with that.
>
> I hate to say it, but blocking based on return-path is an even greater waste of
> time. Return-paths are readily forged.

Which is why I block on incoming IP addresses.  It's an artifact of Sendmail
to not generate an error response until the MAIL FROM: has been seen...

> While I'll agree that RDNS blocking isn't the greatest tool in the world, it's
> certainly thousand times more useful in spam blocking than return-path.

Perhaps, but I'm not doing anything with Return-paths.

Telnet to my server and check for yourself.

-Philip




Re: Couple of newbie questions... (repost)

2006-02-06 Thread Philip Prindeville

Richard Ozer wrote:

> Philip,
>
> Methinks that's a very silly policy.  You aren't hurting Comcast an
> iota; but you sure are penalizing yourself, your users, and their
> email contacts. A properly configured SA box will block spam from
> Comcast subscribers as well as from anyone else so I don't see what
> you are trying to accomplish.

I am my users, for the most part.

I run a small start-up company and run the mail server here.

I have no regular correspondents that are Comcast subscribers, outside
of the occasional respondent from a mailing list such as Matt.

As for properly configured SA... Well, maybe I'm lacking technical
competence and going for the low-hanging fruit, then.

Spam does occasionally get in, and I will report it to the provider if I
believe for an instant that they will investigate it in good faith.

Yes, I block Comcast.  I also block ALL of these Japanese, Thai,
Chinese (Chicom only), Korean, Singaporean, New Zealander,
Romanian, Italian, Polish, ... (get the idea) network addresses that I
was able to deduce through CIDR block inferences.

I.e. any provider or country that doesn't have an institutional policy
of prosecuting spam senders...

BTW:  A finer point is that I block Comcast USER IP addresses.  If
Comcast has mail servers that have a separate address block (and most
ISP's do) and users send their outgoing email through their provider's
relay, then I will happily accept those messages.  I will not accept email
coming from the subscriber IP address blocks, however.

> IMHO, blocking entire ISP domains makes you part of the problem and
> not part of the solution...

I'm not generating spam, so I fail to see the equivalence.  Nor am I
providing a relay or other "safe haven" for spammers.

It's a nice platitude, but doesn't bear up to scrutiny.

It smacks of a sort of "us" and "them" mentality.  In addition to "us"
and "them", there's also "everyone else".

> Then again.. you might be the only user on your system; in which case
> ... who cares!

Exactly.  You've come around to my point of view.

-Philip

> RO





[OT] SpamAssassin Developer for Hire

2006-02-06 Thread Duncan Findlay
I am currently seeking employment for 8 or 9 weeks in May and June
2006.[1] I would greatly enjoy working for a company involved in the
anti-spam / e-mail security industry, especially if it would allow me
to use or contribute to the Apache SpamAssassin project.

As you may know, I've been a SpamAssassin developer since 2002,
although I have contributed little recently -- being at school
full-time seems to get in the way of that. Last summer, I worked for
IronPort Systems as an Anti-Spam Developer and I greatly enjoyed the
experience.

I am located in Toronto, Ontario (Canada) and/or Kingston, Ontario,
and I am not eager to relocate for such a short term. I would be
interested in working in either of these two cities or the surrounding
areas, or remotely.[2]

If your company would be interested in hiring a highly motivated and
skilled young computer programmer with extensive experience in the
anti-spam industry, I would love to hear from you.

I realize that this is a rather short period of time, but I am
confident I could tackle a sizeable project in this time frame.

My resume is available online at the following address:

http://people.apache.org/~duncf/DuncanFindlay.pdf

Please feel free to forward this message to anyone that may be
interested. References are available on request.

Thank you,
Duncan Findlay

[1] More precisely, I'd like to work May, June and the first little
bit of July. I am going to be travelling in Europe for the last half
of the summer, from mid-July to the end of August.

[2] Some travel, on the other hand, would be perfectly fine. I just do
not want to deal with the hassles of finding somewhere to live,
furnishings, etc. for a short period. If this were a permanent job, I
would be happy to relocate.




Re: Couple of newbie questions... (repost)

2006-02-06 Thread Matt Kettler
Philip Prindeville wrote:
>
> I.e. any provider or country that doesn't have an institutional policy
> of prosecuting spam senders...
Erm, so you're going to block all of the US, correct?
> BTW:  A finer point is that I block Comcast USER IP addresses.  If
> Comcast has mail servers that have a separate address block (and most
> ISP's do) and users send their outgoing email through their provider's
> relay, then I will happily accept those messages.  I will not accept
> email
> coming from the subscriber IP address blocks, however.

No Phillip, You currently block comcast SERVER addresses. I use
comcast's relays. I do NOT direct deliver. My message sent directly to
you bounced.

Earlier I suggested you should do this, and you essentially blew me off.
Now you're trying to claim this is the configuration you use, when
evidence suggests otherwise.


>
>> IMHO, blocking entire ISP domains makes you part of the problem and
>> not part of the solution...

>> Then again.. you might be the only user on your system; in which case
>> ... who cares!
>
>
> Exactly.  You've come around to my point of view.

I agree. I only care to the extent that I refuse to offer free tech help
to those that block my ISP. *shrug*




Re: Couple of newbie questions... (repost)

2006-02-06 Thread Daryl C. W. O'Shea

Philip Prindeville wrote:

> As for properly configured SA... Well, maybe I'm lacking technical
> competence and going for the low-hanging fruit, then.

Refusing help from Matt Kettler sure rules out getting a lot of that
low-hanging fruit.

Daryl



Re[2]: spam still isn't being caught much.

2006-02-06 Thread Robert Menschel
Hello Brian,

Sunday, February 5, 2006, 4:52:00 AM, you wrote:

BSM> If I use spamassassin -D --lint then it reveals that I'm at 3.0.2

BSM> I have posted the x-spam-status from 15 messages at
BSM> http://www.meehanontheweb.com/xspamstatus.txt
BSM> (the "software_spam_rule", which looks for 'software' in the subject, is
BSM> one I wrote in local.cf)

BSM> Autolearn sometimes says "failed" but most often says "no".

BSM> Sans rules, here is what I have in local.cf:

Sans rules?  What rules do you have in local.cf?  When you do a
spamassassin --lint (no -D for this test), do you get any error
messages? An error in custom rules could contribute to the problems
you're having.

Bob Menschel





Re: Couple of newbie questions... (repost)

2006-02-06 Thread Philip Prindeville

Matt Kettler wrote:

> Philip Prindeville wrote:
>
>> I.e. any provider or country that doesn't have an institutional policy
>> of prosecuting spam senders...
>
> Erm, so you're going to block all of the US, correct?

No.  We have laws against spam that hopefully most legitimate ISP's attempt
to conform to.

>> BTW:  A finer point is that I block Comcast USER IP addresses.  If
>> Comcast has mail servers that have a separate address block (and most
>> ISP's do) and users send their outgoing email through their provider's
>> relay, then I will happily accept those messages.  I will not accept
>> email coming from the subscriber IP address blocks, however.
>
> No Phillip, You currently block comcast SERVER addresses. I use
> comcast's relays. I do NOT direct deliver. My message sent directly to
> you bounced.

Then I've not deduced what addresses are used for users and which
block is allocated to servers...

> Earlier I suggested you should do this, and you essentially blew me off.
> Now you're trying to claim this is the configuration you use, when
> evidence suggests otherwise.

You said that I was blocking based on Return-path:'s, and your
argument was predicated on that.

I don't block on Return-path's, as I've hopefully made clear.

It's possible that the addresses that I block include both server and
user addresses and that I've not partitioned correctly.

Do you have a complete list of IP CIDR blocks used by Comcast,
or know where they can be found?

I'm not sure I trust their SPF records...  (actually, I doubt that they
allow zone transfers anyway)

-Philip

>>> IMHO, blocking entire ISP domains makes you part of the problem and
>>> not part of the solution...
>
>>> Then again.. you might be the only user on your system; in which case
>>> ... who cares!
>>
>> Exactly.  You've come around to my point of view.
>
> I agree. I only care to the extent that I refuse to offer free tech help
> to those that block my ISP. *shrug*


 







RE: Couple of newbie questions... (repost)

2006-02-06 Thread Gary W. Smith
Philip, 

From what I have read, people have given you complete and logical advice
on how to do this properly.  Yeah, the US has laws regarding SPAM.  They
also have laws on drinking and driving.  Laws are reactive.  But, if
you wish to forego the advice of list members then you should probably
really think about the next question.  Is the mini-flame war you're
trying to conduct productive to the preventing of spam, i.e. this group?

I'd check the archives... Matt's been around for a while.  His advice
is usually on the money.

Gary Wayne Smith

> -Original Message-
> From: Philip Prindeville [mailto:[EMAIL PROTECTED]
> Sent: Monday, February 06, 2006 8:16 PM
> To: Matt Kettler
> Cc: users@spamassassin.apache.org
> Subject: Re: Couple of newbie questions... (repost)
> 
> Matt Kettler wrote:
> 
> >Philip Prindeville wrote:
> >
> >
> >>I.e. any provider or country that doesn't have an institutional policy
> >>of prosecuting spam senders...
> >>
> >>
> >Erm, so you're going to block all of the US, correct?
> >
> >
> 
> No.  We have laws against spam that hopefully most legitimate ISP's
> attempt
> to conform to.
> 


Re: Couple of newbie questions... (repost)

2006-02-06 Thread Philip Prindeville

I'm not waging any mini-flames.

I was asked (and I assumed it was with sincerity) what
I did and why, and I answered with sincerity.

I'm not saying what I do is the best solution, or advocate
anyone else doing the same thing.

And yes, we have laws against drinking and driving: If
I said that I was a tee-totaler that never left the house and didn't
drive, would anyone try to convince me that I should live
otherwise?

-Philip


Gary W. Smith wrote:

> Philip,
>
> From what I have read, people have given you complete and logical advice
> on how to do this properly.  Yeah, the US has laws regarding SPAM.  They
> also have laws on drinking and driving.  Laws are reactive.  But, if
> you wish to forego the advice of list members then you should probably
> really think about the next question.  Is the mini-flame war you're
> trying to conduct productive to the preventing of spam, i.e. this group?
>
> I'd check the archives... Matt's been around for a while.  His advice
> is usually on the money.
>
> Gary Wayne Smith
>
>> -Original Message-
>> From: Philip Prindeville [mailto:[EMAIL PROTECTED]
>> Sent: Monday, February 06, 2006 8:16 PM
>> To: Matt Kettler
>> Cc: users@spamassassin.apache.org
>> Subject: Re: Couple of newbie questions... (repost)
>>
>> Matt Kettler wrote:
>>
>>> Philip Prindeville wrote:
>>>
>>>> I.e. any provider or country that doesn't have an institutional policy
>>>> of prosecuting spam senders...
>>>
>>> Erm, so you're going to block all of the US, correct?
>>
>> No.  We have laws against spam that hopefully most legitimate ISP's
>> attempt to conform to.





Re: Couple of newbie questions... (repost)

2006-02-06 Thread Matt Kettler
Philip Prindeville wrote:
> Matt Kettler wrote:
>
>> Philip Prindeville wrote:
>>  
>>
>>> I.e. any provider or country that doesn't have an institutional policy
>>> of prosecuting spam senders...
>>>   
>> Erm, so you're going to block all of the US, correct?
>>  
>>
>
> No.  We have laws against spam that hopefully most legitimate ISP's
> attempt
> to conform to.

Erm, no we don't. U-CAN-SPAM doesn't exactly count as a law against
spam. After all, there's nothing in it that prohibits spamming. As long
as you follow a few rules about the format you can carpet bomb people
with spam all you like.
>
>> No Phillip, You currently block comcast SERVER addresses. I use
>> comcast's relays. I do NOT direct deliver. My message sent directly to
>> you bounced.
>>  
>>
>
> Then I've not deduced what addresses are used for users and which
> block is allocated to servers...

Fair enough. This conversation started when I pointed out you were
blocking comcast's *entire* network. I did so because you failed to
accept mail properly relayed through their servers.

>
>
>> Earlier I suggested you should do this, and you essentially blew me off.
>> Now you're trying to claim this is the configuration you use, when
>> evidence suggests otherwise.
>>  
>>
>
> You said that I was blocking based on Return-path:'s, and your
> argument was predicated on that.
>
> I don't block on Return-path's, as I've hopefully made clear.
Yes, you made that clear in your last message in this thread.. I'm still
unsure why you waited so long to point out your policy. Your earlier
messages simply stated you block comcast. You made no qualifications
about not blocking servers when you stated:

"And I don't accept email from carriers that have a policy of not 
investigating external spam complaints. "

That statement has a pretty strong implication that you aren't
intending a partial block, but a complete absolute block of the whole ISP.
>
> It's possible that the addresses that I block include both server and
> user addresses and that I've not partitioned correctly.
>
> Do you have a complete list of IP CIDR blocks used by Comcast,
> or know where they can be found?
No I don't but I can point out the following smarthost servers
(extracted from my own posts to the list) these hosts appear to be
multi-homed with multiple IPs (try an A record query for one, you should
get back several addresses).. I've organized them by IP range for your
convenience.

rwcrmhc11.comcast.net 204.127.192.81
rwcrmhc12.comcast.net 204.127.192.82
rwcrmhc13.comcast.net 204.127.192.83
rwcrmhc14.comcast.net 204.127.192.84
rwcrmhc15.comcast.net 204.127.192.85

rwcrmhc11.comcast.net 204.127.198.35
rwcrmhc12.comcast.net 204.127.198.39
rwcrmhc13.comcast.net 204.127.198.39

rwcrmhc12.comcast.net 204.127.192.82
rwcrmhc13.comcast.net 204.127.192.83
rwcrmhc14.comcast.net 204.127.192.84

rwcrmhc12.comcast.net 216.148.227.85
rwcrmhc14.comcast.net 216.148.227.89

rwcrmhc11.comcast.net 216.148.227.151
rwcrmhc12.comcast.net 216.148.227.152
rwcrmhc13.comcast.net 216.148.227.153
rwcrmhc14.comcast.net 216.148.227.154

>
> I'm not sure I trust their SPF records...
Comcast doesn't have any SPF records.
> (actually, I doubt that they
> allow zone transfers anyway)
What does zone transfer have to do with SPF? Why would you want to zone
transfer just to get a SPF record when it's a couple of TXT queries at most?




Re: Couple of newbie questions... (repost)

2006-02-06 Thread MATSUDA Yoh-ichi
Hello,

From: Matt Kettler <[EMAIL PROTECTED]>
Subject: Re: Couple of newbie questions... (repost)
Date: Mon, 06 Feb 2006 18:59:34 -0500

(snip...)

> Consider this porn spam:
> 
> Return-Path: <[EMAIL PROTECTED]>
> Received: from bgp01061386bgs.taylor01.mi.comcast.net
> (bgp01061386bgs.taylor01.mi.comcast.net [68.40.7.208])
>   by xanadu.evi-inc.com (8.12.8/8.12.8) with SMTP id jBRAKsEn012564
>   for <[EMAIL PROTECTED]>; Tue, 27 Dec 2005 05:21:12 -0500

I have some ideas for catching spam that comes from 'comcast.net' dynamic IPs.

(1) update 'HELO_DYNAMIC_COMCAST'

#---
header HELO_DYNAMIC_COMCAST2 X-Spam-Relays-Untrusted =~ /helo=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net .+ident= envfrom= intl=0 .+auth= /
describe HELO_DYNAMIC_COMCAST2 Relay HELO'd using suspicious hostname (Comcast)
score HELO_DYNAMIC_COMCAST2 2.800 2.800 3.237 3.500
#---

In '20_fake_helo_tests.cf', HELO_DYNAMIC_COMCAST is obsolete, I think.
Comcast's FQDN format has been updated; almost all FQDNs are:

| $ host 68.40.7.208
| Name: c-68-40-7-208.hsd1.mi.comcast.net
| Address: 68.40.7.208


(2) make site-local rules

Ex.
All mail that comes to me is passed through the receiver MTA 'mail.flcl.org'.
So, I write:

#---
# Attention: do not simply copy & paste the rules below!
# You MUST rewrite 'by=' to match your own receiver MTA!
header DIRECTCOMCAST X-Spam-Relays-Untrusted =~ /rdns=c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net .+ by=mail\.flcl\.org ident= envfrom= intl=0 .+auth= /
describe DIRECTCOMCAST directly received spam from COMCAST
score DIRECTCOMCAST 1.0

meta ___DCN RAZOR2_CHECK || PYZOR_CHECK || DCC_CHECK

meta DIRECTCOMCASTDCN ___DCN && DIRECTCOMCAST
score DIRECTCOMCASTDCN 3.5

meta DIRECTCOMCAST99 BAYES_99 && DIRECTCOMCAST
score DIRECTCOMCAST99 3.5

meta ___SURBL URIBL_AB_SURBL || URIBL_OB_SURBL || URIBL_PH_SURBL || URIBL_SC_SURBL || URIBL_WS_SURBL || URIBL_JP_SURBL || URIBL_SC2_SURBL || URIBL_XS_SURBL

meta DIRECTCOMCASTSURBL ___SURBL && DIRECTCOMCAST
score DIRECTCOMCASTSURBL 2.0
#---

The first rule detects mail sent directly from dynamic IPs to my
receiver MTA.
But it only indicates a probability of spam.
So, I use meta rules to detect spam more strictly.

> Also, comcast's cablemodem users are the biggest problem, as they're readily
> infected by viruses. Comcast is usually fairly good about having RDNS for all 
> these.

But almost all IPs on comcast.net have FQDNs set.
So, for comcast.net's IPs it is easier to decide whether they are dynamic
IPs or not than for Asian ISPs' IPs.
--
Nothing but a peace sign.
MATSUDA Yoh-ichi(yoh)
mailto:[EMAIL PROTECTED]
http://www.flcl.org/~yoh/diary/ (only Japanese)
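
The role of the by= anchor in the DIRECTCOMCAST rule above, as an added example that is not part of the original post: it parses X-Spam-Relays-Untrusted style strings and flags only subscriber hosts that connected straight to the receiving MTA. The relay strings are constructed, mail.example.org and the function names are hypothetical, and Python's re stands in for SpamAssassin's Perl regex engine.

```python
import re

# rDNS shape from the DIRECTCOMCAST rule in the post, anchored to the whole
# rdns field (example: c-68-40-7-208.hsd1.mi.comcast.net).
SUBSCRIBER_RDNS = re.compile(r"^c-\d{2,3}(-\d{1,3}){3}\.hsd1\.\w\w\.comcast\.net$")

# One "[ key=value ... ]" group per relay in X-Spam-Relays-Untrusted.
RELAY_GROUP = re.compile(r"\[ (.*?) \]")

OUR_MTA = "mail.example.org"  # hypothetical receiver MTA, the rule's by= value

# Constructed pseudo-header values (not taken from real mail).
SAMPLES = {
    # Subscriber host connects straight to our MTA.
    "direct": (
        "[ ip=68.40.7.208 rdns=c-68-40-7-208.hsd1.mi.comcast.net "
        "helo=c-68-40-7-208.hsd1.mi.comcast.net by=mail.example.org "
        "ident= envfrom= intl=0 id=A1 auth= ]"
    ),
    # Subscriber submits to the ISP smarthost, which then delivers to us.
    "via_smarthost": (
        "[ ip=204.127.192.81 rdns=rwcrmhc11.comcast.net "
        "helo=rwcrmhc11.comcast.net by=mail.example.org "
        "ident= envfrom= intl=0 id=A2 auth= ] "
        "[ ip=68.40.7.208 rdns=c-68-40-7-208.hsd1.mi.comcast.net "
        "helo=desktop by=rwcrmhc11.comcast.net "
        "ident= envfrom= intl=0 id=A3 auth= ]"
    ),
    # Same IP under the older host name seen in the quoted Received: header.
    "old_style_rdns": (
        "[ ip=68.40.7.208 rdns=bgp01061386bgs.taylor01.mi.comcast.net "
        "helo=bgp01061386bgs.taylor01.mi.comcast.net by=mail.example.org "
        "ident= envfrom= intl=0 id=A4 auth= ]"
    ),
}


def parse_relays(pseudo_header):
    """Return one dict of fields per relay, in the order they appear."""
    relays = []
    for group in RELAY_GROUP.findall(pseudo_header):
        fields = {}
        for token in group.split():
            key, _, value = token.partition("=")
            fields[key] = value  # empty fields such as "ident=" become ""
        relays.append(fields)
    return relays


def direct_subscriber_hits(pseudo_header, our_mta, require_by=True):
    """IPs of relays whose rDNS looks like a subscriber host.

    With require_by=True only the hop that handed the mail to our_mta
    counts, which is what the by= part of the rule enforces.
    """
    hits = []
    for relay in parse_relays(pseudo_header):
        if not SUBSCRIBER_RDNS.match(relay.get("rdns", "")):
            continue
        if require_by and relay.get("by") != our_mta:
            continue
        hits.append(relay.get("ip"))
    return hits


if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(name,
              direct_subscriber_hits(header, OUR_MTA),
              direct_subscriber_hits(header, OUR_MTA, require_by=False))
```

Without the by= condition, mail relayed properly through the smarthost is flagged because of the subscriber hop behind it; the old-style host name is missed by the pattern either way.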


Re: Couple of newbie questions... (repost)

2006-02-06 Thread Philip Prindeville

Matt Kettler wrote:

> Philip Prindeville wrote:
>
>> Matt Kettler wrote:
>>
>>> Philip Prindeville wrote:
>>>
>>>> I.e. any provider or country that doesn't have an institutional policy
>>>> of prosecuting spam senders...
>>>
>>> Erm, so you're going to block all of the US, correct?
>>
>> No.  We have laws against spam that hopefully most legitimate ISP's
>> attempt to conform to.
>
> Erm, no we don't. U-CAN-SPAM doesn't exactly count as a law against
> spam. After all, there's nothing in it that prohibits spamming. As long
> as you follow a few rules about the format you can carpet bomb people
> with spam all you like.

It does prohibit you from hiding or disguising your identity, however.

>>> No Phillip, You currently block comcast SERVER addresses. I use
>>> comcast's relays. I do NOT direct deliver. My message sent directly to
>>> you bounced.
>>
>> Then I've not deduced what addresses are used for users and which
>> block is allocated to servers...
>
> Fair enough. This conversation started when I pointed out you were
> blocking comcast's *entire* network. I did so because you failed to
> accept mail properly relayed through their servers.

I just went on www.arin.net and tried to do a match on all of Comcast's
network handles, but unfortunately it gives no explanation as to how
they are used (some addresses are reserved, for instance, for VoIP devices).

I'll send them an email and see if they care to post the CIDR blocks.

>>> Earlier I suggested you should do this, and you essentially blew me off.
>>> Now you're trying to claim this is the configuration you use, when
>>> evidence suggests otherwise.
>>
>> You said that I was blocking based on Return-path:'s, and your
>> argument was predicated on that.
>>
>> I don't block on Return-path's, as I've hopefully made clear.
>
> Yes, you made that clear in your last message in this thread.. I'm still
> unsure why you waited so long to point out your policy. Your earlier
> messages simply stated you block comcast. You made no qualifications
> about not blocking servers when you stated:
>
> "And I don't accept email from carriers that have a policy of not
> investigating external spam complaints. "
>
> That statement has a pretty strong implication that you aren't
> intending a partial block, but a complete absolute block of the whole ISP.

Well, I don't know why that assumption was made...  I spent years at
Cisco, Wellfleet, Bellcore, and France Telecom (13 years total)...  I'm an
IP and routing person.  I seek truth in dotted-quads.

It's easy to forge a MAIL FROM:.  It's a lot harder to forge a source
address.

>> It's possible that the addresses that I block include both server and
>> user addresses and that I've not partitioned correctly.
>>
>> Do you have a complete list of IP CIDR blocks used by Comcast,
>> or know where they can be found?
>
> No I don't but I can point out the following smarthost servers
> (extracted from my own posts to the list) these hosts appear to be
> multi-homed with multiple IPs (try an A record query for one, you should
> get back several addresses).. I've organized them by IP range for your
> convenience.
>
> rwcrmhc11.comcast.net 204.127.192.81
> rwcrmhc12.comcast.net 204.127.192.82
> rwcrmhc13.comcast.net 204.127.192.83
> rwcrmhc14.comcast.net 204.127.192.84
> rwcrmhc15.comcast.net 204.127.192.85
>
> rwcrmhc11.comcast.net 204.127.198.35
> rwcrmhc12.comcast.net 204.127.198.39
> rwcrmhc13.comcast.net 204.127.198.39
>
> rwcrmhc12.comcast.net 204.127.192.82
> rwcrmhc13.comcast.net 204.127.192.83
> rwcrmhc14.comcast.net 204.127.192.84

Ok, I've unblocked this class B.

> rwcrmhc12.comcast.net 216.148.227.85
> rwcrmhc14.comcast.net 216.148.227.89
>
> rwcrmhc11.comcast.net 216.148.227.151
> rwcrmhc12.comcast.net 216.148.227.152
> rwcrmhc13.comcast.net 216.148.227.153
> rwcrmhc14.comcast.net 216.148.227.154

I managed to miss these.  Go figure.

>> I'm not sure I trust their SPF records...
>
> Comcast doesn't have any SPF records.

That would be a good reason not to.

>> (actually, I doubt that they
>> allow zone transfers anyway)
>
> What does zone transfer have to do with SPF? Why would you want to zone
> transfer just to get a SPF record when it's a couple of TXT queries at most?

My mistake...  I was thinking of a previous DNS-based approach to
authenticating email.  I went back and read the SPF draft, and you're
right, it's under the domain name and not keyed on the address.

-Philip




Personal rule matching ToCc

2006-02-06 Thread Ramprasad
Hi,
   I want to write a personal domain-wise rule 
The rule I am using now is 

 header __TO_DOMAIN_NET ToCc =~ /[EMAIL PROTECTED]/i

But the above rule would match "@domain.net" as well as
"@domain.net.in" 
Which is the best way to match only @domain.net and not @domain.net.in 

Thanks
Ram