Re: Any of you able to block this SPAM?

2006-05-09 Thread Michael Monnerie
On Monday, 8 May 2006 10:34 Trevor wrote:
 I've been receiving a number of these emails below.
 Are any of you getting them and having any luck blocking them?

Yes, your message made:

X-Spam-Status: Yes, hits=7.945 tagged_above=-999 required=5
 tests=HTML_IMAGE_ONLY_08=3.126, HTML_MESSAGE=0.001, HTML_TITLE_EMPTY=0.214,
 INVALID_TZ_GMT=1.042, RELAY_AT=0.01, SARE_GIF_ATTACH=0.75,
 SARE_GIF_STOX=1.66, SPF_FAIL=1.142

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   lynx -source http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




SPF whitelisting from id for all sub domains

2006-05-09 Thread Ramprasad
Hi,
  I am using spamassassin with postfix on Linux. I am using
def_whitelist_from_spf rules for whitelisting popular newsletter mails.

Some domains send mails with the From id as a subdomain of the main domain,
e.g.
[EMAIL PROTECTED]

How do I whitelist such ids (the subdomain does not have an SPF
record)?


Thanks
Ram




Re: Latest sa-stats from last week

2006-05-09 Thread Michael Monnerie
On Monday, 8 May 2006 21:52 Mike Jackson wrote:
 DNS_FROM_RFC_ABUSE
 but to have your #1 *ham* rule be one
 that's supposed to identify *spam* doesn't speak well for the rule

Isn't the intention of RFC_ABUSE to list any site that abuses RFC? So 
you can't really believe that it wants to identify SPAM, but rather 
domains which do not play within the rules.

For the same reason, SPF cannot be used to identify SPAM or HAM. It's to 
see if a message is forged, nothing more. Of course, it hits for SPAM 
trying to forge messages, so that way it helps a lot...

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   lynx -source http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




SoC student application deadline extended

2006-05-09 Thread Justin Mason
http://google-code-updates.blogspot.com/2006/05/soc-student-application-deadline-has.html

Monday, May 08, 2006
SoC Student Application Deadline Has Been Extended
We've decided to extend the Summer of Code 2006 student application
deadline to 11:00 PDT on Tuesday, May 9th. Thanks to all of you who've
applied and for those who haven't yet, keep those applications coming!

posted by Leslie Hawthorn at 3:22 PM  


RE: Latest sa-stats from last week

2006-05-09 Thread Bowie Bailey
jdow wrote:
 From: Bowie Bailey [EMAIL PROTECTED]
 
   wrote:
 TOP SPAM RULES FIRED
 
 RANK RULE NAME    COUNT  %OFRULES %OFMAIL %OFSPAM %OFHAM
 
    1 URIBL_BLACK 163397      7.09   29.11   78.05   0.50

Nice.

How does that Queen song go??  We... are...  ;)
   
   LOL!  Congrats!
  
  I'll second that!  I think the network tests are taking over...
  
  TOP SPAM RULES FIRED
  
  RANK RULE NAME  COUNT %OFRULES %OFMAIL %OFSPAM %OFHAM
  
     6 BAYES_99   26754     4.19   44.49   67.00   3.06
 
 Holy spoo! Bayes can do MUCH better than that!
 {O.O}

I'm sure it can, but I've got per-user Bayes and most of my users
don't bother to train it.

-- 
Bowie


Re: Latest sa-stats from last week

2006-05-09 Thread Michael Monnerie
On Tuesday, 9 May 2006 16:18 Bowie Bailey wrote:
 I've got per-user Bayes and most of my users
 don't bother to train it.

Another reason for site-wide bayes, I'd say.

Kind regards, zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   lynx -source http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




RE: spams regarding financing of residence and GeoCities

2006-05-09 Thread Chris Santerre

 I heard some people opine that GeoCities is doing a lot to combat
 spam.
 
 I received a recent spam about financing of residence that sent me
 to a Geocities page. 
 
 Just how difficult would it be to block similar kinds of pages? 
 
 Not too difficult if they wanted to. So, I am not sure if they are
 really trying to stay on top of the game. 


I've screamed about this various time on various lists. It ABSOLUTELY can be brought under control. And they are NOT doing enough to stop it. 

Writing local rules is only a bandaid. 


Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com





My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
I probably get a FP about once a week as somebody will opt in a mailing list 
and a listed URL is in
the mailing.

When I get these complaints, I exempt the mailing list from the procmail rules 
so that the mailing
list doesn't get scanned by SA.

Just my 2 cents.




|  This isn't to say that URIBL_BLACK isn't useful, or that you
|  guys aren't doing a good job. However, this is good evidence
|  you guys are doing great, but you do still have some areas
|  that could use improvement.
| 
|
| thanks, i think. ;)
|
| our fp ratio for ham has always been hanging at that level.  i think thats a
| good sign.  it means the data in our zones that are causing those ham hits
| have not changed, and no one has notified us that they need removal.
| doesnt worry me a bit.
|
| we welcome your delist requests if you actually find a FP (that we can agree
| on) on black.uribl.com.  :)
|
| d
|
|



RE: Latest sa-stats from last week

2006-05-09 Thread Bowie Bailey
Michael Monnerie wrote:
 On Tuesday, 9 May 2006 16:18 Bowie Bailey wrote:
  I've got per-user Bayes and most of my users
  don't bother to train it.
 
 Another reason for site-wide bayes, I'd say.

I've considered that, but it won't work in our setup.  This box scans
our internal email as well as all of our customer's email.  Since we
are in an entirely different line of business from our customers, what
we consider to be ham and spam will be quite different from theirs.
If I could train it on both sets, it might work, but I don't have
access to any of their emails for training.

Also, I really prefer a per-user bayes for our internal email since
there are various accounts that get a specific type of ham and work
very well with Bayes.

-- 
Bowie


Re: Latest sa-stats from last week

2006-05-09 Thread qqqq
|  Holy spoo! Bayes can do MUCH better than that!
|  {O.O}
|
| I'm sure it can, but I've got per-user Bayes and most of my users
| don't bother to train it.
|

I'm in a similar situation as Bowie.  I had to turn off Bayes as mail that was
obviously spam was getting a Bayes_0 pulling the # back down under the threshold.





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Randal, Phil
But.

There are some spammers who run subscribe to mailing lists.

I got spam at home the other day from ediets.co.uk, for example.

I call this stuff subscription spam and would block most of it anyway.

Cheers,

Phil


Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

 -Original Message-
 From:  [mailto:[EMAIL PROTECTED] 
 Sent: 08 May 2006 22:38
 To: [EMAIL PROTECTED]; users@spamassassin.apache.org
 Subject: My only problem with URIBL_BLACK
 
 I probably get a FP about once a week as somebody will opt in 
 a mailing list and a listed URL is in
 the mailing.
 
 When I get these complaints, I exempt the mailing list from 
 the procmail rules so that the mailing
 list doesn't get scanned by SA.
 
 Just my 2 cents.
 
 
 
 
 |  This isn't to say that URIBL_BLACK isn't useful, or that you
 |  guys aren't doing a good job. However, this is good evidence
 |  you guys are doing great, but you do still have some areas
 |  that could use improvement.
 | 
 |
 | thanks, i think. ;)
 |
 | our fp ratio for ham has always been hanging at that level. 
  i think thats a
 | good sign.  it means the data in our zones that are causing 
 those ham hits
 | have not changed, and no one has notified us that they need removal.
 | doesnt worry me a bit.
 |
 | we welcome your delist requests if you actually find a FP 
 (that we can agree
 | on) on black.uribl.com.  :)
 |
 | d
 |
 |
 


RE: Latest sa-stats from last week

2006-05-09 Thread Dallas L. Engelken
 -Original Message-
 From:  [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 10:27
 To: Bowie Bailey; users@spamassassin.apache.org
 Subject: Re: Latest sa-stats from last week
 
 |  Holy spoo! Bayes can do MUCH better than that!
 |  {O.O}
 |
 | I'm sure it can, but I've got per-user Bayes and most of my users 
 | don't bother to train it.
 |
 
 I'm in a similar situation as Bowie.  I had to turn of Bayes 
 as mail that was obviously spam was getting a Bayes_0 pulling 
 the # back down under the threshold.
 

so why not just score BAYES_00, BAYES_20, etc all at 0... and keep
BAYES_99, BAYES_95, etc scoring what they score.  if you trust its spam
accuracy but not its ham accuracy, that would be the logical way to go i
would say?

d


Re: Latest sa-stats from last week

2006-05-09 Thread qqqq
|  I'm in a similar situation as Bowie.  I had to turn of Bayes 
|  as mail that was obviously spam was getting a Bayes_0 pulling 
|  the # back down under the threshold.
|  
| 
| so why not just score BAYES_00, BAYES_20, etc all at at 0... and keep
| BAYES_99, BAYES_95, etc scoring what they score.  if you trust its spam
| accuracy but not its ham accuracy, that would be the logical way to go i
| would say?


Hmm...good point.

I think I'll try that.  

Smack on head



Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
| But.
| 
| There are some spammers who run subscribe to mailing lists.
| 
| I got spam at home the other day from ediets.co.uk, for example.
| 
| I call this stuff subscription spam and would block most of it anyway.
| 
| Cheers,
| 
| Phil

Easier said than done when you have a paying customer who wants this specific 
mailing.


[no subject]

2006-05-09 Thread Bowie Bailey
Does anyone know if the AuthCourier.pm module that is described on the
page linked below works with SA 3.1.1?

http://da.andaka.org/Doku/courier-spamassassin.html

--
Bowie


Re: My only problem with URIBL_BLACK

2006-05-09 Thread Jay Lee

 wrote:

| But.
| 
| There are some spammers who run subscribe to mailing lists.
| 
| I got spam at home the other day from ediets.co.uk, for example.
| 
| I call this stuff subscription spam and would block most of it anyway.
| 
| Cheers,
| 
| Phil


Easier said than done when you have a paying customer who wants this specific 
mailing.
  
Have you tried lowering the score of the spamassassin rules that are 
getting hit?


Jay


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre

 | But.
 | 
 | There are some spammers who run subscribe to mailing lists.
 | 
 | I got spam at home the other day from ediets.co.uk, for example.
 | 
 | I call this stuff subscription spam and would block most 
 of it anyway.
 | 
 | Cheers,
 | 
 | Phil
 
 Easier said than done when you have a paying customer who 
 wants this specific mailing.


Voluntary Human Shields. They should find another provider, as the needs of the many outweigh the needs of the few.


--Chris 





RE: Latest sa-stats from last week

2006-05-09 Thread Chris Santerre

 |  I'm in a similar situation as Bowie. I had to turn of Bayes 
 |  as mail that was obviously spam was getting a Bayes_0 pulling 
 |  the # back down under the threshold.
 |  
 | 
 | so why not just score BAYES_00, BAYES_20, etc all at at 
 0... and keep
 | BAYES_99, BAYES_95, etc scoring what they score. if you 
 trust its spam
 | accuracy but not its ham accuracy, that would be the 
 logical way to go i
 | would say?
 
 
 Hmm...good point.
 
 I think I'll try that. 
 
 Smack on head
 


At least you got to smack your own head. Dallas usually just sneaks up on me and *SMACK*. And he don't have those delicate little ballerina hands! He calls it his D'man sledgehammer fist of fury! To this day, I still can't remember anything from 1988. I'm told I'm not missing much.

--Chris 





Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
| 
|  Easier said than done when you have a paying customer who wants this 
specific mailing.
| 
| Have you tried lowering the score of the spamassassin rules that are
| getting hit?
|
| Jay


I'll look at a couple of the examples and see what else is firing.  I may have 
to tune URI_BLACK
down a tad.  I'll let you know.





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
 -Original Message-
 From:  [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 11:44
 To: Jay Lee
 Cc: users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK
 
 | 
 |  Easier said than done when you have a paying customer who 
 wants this specific mailing.
 | 
 | Have you tried lowering the score of the spamassassin rules 
 that are 
 | getting hit?
 |
 | Jay
 
 
 I'll look at a couple of the examples and see what else is 
 firing.  I may have to tune URI_BLACK down a tad.  I'll let you know.
 

if you could, please submit these.  they may be good candidates for
moving to grey if nothing else.
d


SPAM: Tangled web of fun....

2006-05-09 Thread Chris Santerre

Alright, so I'm eating lunch and catching up on my sports car forum, where a buddy posts about a possible scam from selling something on craigslist. He gets an email (I don't have the headers.) supposedly from the USPS:

I'm snipping a lot of useless info out... bear with me, this is interesting...



From: United States Postal Service [mailto:[EMAIL PROTECTED]] 


Dear x,
Congratulations! The order placed by the buyer of your item: Mrs.  to have a United States Postal Service branded Money OrderSM $xxx:00 USD sent to you as payment for the item: xx has been successfully processed and has consequently been APPROVED. The financial details of the transaction are stated below:

*snip*


===
***ATTENTION***
The order has been APPROVED, you CAN NOW ship the merchandise to the buyer's shipping address. You are expected to make the shipment within 48 hours of recieving this Payment Confirmation Notification and get to our Costumer/Technical Dept. with the tracking number for Shipment Verification via: [EMAIL PROTECTED]

The Money OrderSM will NOT be dispatched or get to your resident until the shipment has been verified. This measure is taken in order to protect both seller and buyer interests and to reduce the occurrence of fraudulent activities.

blah blah blah. ship here:


238 S 8th St.
Blair, NE, 68008 


Ok, I figure I'll help him, it's lunch and I'm bored... Obviously USPS isn't in the escrow business.


accountant.com
Gerald Gorman
33 Knightsbridge Rd.
Piscataway, NJ 08854
US
Phone: 9086960929


Meh... not much to go on... Gorman is a squatter???


Blair Address comes back as...
No Frills Supermarket
238 S 8th St
Blair, NE 68008-2410
Phone: (402) 426-4757


1999 image: http://terraserver.microsoft.com/tile.ashx?t=1=10=3699=23016=14


hm... ok... interesting...
nofrillssupermarket.com 
The IP host is very suspect, but not on any RBL: 64.74.134.64
Registrant:
 Navigation Catalyst Systems, Inc
 2101 Rosecrans Ave., #2000
 El Segundo, California 90245
 United States


which redirects to prescriptionsmedicines.net
Same Whois info
209.132.212.132


Which points to a ROKSO spammer!!!
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL27304


So has a ROKSO now gotten so desperate they now try to fraud people out of junk on craigslist? :) 


Anyone near Blair want to grab some photos of the place for fun? 


Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com






Re: Latest sa-stats from last week

2006-05-09 Thread Andy Jezierski

 [EMAIL PROTECTED] wrote on
05/09/2006 10:27:27 AM:

 |  Holy spoo! Bayes can do MUCH better than that!
 |  {O.O}
 |
 | I'm sure it can, but I've got per-user Bayes and most of my users
 | don't bother to train it.
 |
 
 I'm in a similar situation as Bowie. I had to turn of Bayes
as mail
 that was obviously spam was
 getting a Bayes_0 pulling the # back down under the threshold.

I've got a sitewide Bayes and have had to lower Bayes_99
way down. I just can't seem to get it trained properly to save my
soul. Under SA 2.6x, Bayes ROCKED. Just can't seem to get it
under control on 3.x. Already started from scratch a couple of times.


SPAM

RANK  RULE NAME   COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM

   2  BAYES_99     7598      5.93    13.90    64.07   14.77
  23  BAYES_50     1718      1.34     3.14    14.49   36.42
  28  BAYES_80      857      0.67     1.57     7.23    3.71
  30  BAYES_60      792      0.62     1.45     6.68    4.28
  33  BAYES_95      703      0.55     1.29     5.93    2.10

HAM

RANK  RULE NAME   COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM

   2  BAYES_50    15593      8.98    28.52    14.49   36.42
   3  BAYES_00    12350      7.11    22.59     0.44   28.85
   6  BAYES_99     6323      3.64    11.57    64.07   14.77
  19  BAYES_60     1831      1.05     3.35     6.68    4.28
  21  BAYES_40     1634      0.94     2.99     0.65    3.82
  22  BAYES_80     1590      0.92     2.91     7.23    3.71
  24  BAYES_20     1519      0.88     2.78     0.35    3.55
  29  BAYES_05     1077      0.62     1.97     0.16    2.52
  32  BAYES_95      897      0.52     1.64     5.93    2.10


Andy


Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
 wrote:
 | 
 |  Easier said than done when you have a paying customer who wants this 
 specific mailing.
 | 
 | Have you tried lowering the score of the spamassassin rules that are
 | getting hit?
 |
 | Jay
 
 
 I'll look at a couple of the examples and see what else is firing.  I may 
 have to tune URI_BLACK
 down a tad.  I'll let you know.


For reference, here's my running config:

urirhssub   URIBL_BLACK  multi.uribl.com.    A   2
body        URIBL_BLACK  eval:check_uridnsbl('URIBL_BLACK')
describe    URIBL_BLACK  Contains an URL listed in the URIBL blacklist
tflags      URIBL_BLACK  net
score       URIBL_BLACK  1.5

urirhssub   URIBL_GREY   multi.uribl.com.    A   4
body        URIBL_GREY   eval:check_uridnsbl('URIBL_GREY')
describe    URIBL_GREY   Contains an URL listed in the URIBL greylist
tflags      URIBL_GREY   net
score       URIBL_GREY   0.1


#adjustment to SURBL lists to control FPs with double-hits
meta URIBL_BLACK_OVERLAP (URIBL_BLACK && (URIBL_AB_SURBL || URIBL_JP_SURBL || URIBL_OB_SURBL || URIBL_WS_SURBL || URIBL_SC_SURBL))
score URIBL_BLACK_OVERLAP -1.0




Reasons:

I've scored URIBL_BLACK at 1.5 due to it having the worst S/O of any URIBL other
than PH and GREY. (0.993 in the mass-check Theo posted)

I've scored GREY at 0.1 as an informational rule. Its S/O is so poor it is more
qualified to be a nonspam rule. (0.354 in the nightly mass-check Theo posted)

I've added the overlap deduction because the scores of all the other URIBL's
hosted by surbl.org are already balanced and tuned for accuracy without
URIBL_BLACK. Adding more rules offsets that balance, and this tries to 
compensate.

The net effect of my configuration causes URIBL_BLACK to score 1.5 when it fires
alone, but drops it back to 0.5 when other SURBL lists fire.


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre

 
 I've scored GREY at 0.1 as an informational rule. It's S/O is 
 so poor it is more
 qualified to be a nonspam rule. ( 0.354 in the nightly 
 mass-check Theo posted)


That's actually perfect. Exactly what it was designed to be :)


Had it been around .8xx I would have been worried. I don't expect that to ever be over .55 at most. 


--Chris 





Nasty bug? in 3.1.1 headers inserting?

2006-05-09 Thread Sietse van Zanen








Hi,



I have come across a nasty issue after upgrading from 3.0.2
to 3.1.1 last weekend.

Somehow the escape sequence when inserting headers into
messages has changed from \n\t to \n\r\t.
See the two log examples below.

Apr 30 04:36:14 zpm sendmail[27183]: k3U2ZMeZ027183: Milter
add: header: X-Spam-Status: Yes, score=21.4 required=5.0
tests=BAYES_99,DCC_CHECK,\n\tDOMAIN_RATIO,HTML_90_100,HTML_IMAGE_ONLY_08,HTML_MESSAGE,\n\tMIME_HTML_MOSTLY,MIME_QP_LONG_LINE,MPART_ALT_DIFF,PLING_PLING,\n\tURIBL_OB_SURBL,URIBL_SBL,URIBL_SC_SURBL,URIBL_WS_SURBL
autolearn=no \n\tversion=3.0.2

May 9 15:37:03 zpm sendmail[25589]: k49DaweE025589:
Milter add: header: X-Spam-Status: Yes, score=21.5 required=6.0
tests=DCC_CHECK,\r\n\tDNS_FROM_RFC_ABUSE,FORGED_HOTMAIL_RCVD,FORGED_MUA_OUTLOOK,\r\n\tFORGED_OUTLOOK_HTML,FORGED_OUTLOOK_TAGS,HTML_10_20,HTML_MESSAGE,\r\n\tHTML_MIME_NO_HTML_TAG,HTTPS_IP_MISMATCH,INVALID_DATE,MIME_HTML_ONLY,\r\n\tMISSING_HEADERS,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,TO_CC_NONE,\r\n\tX_PRIORITY_HIGH
autolearn=spam version=3.1.1

You can disable the inserting of spam/ham headers and the issue
is gone, but then of course the milter no longer works correctly, as it needs
the headers to extract the score from the message. It results in these
messages:

May 9 19:13:28 zpm spamass-milter[14281]: Could not extract score from 

I wonder why the escape sequence suddenly includes a
carriage return (\r) together with the newline (\n) and tab (\t). I use this
machine as a spam removal gateway for my Exchange environment and Exchange is
not amused by the carriage return and writes the part of the header after that
and any other headers directly into the body of the message.

I am using spamassassin 3.1.1, milter 0.3.0, sendmail 8.12.10
on redhat enterprise 3.0.

I use the following local.cf. This is all the configuration I
have; all mail is checked for user root, as it is for Exchange and not local.

required_hits 6
rewrite_header Subject [SPAM (_HITS_)]
report_safe 1
trusted_networks 10.10.
lock_method flock
skip_rbl_checks 0
clear_headers
#add_header all DCC _DCCB_: _DCCR_
dns_available yes
ok_locales nl en

use_dcc 1
dcc_home /var/dcc
dcc_path /usr/local/bin/dccproc

def_whitelist_from_rcvd [EMAIL PROTECTED]  wizdom.nu

use_razor2 1

use_bayes 1
bayes_path /var/lib/spamassassin/bayes
use_bayes_rules 1
bayes_auto_learn 1
bayes_auto_learn_threshold_spam 8.0
bayes_ignore_header X-XS4ALL-DNSBL
bayes_file_mode 0777
bayes_journal_max_size 1048576
bayes_expiry_max_db_size 60

use_auto_whitelist 1



Anybody has any ideas how this can be fixed?



-Sietse








Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Chris Santerre wrote:

 Easier said than done when you have a paying customer who
 wants this specific mailing.
 
 Voluntary Human Shileds. They should find another provider, as the needs
 of the many outweight the needs of the few.
 

Are you referring to 's customers, or anyone who's using URIBL_BLACK?

I personally have this problem too. The more severe issue is that once in a rare
while some of the stuff that cross-hits URIBL_BLACK is actually business mail
from a distributor who's referencing pdf's of sales flyers that are hosted on
grey server.

Removing the duplicates, I've submitted 11 delist or demote to grey requests
to URIBL via the web-form so far this year. Two were business related (I used
non-business samples in my submissions). There's also at least one that was
submitted via email report only.

Admittedly they all get handled well, but that's an awful lot, particularly
considering these are just the FP's *I* happened to notice.

In the same timeframe I've found no domains that needed adding. (my last add was
 09/2005)





Re[2]: Latest sa-stats from last week

2006-05-09 Thread Fred T
Hello Rick,

Monday, May 8, 2006, 4:07:53 PM, you wrote:

 Interesting, my Razor stats show a MUCH higher false positive rate, so
 much so that I had to lower the scores dramatically.

                                                 Spam    Ham
 1 RAZOR2_CHECK              9744  6.79  33.40  82.84   8.18
 2 RAZOR2_CF_RANGE_51_100    9303  6.48  31.89  79.09   7.37
 6 RAZOR2_CF_RANGE_E8_51_100 5597  3.90  19.18  47.59   0.52
 8 RAZOR2_CF_RANGE_E4_51_100 5111  3.56  17.52  43.45   6.86

Ahh but I think everyone might be missing a minor point and that's the
design of this script.  These FPs on HAM rules are just a best guess,
say a spam message only scores 3.0 and is not considered spam, any of
the rules that hit on that message are now going to be part of your
ham classification for SA-Stats.  I noticed this when installing
this script on my server.  So just cause it says it hit 8.18% of ham,
doesn't really mean those hits were really on ham, only what SA
thought was HAM...  hth

-- 
Best regards,
 Fred  mailto:[EMAIL PROTECTED]
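
The effect Fred describes, worked through as an added Python example (not part of the original post and not sa-stats code). The message sample, the threshold and all function names are constructed for illustration; the same rule is tallied once by SpamAssassin's verdict, as a log-based script must, and once by hand-verified truth.

```python
from collections import Counter

REQUIRED = 5.0  # assumed required score for this constructed sample

# Constructed sample: (hand-verified truth, SA score, rules that fired).
MESSAGES = [
    ("spam", 21.4, ["RAZOR2_CHECK", "BAYES_99"]),
    ("spam", 9.0, ["RAZOR2_CHECK"]),
    ("spam", 7.5, ["URIBL_BLACK"]),
    ("spam", 6.2, ["RAZOR2_CHECK"]),
    ("spam", 3.0, ["RAZOR2_CHECK"]),   # missed spam: scored under REQUIRED
    ("spam", 4.1, ["RAZOR2_CHECK"]),   # missed spam: scored under REQUIRED
    ("ham", 0.3, ["BAYES_00"]),
    ("ham", -1.2, ["BAYES_00"]),
    ("ham", 1.0, []),
    ("ham", 2.2, ["RAZOR2_CHECK"]),    # the only genuine hit on ham
]


def by_verdict(msg):
    """Bucket a message the way a log-based stats script has to."""
    return "spam" if msg[1] >= REQUIRED else "ham"


def by_truth(msg):
    """Bucket a message by what a human says it is."""
    return msg[0]


def rule_rates(messages, classify):
    """Return {rule: (%OFSPAM, %OFHAM)} for the given bucketing function."""
    totals, hits = Counter(), Counter()
    for msg in messages:
        bucket = classify(msg)
        totals[bucket] += 1
        for rule in set(msg[2]):
            hits[rule, bucket] += 1

    def pct(rule, bucket):
        if not totals[bucket]:
            return 0.0
        return round(100.0 * hits[rule, bucket] / totals[bucket], 2)

    rules = {rule for rule, _ in hits}
    return {r: (pct(r, "spam"), pct(r, "ham")) for r in rules}


def missed_spam(messages):
    """Spam that SA filed as ham; these inflate every rule's %OFHAM column."""
    return [m for m in messages if m[0] == "spam" and by_verdict(m) == "ham"]


if __name__ == "__main__":
    print("by verdict:", rule_rates(MESSAGES, by_verdict)["RAZOR2_CHECK"])
    print("by truth:  ", rule_rates(MESSAGES, by_truth)["RAZOR2_CHECK"])
    print("missed spam:", len(missed_spam(MESSAGES)))
```

In this sample the two missed spams double the rule's apparent ham hit rate, which is why a high %OFHAM in a verdict-based report is a prompt to look at the low-scoring messages rather than proof of false positives.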



Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Chris Santerre wrote:

 Are you referring to 's customers, or anyone who's using
 URIBL_BLACK?
 
 Just his customer. :)
 
 I'm not that crazy!

Are you sure? :)

Oh, wait.. I forgot.. the first rule of the crazy sysadmins club is...




Re: Nasty bug? in 3.1.1 headers inserting?

2006-05-09 Thread Theo Van Dinter
On Tue, May 09, 2006 at 07:26:29PM +0200, Sietse van Zanen wrote:
 Somehow the escape sequence when inserting headers into messages. Has
 changed from \n\t to \n\r\t 

Sort of, \r\n\t.

 I wonder why the escape sequence suddenly includes a carriage return
 (\r) together with the newline (\n) and tab (\t). I use this machine as
 a spam removal gateway for my Exchange environment and Exchange is not
 amused by the carriage return and writes the part of the header after
 that and any other headers directly into the body of the message.

This has been discussed before, but the basics are that SpamAssassin
was previously always just adding in \n, which caused problems on some
platforms where the line endings were supposed to be \r\n.  After much
debate about which way (\r\n vs \n vs ...) was correct, and whether
or not changing the behavior was a UI/API change versus a bug fix, etc,
we added in a patch to have the line ending determined and then use
that when adding in headers.  Now SpamAssassin does the right thing
no matter what kind of line ending you throw at it.  However, while half
the people are happy that this happens now, the other half are annoyed
that the previous \n-only behavior isn't the default anymore.

 I am using spamassassin 3.1.1, milter 0.3.0 sendmail 8.12.10 on redhat
 enterprise 3.0
[...]
 Anybody has any ideas how this can be fixed?

There's some difference of opinion around this question, but my general
opinion is that there should be an update to spamass-milter which
properly handles the newlines either way.  I'm not sure whether or not
that's happened yet.

-- 
Randomly Generated Tagline:
A liar isn't believed even when he speaks the truth.
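
Theo's suggestion above, that whatever consumes the header should cope with either line ending, sketched as an added Python example (not SpamAssassin or spamass-milter code). The two sample headers are constructed from the log lines in Sietse's message with shortened test lists, and every function name is hypothetical.

```python
import re

# Constructed samples: the X-Spam-Status headers from the two milter log lines
# in this thread, escape sequences turned back into bytes, test lists shortened.
HDR_302 = (b"X-Spam-Status: Yes, score=21.4 required=5.0 "
           b"tests=BAYES_99,DCC_CHECK,\n\tDOMAIN_RATIO,HTML_90_100 "
           b"autolearn=no \n\tversion=3.0.2\n")
HDR_311 = (b"X-Spam-Status: Yes, score=21.5 required=6.0 "
           b"tests=DCC_CHECK,\r\n\tDNS_FROM_RFC_ABUSE,FORGED_HOTMAIL_RCVD,\r\n"
           b"\tX_PRIORITY_HIGH autolearn=spam version=3.1.1\r\n")

EOL = re.compile(rb"\r?\n")


def detect_line_ending(raw: bytes) -> bytes:
    """Return the line ending the message itself uses (first one found)."""
    m = EOL.search(raw)
    return m.group(0) if m else b"\n"


def header_block(raw: bytes) -> bytes:
    """Everything before the first empty line, whatever the line ending."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw[:m.start()] if m else raw


def unfold_headers(raw: bytes) -> dict:
    """Map lower-cased header name to its unfolded value (last one wins)."""
    headers, name = {}, None
    for line in EOL.split(header_block(raw)):
        if line[:1] in (b" ", b"\t") and name is not None:
            headers[name] += b" " + line.strip()      # continuation line
        elif b":" in line:
            key, _, value = line.partition(b":")
            name = key.strip().lower().decode("ascii", "replace")
            headers[name] = value.strip()
    return {k: v.decode("ascii", "replace") for k, v in headers.items()}


def parse_spam_status(value: str) -> dict:
    """Extract verdict, score, threshold and rule names from the header value."""
    score = re.search(r"\b(?:score|hits)=(-?\d+(?:\.\d+)?)", value)
    required = re.search(r"\brequired=(-?\d+(?:\.\d+)?)", value)
    tests = re.search(r"\btests=(.*?)(?=\s+\w+=|\s*$)", value, re.S)
    if score is None or required is None:
        raise ValueError("could not extract score from %r" % value)
    names = [t.strip() for t in tests.group(1).split(",")] if tests else []
    return {"is_spam": value.split(",", 1)[0].strip() == "Yes",
            "score": float(score.group(1)),
            "required": float(required.group(1)),
            "tests": [t for t in names if t and t != "none"]}


def spam_status(raw: bytes) -> dict:
    """Parse X-Spam-Status from a raw message, LF or CRLF folded."""
    return parse_spam_status(unfold_headers(raw)["x-spam-status"])


def naive_tests(raw: bytes) -> list:
    """What a consumer that only knows \\n\\t folding sees (for contrast)."""
    text = raw.decode("ascii").replace("\n\t", "")
    return text.split("tests=")[1].split(" ")[0].split(",")


def to_lf(folded: bytes) -> bytes:
    """Rewrite CRLF folding to the LF-only form seen in the 3.0.2 log line."""
    return EOL.sub(b"\n", folded)


if __name__ == "__main__":
    for sample in (HDR_302, HDR_311):
        print(repr(detect_line_ending(sample)), spam_status(sample))
    print(naive_tests(HDR_311))   # stray \r left inside the rule names
```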




Re: SPAM: Tangled web of fun....

2006-05-09 Thread Vivek Khera


On May 9, 2006, at 1:06 PM, Chris Santerre wrote:



The Money OrderSM will NOT be dispatched or get to your resident  
until the
shipment has been verified. This measure is taken in order to  
protect both

seller and buyer interests and to reduce the occurrence of fraudulent
activities.


aka, 'the check is in the mail'.  yeah, right...



RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre

 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, May 09, 2006 1:32 PM
 To: Chris Santerre
 Cc: users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK
 
 
 Chris Santerre wrote:
 
  Easier said than done when you have a paying customer who
  wants this specific mailing.
  
  Voluntary Human Shileds. They should find another provider, 
 as the needs
  of the many outweight the needs of the few.
  
 
 Are you referring to 's customers, or anyone who's using 
 URIBL_BLACK?


Just his customer. :) 


I'm not that crazy!


--Chris 





AuthCourier.pm module for SA 3.1.1

2006-05-09 Thread Bowie Bailey
Does anyone know if the AuthCourier.pm module that is described on the
page linked below works with SA 3.1.1?

http://da.andaka.org/Doku/courier-spamassassin.html


I seem to have forgotten to include a subject line on my first message.
Sorry for the duplication.

--
Bowie


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre

 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, May 09, 2006 2:12 PM
 To: Chris Santerre
 Cc: users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK
 
 
 Chris Santerre wrote:
  
 
  I've scored GREY at 0.1 as an informational rule. It's S/O is
  so poor it is more
  qualified to be a nonspam rule. ( 0.354 in the nightly
  mass-check Theo posted)
  
  Thats actually perfect. Exactly what it was designed to be :)
  
  Had it been around .8xx I would have been worried. I don't 
 expect that
  to ever be over .55 at most.
  
 
 Then why is the suggested score on uribl.com 0.25 for this list?
 
 http://www.uribl.com/usage.shtml
 
 If you're expecting the S/O to be that low it should be very 
 near or below 0.
 
 (I'm going to revise my own config to 0.001 for this one)


Cause if there are other rules that fire, then this might just be a SPAM that is using a greyhats URL. So adding that slight little bit to score, may be just the nudge it needed to get pushed over the score limit. 

But if it is a ham, and no other larger spam scores hit, then its score of .25 is insignificant.


I think of these rules as herbs and spices. Adds just a bit of flavor, but doesn't take away from the flavor of the key ingredient. Spam or Ham :) 

--Chris 





Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
Here's one that just got captured.  The mailing was from
Monster.com and the customer is livid :-(

X-Spam-Report:
 *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]

I had to _MUNGED the domain because the mailing hit 13.5 and bounced

The threshold is 5.5


Here is from my original stats post:
 1  URIBL_BLACK     163397   7.09   29.11   78.05   0.50
 5  URIBL_JP_SURBL  118251   5.13   21.07   56.48   0.09

What are your thoughts guys?  Lower the score for URI_BLACK and JP?





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Chris Santerre

 -Original Message-
 From:  [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, May 09, 2006 3:12 PM
 To: Chris Santerre; 'Matt Kettler'
 Cc: users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK
 
 
 RE: My only problem with URIBL_BLACKHere's one that just got 
 captured. The mailing was from
 Monster.com and the customer is livid :-(
 
 X-Spam-Report:
 * 0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 * 1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
 * [URIs: uhmcargo_MUNGED.net]
 * 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 * [URIs: uhmcargo_MUNGED.net]
 * 3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
 blocklist
 * [URIs: uhmcargo_MUNGED.net]
 
 I had to _MUNGED the domain because the mailing hit 13.5 and bounced
 
 The threshold is 5.5
 
 
 Here is from my original stats post:
 1 URIBL_BLACK 163397 7.09 29.11 
 78.05 0.50
 5 URIBL_JP_SURBL 118251 5.13 21.07 
 56.48 0.09
 
 What are your thoughts guys? Lower the score for URI_BLACK and JP?


It's not an FP.


http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st=uhmcargo.net=1=en#fc75be5ae3052cbb

--Chris 





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
 -Original Message-
 From:  [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 14:12
 To: Chris Santerre; 'Matt Kettler'
 Cc: users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK
 
 Here's one that just got
 captured.  The mailing was from Monster.com and the customer 
 is livid :-(
 
 X-Spam-Report:
  *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
  *  [URIs: uhmcargo_MUNGED.net]
  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
  *  [URIs: uhmcargo_MUNGED.net]
  *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
 blocklist
  *  [URIs: uhmcargo_MUNGED.net]
 
 I had to _MUNGED the domain because the mailing hit 13.5 and bounced
 
 The threshold is 5.5
 
 
 Here is from my original stats post:
  1  URIBL_BLACK     163397  7.09  29.11  78.05  0.50
  5  URIBL_JP_SURBL  118251  5.13  21.07  56.48  0.09
 
 What are your thoughts guys?  Lower the score for URI_BLACK and JP?
 

seriously?  the domain is 3 days old and is unreachable, and uses
outfitter.net NS's which appear to have an identity crisis.

April 25th, 
ns1.outfiter.net  206.173.156.105  
ns2.outfiter.net  24.98.13.40

April 27th, 
ns1.outfiter.net  24.182.165.233
ns2.outfiter.net  67.64.112.94

May 4th,
ns1.outfiter.net  24.247.114.91
ns2.outfiter.net  68.36.53.205

May 8th,
ns1.outfiter.net  24.168.96.193
ns2.outfiter.net  24.247.114.91

Right Now,
ns1.outfitter.net  66.199.187.181
ns2.outfitter.net  66.199.187.181







dallas
 


Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
Chris and Dallas,

Thank you for pointing this out.  I will convey this back to the customer.





- Original Message - 
From: Dallas L. Engelken [EMAIL PROTECTED]
To: users@spamassassin.apache.org
Sent: Tuesday, May 09, 2006 1:20 PM
Subject: RE: My only problem with URIBL_BLACK


|  -Original Message-
|  From:  [mailto:[EMAIL PROTECTED] 
|  Sent: Tuesday, May 09, 2006 14:12
|  To: Chris Santerre; 'Matt Kettler'
|  Cc: users@spamassassin.apache.org
|  Subject: Re: My only problem with URIBL_BLACK
|  
|  Here's one that just got
|  captured.  The mailing was from Monster.com and the customer 
|  is livid :-(
|  
|  X-Spam-Report:
|   *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
|   *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
|   *  [URIs: uhmcargo_MUNGED.net]
|   *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
|   *  [URIs: uhmcargo_MUNGED.net]
|   *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
|  blocklist
|   *  [URIs: uhmcargo_MUNGED.net]
|  
|  I had to _MUNGED the domain because the mailing hit 13.5 and bounced
|  
|  The threshold is 5.5
|  
|  
|  Here is from my original stats post:
|   1  URIBL_BLACK     163397  7.09  29.11  78.05  0.50
|   5  URIBL_JP_SURBL  118251  5.13  21.07  56.48  0.09
|  
|  What are your thoughts guys?  Lower the score for URI_BLACK and JP?
|  
| 
| seriously?  the domains is 3 days old and is unreachable, and uses
| outfitter.net NS's which appear to have an identity crisis.
| 
| April 25th, 
| ns1.outfiter.net  206.173.156.105  
| ns2.outfiter.net  24.98.13.40
| 
| April 27th, 
| ns1.outfiter.net  24.182.165.233
| ns2.outfiter.net  67.64.112.94
| 
| May 4th,
| ns1.outfiter.net  24.247.114.91
| ns2.outfiter.net  68.36.53.205
| 
| May 8th,
| ns1.outfiter.net  24.168.96.193
| ns2.outfiter.net  24.247.114.91
| 
| Right Now,
| ns1.outfitter.net  66.199.187.181
| ns2.outfitter.net  66.199.187.181
| 
| 
| 
| 
| 
| 
| 
| dallas
|  
| 
| 


Here's another to look at

2006-05-09 Thread qqqq
X-Spam-Report:
 * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
 *  1.7 EXCUSE_6 BODY: Claims you can be removed from the list
 *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *  [URIs: goldenpalace_MUNGE.com]
 *  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 *  [URIs: goldenpalace_MUNGE.com]
X-Spam-Status: Yes, score=6.3 required=5.5 tests=EXCUSE_6=1.746,
 SPF_HELO_PASS=-0.001,URIBL_BLACK=4,URIBL_WS_SURBL=1.533
 autolearn=disabled version=3.1.0

Subject:[ReveNews] - 5 New Entries


This was a mailing list a paying customer signed up for.

Keep in mind that the FP's are real low,  I may just keep the scores as is and deal with these
mailing lists as they pop up.





Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Chris Santerre wrote:
 
 
 -Original Message-
 From:  [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, May 09, 2006 3:12 PM
 To: Chris Santerre; 'Matt Kettler'
 Cc: users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK


 Here's one that just got
 captured.  The mailing was from
 Monster.com and the customer is livid :-(

 X-Spam-Report:
  *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
  *  [URIs: uhmcargo_MUNGED.net]
  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
  *  [URIs: uhmcargo_MUNGED.net]
  *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
 blocklist
  *  [URIs: uhmcargo_MUNGED.net]

 I had to _MUNGED the domain because the mailing hit 13.5 and bounced

 The threshold is 5.5


 Here is from my original stats post:
  1  URIBL_BLACK     163397  7.09  29.11  78.05  0.50
  5  URIBL_JP_SURBL  118251  5.13  21.07  56.48  0.09

 What are your thoughts guys?  Lower the score for URI_BLACK and JP?
 
 It's not an FP.
 
 http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb
 

I do tend to agree, this site appears to be a scam.

, feel free to pass all of this on to your user.


I find the domain's registration info rather interesting:
-
Registrant / Admin Contact :
ORGANISATION
  IBC int Laer (IIL2-BMN-ORG)

 RR #3 Box 1122

 17059 Mifflintown
 UNITED STATES

   Contact
  Jo FOLTZ
  phone  : +56 7432674623
  fax:
  e-mail : [EMAIL PROTECTED]

snip

Created on 05/06/2006 01:08:40


Hmm.. they're from the United States, yet their phone number is in Chile
(dialing code +56)???

They left out the state, and put things in the wrong order, but 17059 is the zip
code for Mifflintown, PA.

Fixing the address:
 IBC int Laer
 RR #3 Box 1122
 Mifflintown, PA 17059
 UNITED STATES


Also, the company name contains int laer, which appears to be Belgian
language. A web search for this phrase turns up 2 pages in a language I don't
understand hosted out of .be.

So we have a company registered with a Rural-Route address in Pennsylvania, with
a Chilean phone number, a Belgian name, and a yahoo email address... And the
record was created 3 days ago.. Hmmm...


Let's look at their IPs they are hosting their domain from:
---
$ host uhmcargo*MUNGED*.com
uhmcargo*MUNGED*.com has address 82.155.56.150
uhmcargo*MUNGED*.com has address 83.99.128.137
uhmcargo*MUNGED*.com has address 83.213.63.213

$ host 82.155.56.150
150.56.155.82.in-addr.arpa domain name pointer bl6-56-150.dsl.telepac.pt.
$ host 83.99.128.137
137.128.99.83.in-addr.arpa domain name pointer balticom-128-137.balticom.lv.
$ host 83.213.63.213
213.63.213.83.in-addr.arpa domain name pointer eu83-213-63-213.clientes.euskaltel.es



Hmm, so they are hosting their website at a lot of different places. A DSL node
in Portugal, Another site in Latvia, and yet one more in Spain?

So this is a company located in Rural PA, with a phone number in Chile, a yahoo
email address, a Belgian name, and web hosting spread across Portugal, Spain and
Latvia...

Looks like your irate customer was saved from receiving a blatant scam.

I wonder what kind of start up fees you need to pay to accept this job
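
The DNS evidence in the messages above (name-server addresses that change every few days, and A records that resolve to consumer access lines in three countries) can be scored mechanically. This is an added example, not code from any poster or from SpamAssassin; the observations are copied from the thread, while the thresholds, the function names and the `ns1.example.net` control are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import date

# Name-server lookups quoted in the thread (year taken from the post dates).
NS_OBSERVATIONS = [
    (date(2006, 4, 25), "ns1.outfiter.net", "206.173.156.105"),
    (date(2006, 4, 25), "ns2.outfiter.net", "24.98.13.40"),
    (date(2006, 4, 27), "ns1.outfiter.net", "24.182.165.233"),
    (date(2006, 4, 27), "ns2.outfiter.net", "67.64.112.94"),
    (date(2006, 5, 4), "ns1.outfiter.net", "24.247.114.91"),
    (date(2006, 5, 4), "ns2.outfiter.net", "68.36.53.205"),
    (date(2006, 5, 8), "ns1.outfiter.net", "24.168.96.193"),
    (date(2006, 5, 8), "ns2.outfiter.net", "24.247.114.91"),
]

# A-record addresses and PTR names from the `host` output quoted in the thread.
PTR_RECORDS = {
    "82.155.56.150": "bl6-56-150.dsl.telepac.pt",
    "83.99.128.137": "balticom-128-137.balticom.lv",
    "83.213.63.213": "eu83-213-63-213.clientes.euskaltel.es",
}

# Constructed control (assumption): a name server that keeps one address.
STABLE_OBSERVATIONS = [
    (date(2006, 4, 25), "ns1.example.net", "192.0.2.53"),
    (date(2006, 5, 8), "ns1.example.net", "192.0.2.53"),
]

# Assumed thresholds; tune them against your own mail flow.
MIN_DISTINCT_IPS = 3
MAX_WINDOW_DAYS = 30
MIN_TLDS = 3


def ns_churn(observations):
    """Per host name: how many addresses it used and how often it moved."""
    by_name = defaultdict(list)
    for seen, name, ip in sorted(observations):
        by_name[name].append((seen, ip))
    report = {}
    for name, rows in by_name.items():
        ips = [ip for _, ip in rows]
        nets = {ipaddress.ip_network(f"{ip}/16", strict=False) for ip in ips}
        report[name] = {
            "distinct_ips": len(set(ips)),
            "changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
            "distinct_slash16": len(nets),
            "window_days": (rows[-1][0] - rows[0][0]).days,
        }
    return report


def is_generic_ptr(ip, ptr):
    """True when the PTR's first label embeds the last two octets of the
    address, the usual naming pattern for ISP access lines (DSL, cable)."""
    third, fourth = ip.split(".")[2:]
    first_label = ptr.split(".")[0]
    pattern = rf"(?<!\d){third}[-_]{fourth}(?!\d)"
    return re.search(pattern, first_label) is not None


def hosting_spread(ptr_records):
    """Summarise where a domain's A records point, using PTR names only."""
    tlds = {ptr.rstrip(".").rsplit(".", 1)[-1] for ptr in ptr_records.values()}
    generic = sum(is_generic_ptr(ip, ptr) for ip, ptr in ptr_records.items())
    return {"tlds": sorted(tlds), "generic_ptrs": generic,
            "addresses": len(ptr_records)}


def flux_reasons(observations, ptr_records):
    """Return human-readable reasons a domain looks fast-flux hosted."""
    reasons = []
    for name, stats in sorted(ns_churn(observations).items()):
        if (stats["distinct_ips"] >= MIN_DISTINCT_IPS
                and stats["window_days"] <= MAX_WINDOW_DAYS):
            reasons.append(f"{name}: {stats['distinct_ips']} addresses "
                           f"in {stats['window_days']} days")
    spread = hosting_spread(ptr_records)
    if (spread["addresses"] and len(spread["tlds"]) >= MIN_TLDS
            and spread["generic_ptrs"] == spread["addresses"]):
        reasons.append("A records all on access-line PTRs across "
                       + ", ".join(spread["tlds"]))
    return reasons


if __name__ == "__main__":
    for reason in flux_reasons(NS_OBSERVATIONS, PTR_RECORDS):
        print(reason)
```
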





Re: My only problem with URIBL_BLACK

2006-05-09 Thread qqqq
Thanks!

I need to investigate these further before writing them off as a FP.



- Original Message - 
From: Matt Kettler [EMAIL PROTECTED]
To: Chris Santerre [EMAIL PROTECTED]
Cc: '' [EMAIL PROTECTED]; users@spamassassin.apache.org
Sent: Tuesday, May 09, 2006 1:51 PM
Subject: Re: My only problem with URIBL_BLACK


| Chris Santerre wrote:
| 
| 
|  -Original Message-
|  From:  [mailto:[EMAIL PROTECTED]
|  Sent: Tuesday, May 09, 2006 3:12 PM
|  To: Chris Santerre; 'Matt Kettler'
|  Cc: users@spamassassin.apache.org
|  Subject: Re: My only problem with URIBL_BLACK
| 
| 
|  Here's one that just got
|  captured.  The mailing was from
|  Monster.com and the customer is livid :-(
| 
|  X-Spam-Report:
|   *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
|   *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
|   *  [URIs: uhmcargo_MUNGED.net]
|   *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
|   *  [URIs: uhmcargo_MUNGED.net]
|   *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL
|  blocklist
|   *  [URIs: uhmcargo_MUNGED.net]
| 
|  I had to _MUNGED the domain because the mailing hit 13.5 and bounced
| 
|  The threshold is 5.5
| 
| 
|  Here is from my original stats post:
|   1  URIBL_BLACK     163397  7.09  29.11  78.05  0.50
|   5  URIBL_JP_SURBL  118251  5.13  21.07  56.48  0.09
| 
|  What are your thoughts guys?  Lower the score for URI_BLACK and JP?
| 
|  It's not an FP.
|
|  http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=st&q=uhmcargo.net&rnum=1&hl=en#fc75be5ae3052cbb
| 
|
| I do tend to agree, this site appears to be a scam.
|
| , feel free to pass all of this on to your user.
|
|
| I find the domain's registration info rather interesting:
| -
| Registrant / Admin Contact :
| ORGANISATION
|   IBC int Laer (IIL2-BMN-ORG)
|
|  RR #3 Box 1122
|
|  17059 Mifflintown
|  UNITED STATES
|
|Contact
|   Jo FOLTZ
|   phone  : +56 7432674623
|   fax:
|   e-mail : [EMAIL PROTECTED]
|
| snip
|
| Created on 05/06/2006 01:08:40
| 
|
| Hmm.. they're from the United States, yet their phone number is in Chile
| (dialing code +56)???
|
| They left out the state, and put things in the wrong order, but 17059 is the zip
| code for Mifflintown, PA.
|
| Fixing the address:
|  IBC int Laer
|  RR #3 Box 1122
|  Mifflintown, PA 17059
|  UNITED STATES
|
|
| Also, the company name contains int laer, which appears to be Belgian
| language. A web search for this phrase turns up 2 pages in a language I don't
| understand hosted out of .be.
|
| So we have a company registered with a Rural-Route address in Pennsylvania, with
| a Chilean phone number, a Belgian name, and a yahoo email address... And the
| record was created 3 days ago.. Hmmm...
|
|
| Let's look at their IPs they are hosting their domain from:
| ---
| $ host uhmcargo*MUNGED*.com
| uhmcargo*MUNGED*.com has address 82.155.56.150
| uhmcargo*MUNGED*.com has address 83.99.128.137
| uhmcargo*MUNGED*.com has address 83.213.63.213
|
| $ host 82.155.56.150
| 150.56.155.82.in-addr.arpa domain name pointer bl6-56-150.dsl.telepac.pt.
| $ host 83.99.128.137
| 137.128.99.83.in-addr.arpa domain name pointer balticom-128-137.balticom.lv.
| $ host 83.213.63.213
| 213.63.213.83.in-addr.arpa domain name pointer eu83-213-63-213.clientes.euskaltel.es
| 
|
|
| Hmm, so they are hosting their website at a lot of different places. A DSL node
| in Portugal, Another site in Latvia, and yet one more in Spain?
|
| So this is a company located in Rural PA, with a phone number in Chile, a yahoo
| email address, a Belgian name, and web hosting spread across Portugal, Spain and
| Latvia...
|
| Looks like your irate customer was saved from receiving a blatant scam.
|
| I wonder what kind of start up fees you need to pay to accept this job
|
|
|
|



RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
ERRR... SA is rejecting this.

this is getting better...   notice the whois registration address 20222
shadowood parkway matches those found here..
http://www.joewein.net/fraud/fraud-job-2006-04.htm  (thanks joe)

anyone looking for a job from these places is in for a surprise..  see,
now you can go to your client and tell them you saved them money and
maybe their identity!  ;)


looks like it's going through another change right now.

# host -tNS uhmcargo_MUNGED.net
Host uhmcargo_MUNGED.net not found: 3(NXDOMAIN)

whois now lists the following ns.
 ns1.narrowtok.net   ns2.narrowtok.net

# host -tNS uhmcargo_MUNGED.net ns1.narrowtok.net
Using domain server:
Name: ns1.narrowtok.net
Address: 67.167.254.42#53
Aliases:

uhmcargo_MUNGED.net name server ns1.narrowtok.net.
uhmcargo_MUNGED.net name server ns2.narrowtok.net.


# host -tA uhmcargo_MUNGED.net ns1.narrowtok.net
Using domain server:
Name: ns1.narrowtok.net
Address: 67.167.254.42#53
Aliases:

uhmcargo_MUNGED.net has address 85.53.1.76
uhmcargo_MUNGED.net has address 213.37.6.147
uhmcargo_MUNGED.net has address 172.201.36.111
uhmcargo_MUNGED.net has address 24.205.215.159



 

 -Original Message-
 From:  [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 14:42
 To: Dallas L. Engelken; users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK
 
 Chris and Dallas,
 
 Thank you for pointing this out.  I will convey this back to 
 the customer.
 
 
 
 
 
 - Original Message -
 From: Dallas L. Engelken [EMAIL PROTECTED]
 To: users@spamassassin.apache.org
 Sent: Tuesday, May 09, 2006 1:20 PM
 Subject: RE: My only problem with URIBL_BLACK
 
 
 |  -Original Message-
 |  From:  [mailto:[EMAIL PROTECTED] 
 |  Sent: Tuesday, May 09, 2006 14:12
 |  To: Chris Santerre; 'Matt Kettler'
 |  Cc: users@spamassassin.apache.org
 |  Subject: Re: My only problem with URIBL_BLACK
 |  
 |  Here's one that just got
 |  captured.  The mailing was from Monster.com and the customer 
 |  is livid :-(
 |  
 |  X-Spam-Report:
 |   *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 |   *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
 |   *  [URIs: uhmcargo_MUNGED.net]
 |   *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 |   *  [URIs: uhmcargo_MUNGED.net]
 |   *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL 
 |  blocklist
 |   *  [URIs: uhmcargo_MUNGED.net]
 |  
 |  I had to _MUNGED the domain because the mailing hit 13.5 and bounced
 |  
 |  The threshold is 5.5
 |  
 |  
 |  Here is from my original stats post:
 |   1  URIBL_BLACK     163397  7.09  29.11  78.05  0.50
 |   5  URIBL_JP_SURBL  118251  5.13  21.07  56.48  0.09
 |  
 |  What are your thoughts guys?  Lower the score for URI_BLACK and JP?
 |  
 | 
 | seriously?  the domains is 3 days old and is unreachable, and uses
 | outfitter.net NS's which appear to have an identity crisis.
 | 
 | April 25th, 
 | ns1.outfiter.net  206.173.156.105  
 | ns2.outfiter.net  24.98.13.40
 | 
 | April 27th, 
 | ns1.outfiter.net  24.182.165.233
 | ns2.outfiter.net  67.64.112.94
 | 
 | May 4th,
 | ns1.outfiter.net  24.247.114.91
 | ns2.outfiter.net  68.36.53.205
 | 
 | May 8th,
 | ns1.outfiter.net  24.168.96.193
 | ns2.outfiter.net  24.247.114.91
 | 
 | Right Now,
 | ns1.outfitter.net  66.199.187.181
 | ns2.outfitter.net  66.199.187.181
 | 
 | 
 | 
 | 
 | 
 | 
 | 
 | dallas
 |  
 | 
 | 
 


Re: Here's another to look at

2006-05-09 Thread Matt Kettler
 wrote:
 X-Spam-Report:
  * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
  *  1.7 EXCUSE_6 BODY: Claims you can be removed from the list
  *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
  *  [URIs: goldenpalace_MUNGE.com]
  *  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
  *  [URIs: goldenpalace_MUNGE.com]
 X-Spam-Status: Yes, score=6.3 required=5.5 tests=EXCUSE_6=1.746,
  SPF_HELO_PASS=-0.001,URIBL_BLACK=4,URIBL_WS_SURBL=1.533
  autolearn=disabled version=3.1.0
 
 Subject:[ReveNews] - 5 New Entries
 
 
 This was a mailing list a paying customer signed up for.


That puts you in a difficult place.. they asked for it, but these guys are known
spamvertizers.

They also engage other creative marketing tactics. They sponsored the guy who
streaked at the superbowl in 2004, who painted their URL on his chest before
running naked onto the field:

*WARNING* The following URL has a full-length photo with a clear shot of the
streaker and the URL legible on him:

http://www.gamblingpress.com/archive/2004/02/0111-super-bowl-streaker.htm





RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
resend again because SA is bouncing them..

 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 14:51
 To: Chris Santerre
 Cc: ''; users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK
 
 Chris Santerre wrote:
  
  
 
 
 Let's look at their IPs they are hosting their domain from:
 ---
 $ host uhmcargo*MUNGED*.com
 uhmcargo*MUNGED*.com has address 82.155.56.150 
 uhmcargo*MUNGED*.com has address 83.99.128.137 
 uhmcargo*MUNGED*.com has address 83.213.63.213
 

FWIW, you just did all the work on the .com, and his email states  .net
;)  appears .com is also bogus, and probably related.  webhost also
appears to agree.

This account has been suspended. Either the domain has been overused,
or the reseller ran out of resources.

anyways, just thought you should know.
d



Re: My only problem with URIBL_BLACK

2006-05-09 Thread Michael Monnerie
On Dienstag, 9. Mai 2006 17:37  wrote:
 Easier said than done when you have a paying customer who wants this
 specific mailing.

He should just filter back those mails from the SPAM folder. You do send 
all SPAM to him anyway, just marked, don't you? So he has it.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   lynx -source http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




RE: Here's another to look at

2006-05-09 Thread Dallas L. Engelken
 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 15:01
 To: 
 Cc: Dallas L. Engelken; users@spamassassin.apache.org
 Subject: Re: Here's another to look at
 
  wrote:
  X-Spam-Report:
   * -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
   *  1.7 EXCUSE_6 BODY: Claims you can be removed from the list
   *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
   *  [URIs: goldenpalace_MUNGE.com]
   *  1.5 URIBL_WS_SURBL Contains an URL listed in the WS 
 SURBL blocklist
   *  [URIs: goldenpalace_MUNGE.com]
  X-Spam-Status: Yes, score=6.3 required=5.5 tests=EXCUSE_6=1.746,
   SPF_HELO_PASS=-0.001,URIBL_BLACK=4,URIBL_WS_SURBL=1.533
   autolearn=disabled version=3.1.0
  
  Subject:[ReveNews] - 5 New Entries
  
  
  This was a mailing list a paying customer signed up for.
 
 
 That puts you in a difficult place.. they asked for it, but 
 these guys are known spamvertizers.
 

and we've had them listed for over 5 months without any delist requests
for it.   can your customers whitelist their own garbage?

dallas



Re: Here's another to look at

2006-05-09 Thread qqqq

| and we've had them listed for over 5 months without any delist requests
| for it.   can your customers whitelist their own garbage?
|
| dallas

Dallas,

You bring up a good point.  I have a method where users can blacklist and block certain subjects.  I
just need to add a whitelisting option and I wouldn't have to micro manage these very few cases.

Thanks again,





limit child process

2006-05-09 Thread Jean-Paul Natola
Hi all,

I'm trying to figure out where/how to limit the number of SA's  child
processes -

The Perl has been killing swap space, I *believe* this would remedy my
situation.

Is this the appropriate list, or should I refer to  FreeBSD list?

tia









Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: limit child process

2006-05-09 Thread Matt Kettler
Jean-Paul Natola wrote:
 Hi all,
 
 I'm trying to figure out where/how to limit the number of SA's  child
 processes -
 
 The Perl has been killing swap space, I *believe* this would remedy my
 situation.
 
 Is this the appropriate list, or should I refer to  FreeBSD list?

This is the appropriate list.

How, exactly, are you calling SA?

Normally folks use spamc/spamd. In which case, spamd by default limits its own
instances. Spamcs are light-weight, being simple C programs.

If you're just calling spamassassin from a procmail script, set things up so
spamd gets loaded at boot time and start calling spamc from your procmail instead.







Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Dallas L. Engelken wrote:
 resend again because SA is bouncing them..
 
 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 14:51
 To: Chris Santerre
 Cc: ''; users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK

 Chris Santerre wrote:


 Let's look at their IPs they are hosting their domain from:
 ---
 $ host uhmcargo*MUNGED*.com
 uhmcargo*MUNGED*.com has address 82.155.56.150 
 uhmcargo*MUNGED*.com has address 83.99.128.137 
 uhmcargo*MUNGED*.com has address 83.213.63.213

 
 FWIW, you just did all the work on the .com, and his email states  .net
 ;)  appears .com is also bogus, and probably related.  webhost also
 appears to agree.


You're right..


Using the .net:
Administrator:
 name: Amber Furlong
 mail: [EMAIL PROTECTED] tel: +1.6785283829
 org: Private person

address: 20222 shadowood parkway
 city: Atlanta
,province: GA
,country: UNITED STATES
 postcode: 30339

Phone number, and address are consistent (678 is in Georgia)

However, if you do a search on 20222 shadowood parkway Atlanta you'll find
that this address is a known-offender of money-transfer scams:

http://www.joewein.net/fraud/fraud-job-2006-04.htm



RE: limit child process

2006-05-09 Thread Jean-Paul Natola



-Original Message-
From: Matt Kettler [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, May 09, 2006 4:23 PM
To: Jean-Paul Natola
Cc: users@spamassassin.apache.org
Subject: Re: limit child process

Jean-Paul Natola wrote:
 Hi all,
 
 I'm trying to figure out where/how to limit the number of SA's  child
 processes -
 
 The Perl has been killing swap space, I *believe* this would remedy my
 situation.
 
 Is this the appropriate list, or should I refer to  FreeBSD list?

This is the appropriate list.

How, exactly, are you calling SA?

Normally folks use spamc/spamd. In which case, spamd by default limits its own
instances. Spamcs are light-weight, being simple C programs.

If you're just calling spamassassin from a procmail script, set things up so
spamd gets loaded at boot time and start calling spamc from your procmail
instead.


Spamd calls it,

But I have seen my monitor, on more than one occasion, with this error,

swap_pager_getswapspace: failed

and the worst part is I don't realize it until I hit the KVM switch, and
actually get on the console -  

so can I customize spamd to a lower limit?

I noticed after I stop /restart spamd my swap goes back to normal



Re: limit child process

2006-05-09 Thread qqqq
 
| Spamd calls it,
| 
| But I have seen my monitor , on more than one occasion, with this error,
| 
| swap_pager_getswapspace: failed
| 
| and the worst part is I don't realize it until I hit the KVM switch , and
| actually get on the console -  
| 
| so can I customize spamd to a lower limit?
| 
| I noticed after I stop /restart spamd my swap goes back to normal


spamd -m 


RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
 -Original Message-
 From: Matt Kettler [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 15:29
 To: Dallas L. Engelken
 Cc: users@spamassassin.apache.org
 Subject: Re: My only problem with URIBL_BLACK
 
 Dallas L. Engelken wrote:
  resend again because SA is bouncing them..
  
  -Original Message-
  From: Matt Kettler [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, May 09, 2006 14:51
  To: Chris Santerre
  Cc: ''; users@spamassassin.apache.org
  Subject: Re: My only problem with URIBL_BLACK
 
  Chris Santerre wrote:
 
 
  Let's look at their IPs they are hosting their domain from:
  ---
  $ host uhmcargo*MUNGED*.com
  uhmcargo*MUNGED*.com has address 82.155.56.150
  uhmcargo*MUNGED*.com has address 83.99.128.137
  uhmcargo*MUNGED*.com has address 83.213.63.213
 
  
  FWIW, you just did all the work on the .com, and his email states  .net
  ;)  appears .com is also bogus, and probably related.  webhost also
  appears to agree.
 
 
 You're right..
 
 
 Using the .net:
 Administrator:
  name: Amber Furlong
  mail: [EMAIL PROTECTED] tel: +1.6785283829
  org: Private person
 
 address: 20222 shadowood parkway
  city: Atlanta
 ,province: GA
 ,country: UNITED STATES
  postcode: 30339
 
 Phone number, and address are consistent (678 is in Georgia)
 
 However, if you do a search on 20222 shadowood parkway 
 Atlanta you'll find that this address is a known-offender of 
 money-transfer scams:
 
 http://www.joewein.net/fraud/fraud-job-2006-04.htm
 
 

i posted that, and reposted it due to list reject, about 30 min ago.
did it not come through?





Re: My only problem with URIBL_BLACK

2006-05-09 Thread Matt Kettler
Dallas L. Engelken wrote:


 http://www.joewein.net/fraud/fraud-job-2006-04.htm


 
 i posted that, and reposted it due to list reject, about 30 min ago.
 did it not come through?


It depends upon how you define came through...

Posted to the list - [OK]
Delivered from list to my server - [OK]
Delivered from my server to my mailbox - [OK]
Marked as read in my mail client - [OK]
Actually entered my long-term memory - [FAILED]






RE: Latest sa-stats from last week

2006-05-09 Thread Bowie Bailey
Michael Monnerie wrote:
 On Dienstag, 9. Mai 2006 17:14 Bowie Bailey wrote:
  I've considered that, but it won't work in our setup.  This box
  scans our internal email as well as all of our customer's email.
  Since we are in an entirely different line of business from our
  customers, what we consider to be ham and spam will be quite
  different from theirs. If I could train it on both sets, it might
  work, but I don't have access to any of their emails for training.
 
 I believe that's a general mistake. I've got a server with many diff.
 domains, some people working with china, others with brazil, many
 different languages, and so on. With site wide bayes which is only
 trained _by me_, I've not had a single complaint in years where bayes
 was incorrect.

Hmm... If you are training Bayes, and all of your ham is in English,
then what does Bayes do with the Chinese ham your customers get?

 Real SPAM is really SPAM. For everybody. Those penis enlargements,
 viagra and drug ads, and false job offers are really ever SPAM. And if
 somebody wants to get those info about penis enlargement, he should
 just look in his SPAM folder, it's not getting deleted anyway.

True, spam is spam.  It's the vast differences in ham that I am more
worried about.  Our customers are salesmen for the most part, so they
are constantly sending and receiving marketing type emails.  For us,
marketing stuff is almost always considered spam.  I think this would
cause a problem with false positives for our customers if I train
Bayes based on our idea of ham and spam.

 If you are sane and try to not make mistakes with bayes, it works
 fantastic. I've got about 6.000 spam & ham, and everyday I feed the
 new SPAM to bayes for learning.
 
 Try it: keep some real SPAM, use site-wide bayes without auto-learn.
 Feed at least 200 spam & ham to bayes, and train it every day. You
 will be happy.

I might give it a try.  But, then again, based on some testing I just
did, I might leave it the way it is.  I'll include that info in a
separate thread.

-- 
Bowie


False positives in mails from dynamic IP addresses

2006-05-09 Thread Jarek 111
Hello!

I'm connecting to internet by ISP which gives me different IP every
time, but I'm sending mails by relay on fixed ip. As I see, spamassassin
is checking my dynamic IP address (RCVD_IN_DSBL, RCVD_IN_NJABL_DUL) and
marks my emails as spam.
Can I configure spamassassin, so it will check ip of relay instead of
my private dynamic IP ?

-- 
Jarek 111 [EMAIL PROTECTED]



Strange Bayes results

2006-05-09 Thread Bowie Bailey
I was checking the relative usefulness of the per-user Bayes databases
for my users and came up with the following confusing information.

When I look at the overall stats, bayes does pretty good:
RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   6  BAYES_99   26754      4.19    44.49    67.00    3.06

But when I do it for only our domain (which is where all the manual
training happens), it hits less ham, but less spam as well:
RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   8  BAYES_99    4649      3.29    33.41    54.64    0.20

Just my personal email address (which is trained aggressively) gets
very few ham hits (partly because I lowered my threshold to 4.0), but
less spam than overall:
RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   5  BAYES_99    1643      3.08    27.05    65.72    0.08

And then when I modify sa-stats to exclude our domain, I find that our
customers (who are trained exclusively with autolearn) seem to do
better than us:
RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
   6  BAYES_99   22105      4.44    47.83    70.35    4.11

Based on these results, it almost seems like the more training Bayes
gets, the worse it does!

Are these anomalies just an artifact of sa-stats relying on SA to
judge ham and spam properly?  Can these numbers be trusted at all if
my users don't reliably report false negatives and positives?

-- 
Bowie


Re: Here's another to look at

2006-05-09 Thread Kelson

Matt Kettler wrote:

They also engage other creative marketing tactics. They sponsored the guy who
streaked at the superbowl in 2004, who painted their URL on his chest before
running naked onto the field:


Didn't they also sponsor one of the X-Prize contestants?  I seem to 
recall that they gave one of the teams a bunch of money in exchange for 
renaming the ship the Golden Palace something-or-other


Just as well that Scaled Composites won.  Spaceship One isn't exactly 
an exciting name, but at least it wasn't an online gambling company's 
name going down in history.


--
Kelson Vibber
SpeedGate Communications www.speed.net


RE: Strange Bayes results

2006-05-09 Thread Bowie Bailey
Bowie Bailey wrote:
 I was checking the relative usefulness of the per-user Bayes databases
 for my users and came up with the following confusing information.
 
 When I look at the overall stats, bayes does pretty good:
 RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
    6  BAYES_99   26754      4.19    44.49    67.00    3.06
 
 But when I do it for only our domain (which is where all the manual
 training happens), it hits less ham, but less spam as well:
 RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
    8  BAYES_99    4649      3.29    33.41    54.64    0.20
 
 Just my personal email address (which is trained aggressively) gets
 very few ham hits (partly because I lowered my threshold to 4.0), but
 less spam than overall:
 RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
    5  BAYES_99    1643      3.08    27.05    65.72    0.08
 
 And then when I modify sa-stats to exclude our domain, I find that our
 customers (who are trained exclusively with autolearn) seem to do
 better than us:
 RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM
    6  BAYES_99   22105      4.44    47.83    70.35    4.11
 
 Based on these results, it almost seems like the more training Bayes
 gets, the worse it does!
 
 Are these anomalies just an artifact of sa-stats relying on SA to
 judge ham and spam properly?  Can these numbers be trusted at all if
 my users don't reliably report false negatives and positives?

And as an additional data point, I found this for one of our internal
users who has never done any manual training:
RANK  RULE NAME  COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM

   1  BAYES_99     373      6.76    78.20    95.64    0.00
   1  BAYES_00      73     20.51    15.30     0.00   83.91

-- 
Bowie


Re: False positives in mails from dynamic IP addresses

2006-05-09 Thread Matt Kettler
Jarek 111 wrote:
 Hello!
 
   I'm connecting to internet by ISP which gives me different IP every
 time, but I'm sending mails by relay on fixed ip. As I see, spamassassin
 is checking my dynamic IP address (RCVD_IN_DSBL, RCVD_IN_NJABL_DUL) and
 marks my emails as spam.
   Can I configure spamassassin, so it will check ip of relay instead of
 my private dynamic IP ?


Configure your trusted_networks setting and this should clear up.

http://wiki.apache.org/spamassassin/TrustPath



Re: Latest sa-stats from last week

2006-05-09 Thread Michael Monnerie
On Dienstag, 9. Mai 2006 23:01 Bowie Bailey wrote:
 Hmm... If you are training Bayes, and all of your ham is in English,
 then what does Bayes do with the Chinese ham your customers get?

Nothing. But you won't get a SPAM report from bayes if the e-mail is 
Chinese and you never feed Chinese language e-mail. So no FPs.

 True, spam is spam.  It's the vast differences in ham that I am more
 worried about.  Our customers are salesmen for the most part, so they
 are constantly sending and receiving marketing type emails.  For us,
 marketing stuff is almost always considered spam.  I think this would
 cause a problem with false positives for our customers if I train
 Bayes based on our idea of ham and spam.

The important thing is that you should *never* feed to bayes something 
that *could* be a legit e-mail. Most people seem to make that error. I 
do NOT feed SPAM nor HAM that could be a legit mail.

Just those Nigerians who want to give you some million $ because you are 
so nice, or those lotteries where you won a lot but before you have to 
pay, the very good jobs a lot of people seem to offer where you can 
earn 5000$ for only 3 hours of work and so on.

No chance this could be HAM for anybody (with at least some brain, but 
anyway you have to protect such people from themselves *g*). The same 
for feeding HAM: Give it only food that *is legit e-mail*, not some 
which could be.

Remember: 10 good SPAM and HAM are better than 200 where 5% are wrong.

Another good thing: Since I help with mass-checks, I found that of my 
6000 SPAMs, I had about 4 or 5 which I had to delete (but unlearn 
before), as they were mistakes. That's the advantage you get back when 
running mass-checks.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660/4156531  .network.your.ideas.
// PGP Key:   lynx -source http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2  9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE




Remove Me

2006-05-09 Thread Aaron Boyles
How do I take myself off this mailing list?

-Javin


Re: Remove Me

2006-05-09 Thread Michele Neylon :: Blacknight.ie
Aaron Boyles wrote:
 How do I take myself off this mailing list?
 
 -Javin
list-help: mailto:[EMAIL PROTECTED]
list-unsubscribe: mailto:[EMAIL PROTECTED]
List-Post: mailto:users@spamassassin.apache.org

-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting  Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


Re: Remove Me

2006-05-09 Thread Matt Kettler
Aaron Boyles wrote:
 How do I take myself off this mailing list?
 
 -Javin
 

Check the headers of any message on this list. They all have a
list-unsubscribe header.

This is the RFC 2369 standardized way for mailing lists to provide this
information, so be sure to look for it elsewhere too. (I know all of
sourceforge's lists do this too)


SQL prefs, what config allowed?

2006-05-09 Thread Charles Sprickman

Hi all,

Is there a canonical listing somewhere of which user prefs are allowed 
when using the SQL store for user preferences?


Can I just assume everything here:

http://spamassassin.apache.org/full/3.0.x/dist/doc/Mail_SpamAssassin_Conf.html

Is possible via the SQL prefs?

Thanks,

Charles



RE: My only problem with URIBL_BLACK

2006-05-09 Thread List Mail User
...
 What are your thoughts guys?  Lower the score for URI_BLACK and JP?
 

seriously?  the domain is 3 days old and is unreachable, and uses
outfitter.net NS's which appear to have an identity crisis.

April 25th, 
ns1.outfiter.net  206.173.156.105  
ns2.outfiter.net  24.98.13.40
   
April 27th, 
ns1.outfiter.net  24.182.165.233
ns2.outfiter.net  67.64.112.94
   
May 4th,
ns1.outfiter.net  24.247.114.91
ns2.outfiter.net  68.36.53.205

May 8th,
ns1.outfiter.net  24.168.96.193
ns2.outfiter.net  24.247.114.91
   
Right Now,
ns1.outfitter.net  66.199.187.181
ns2.outfitter.net  66.199.187.181

...

dallas

Are you just giving a sample?  How about some more of the IP
jumps in the past nine days:

ns1.outfiter.net
2006-May-04 21:05:5324.168.96.193
2006-May-01 21:05:1368.36.53.205
2006-May-01 15:05:5524.24.83.45
2006-Apr-30 22:04:8024.182.165.233
2006-Apr-30 14:04:419   71.241.106.238

Hosted on cable modem and DSL zombies, registered using the
reseller Regtime.net/webnames.ru at OnlineNIC, using a real address
but the name of an unregistered/unlicensed corporation in Missouri
with a telephone number in Montana.  (No Barnwell Inc. exists, but
a BARNWELL  HAYS, INC. is an inactive business, shutdown in 2000).

Or the rest of a current snapshot (all zombies)

% dig outfiter.net @68.36.53.205
...
;; ANSWER SECTION:
outfiter.net.   300 IN  A   65.75.90.172
outfiter.net.   300 IN  A   194.208.180.242
outfiter.net.   300 IN  A   24.182.165.233

;; AUTHORITY SECTION:
outfiter.net.   300 IN  NS  ns1.outfiter.net.
outfiter.net.   300 IN  NS  ns2.outfiter.net.

;; ADDITIONAL SECTION:
ns1.outfiter.net.   300 IN  A   68.36.53.205
ns2.outfiter.net.   300 IN  A   68.111.102.17
...

Plus the original domain, uhmcargo-M.net, has already been
suspended (though if you force it to be resolved, you can see it is
also up and hosted on zombies).

% whois uhmcargo-M.net | fgrep Status
   Status: REGISTRAR-HOLD
   EPP Status: clientHold
   EPP Status: clientDeleteProhibited
   EPP Status: clientUpdateProhibited
   EPP Status: clientTransferProhibited

% dig uhmcargo-M.net @67.167.254.42
...
;; ANSWER SECTION:
uhmcargo-M.net. 300 IN  A   212.183.251.114
uhmcargo-M.net. 300 IN  A   66.31.52.46
uhmcargo-M.net. 300 IN  A   172.201.36.111
uhmcargo-M.net. 300 IN  A   24.205.215.159
...

Tell the recipient that this message either did not come from
monster.com, or (quite unlikely) someone has turned black-hat.

Paul Shupak
[EMAIL PROTECTED]


Re: Nasty bug? in 3.1.1 headers inserting?

2006-05-09 Thread Daryl C. W. O'Shea

On 5/9/2006 2:16 PM, Theo Van Dinter wrote:


There's some difference of opinion around this question, but my general
opinion is that there should be an update to spamass-milter which
properly handles the newlines either way.  I'm not sure whether or not
that's happened yet.


As discussed in this SA bug:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4844

this spamass-milter bug has a (confirmed to work) patch that fixes the 
problem with spamass-milter:


http://savannah.nongnu.org/bugs/?func=detailitemitem_id=16164


I do not know if there is an updated spamass-milter release.  I'm 
assuming there isn't since their bug is still open.



Daryl


bayes database problem with 3.1.1

2006-05-09 Thread Webmaster
Running on freebsd 6.0
Having problems getting 3.1.1 to work with mysql based bayes.
Please see the sa-learn -D --sync result

mail-av1# sa-learn -D --sync
[25988] dbg: logger: adding facilities: all
[25988] dbg: logger: logging level is DBG
[25988] dbg: generic: SpamAssassin version 3.1.1
[25988] dbg: config: score set 0 chosen.
[25988] dbg: util: running in taint mode? yes
[25988] dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
[25988] dbg: util: PATH included '/sbin', keeping
[25988] dbg: util: PATH included '/bin', keeping
[25988] dbg: util: PATH included '/usr/sbin', keeping
[25988] dbg: util: PATH included '/usr/bin', keeping
[25988] dbg: util: PATH included '/usr/games', keeping
[25988] dbg: util: PATH included '/usr/local/sbin', keeping
[25988] dbg: util: PATH included '/usr/local/bin', keeping
[25988] dbg: util: PATH included '/usr/X11R6/bin', which doesn't exist, dropping
[25988] dbg: util: PATH included '/root/bin', which doesn't exist, dropping
[25988] dbg: util: final PATH set to: /sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin
[25988] dbg: dns: is Net::DNS::Resolver available? yes
[25988] dbg: dns: Net::DNS version: 0.55
[25988] dbg: config: using /usr/local/etc/mail/spamassassin for site rules pre files
[25988] dbg: config: read file /usr/local/etc/mail/spamassassin/init.pre
[25988] dbg: config: read file /usr/local/etc/mail/spamassassin/v310.pre
[25988] dbg: config: using /usr/local/share/spamassassin for sys rules pre files
[25988] dbg: config: using /usr/local/share/spamassassin for default rules dir
[25988] dbg: config: read file /usr/local/share/spamassassin/10_misc.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_advance_fee.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_anti_ratware.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_body_tests.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_compensate.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_drugs.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_fake_helo_tests.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_head_tests.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_html_tests.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_meta_tests.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_net_tests.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_phrases.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_porn.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_ratware.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/20_uri_tests.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/23_bayes.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_accessdb.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_antivirus.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_es.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_body_tests_pl.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_dcc.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_domainkeys.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_hashcash.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_pyzor.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_replace.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_spf.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_textcat.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/25_uribl.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/30_text_de.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/30_text_fr.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/30_text_it.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/30_text_nl.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/30_text_pl.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/30_text_pt_br.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/50_scores.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/60_awl.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/60_whitelist.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_spf.cf
[25988] dbg: config: read file /usr/local/share/spamassassin/60_whitelist_subject.cf
[25988] dbg: config: using /usr/local/etc/mail/spamassassin for site rules dir
[25988] dbg: config: read file /usr/local/etc/mail/spamassassin/local.cf
[25988] dbg: config: using /root/.spamassassin/user_prefs for user prefs file
[25988] dbg: config: read file 

RE: My only problem with URIBL_BLACK

2006-05-09 Thread Dallas L. Engelken
 -Original Message-
 From: List Mail User [mailto:[EMAIL PROTECTED] 
 Sent: Tuesday, May 09, 2006 6:36 PM
 To: Dallas L. Engelken; users@spamassassin.apache.org
 Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
 Subject: RE: My only problem with URIBL_BLACK
 
 ...
  What are your thoughts guys?  Lower the score for URI_BLACK and JP?
  
 
 seriously?  the domain is 3 days old and is unreachable, and uses 
 outfitter.net NS's which appear to have an identity crisis.
 
 April 25th,
 ns1.outfiter.net  206.173.156.105
 ns2.outfiter.net  24.98.13.40
  
 April 27th,
 ns1.outfiter.net  24.182.165.233
 ns2.outfiter.net  67.64.112.94
  
 May 4th,
 ns1.outfiter.net  24.247.114.91
 ns2.outfiter.net  68.36.53.205
 
 May 8th,
 ns1.outfiter.net  24.168.96.193
 ns2.outfiter.net  24.247.114.91
  
 Right Now,
 ns1.outfitter.net  66.199.187.181
 ns2.outfitter.net  66.199.187.181
 
 ...
 
 dallas
 
   Are you just giving a sample?  How about some more 
 of the IP jumps in the past nine days:
 

Just enough to show we have sufficient evidence to autolist without
human review :)

I see a couple of their bogus sites are still online.  I'm sure there
are more.

 euro-rental .net
 l-f-union .com




Re: Here's another to look at

2006-05-09 Thread jdow

From:  [EMAIL PROTECTED]


X-Spam-Report:
* -0.0 SPF_HELO_PASS SPF: HELO matches SPF record
*  1.7 EXCUSE_6 BODY: Claims you can be removed from the list
*  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
*  [URIs: goldenpalace_MUNGE.com]
*  1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
*  [URIs: goldenpalace_MUNGE.com]
X-Spam-Status: Yes, score=6.3 required=5.5 tests=EXCUSE_6=1.746,
SPF_HELO_PASS=-0.001,URIBL_BLACK=4,URIBL_WS_SURBL=1.533
autolearn=disabled version=3.1.0

Subject:[ReveNews] - 5 New Entries


This was a mailing list a paying customer signed up for.

Keep in mind that the FP's are real low,  I may just keep the scores as is and
deal with these mailing lists as they pop up.


Per user whitelists appear to be needed to handle this. The name itself
makes me think heavy porn.

Personally I am not a proper political animal so I'd tell the customer
to check their spam folder for this email if they want it. Whois shows
the site is indeed a porn site. If you generally whitelist it then
you open your whole email service to a porn spammer.

{o.o} 



Re: Latest sa-stats from last week

2006-05-09 Thread jdow

From: Bowie Bailey [EMAIL PROTECTED]


Michael Monnerie wrote:

On Dienstag, 9. Mai 2006 16:18 Bowie Bailey wrote:
 I've got per-user Bayes and most of my users
 don't bother to train it.

Another reason for site-wide bayes, I'd say.


I've considered that, but it won't work in our setup.  This box scans
our internal email as well as all of our customer's email.  Since we
are in an entirely different line of business from our customers, what
we consider to be ham and spam will be quite different from theirs.
If I could train it on both sets, it might work, but I don't have
access to any of their emails for training.

Also, I really prefer a per-user bayes for our internal email since
there are various accounts that get a specific type of ham and work
very well with Bayes.


Importune on them to feed you as large a collection of ham and spam
as they can, once. Then turn on autolearn, cross your fingers, and
put on your flak jacket.

{O.O}


Re: Latest sa-stats from last week

2006-05-09 Thread jdow

From: Bowie Bailey [EMAIL PROTECTED]


jdow wrote:

From: Bowie Bailey [EMAIL PROTECTED]

  wrote:
TOP SPAM RULES FIRED

RANK  RULE NAME    COUNT  %OFRULES  %OFMAIL  %OFSPAM  %OFHAM

   1  URIBL_BLACK  16339      7.09    29.11    78.05    0.50
   
   Nice.
   
   How does that Queen song go??  We... are...  ;)
  
  LOL!  Congrats!
 
 I'll second that!  I think the network tests are taking over...
 
 TOP SPAM RULES FIRED

 
 RANKRULE NAMECOUNT %OFRULES %OFMAIL %OFSPAM %OFHAM
 
  6  BAYES_99 26754 4.19   44.49   67.00  3.06

Holy spoo! Bayes can do MUCH better than that!
{O.O}


I'm sure it can, but I've got per-user Bayes and most of my users
don't bother to train it.


That brings to mind an interesting question. Could SpamAssassin (ever)
be configured to accept a global Bayes with per user Bayes for er
seasoning? Could such a setup be effective?

{^_^}


Re: My only problem with URIBL_BLACK

2006-05-09 Thread jdow

From: Chris Santerre [EMAIL PROTECTED]

-Original Message-
From:  [mailto:[EMAIL PROTECTED]

Here's one that just got captured.  The mailing was from
Monster.com and the customer is livid :-(

X-Spam-Report:
 *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]

I had to _MUNGED the domain because the mailing hit 13.5 and bounced

The threshold is 5.5


Here is from my original stats post:
 1  URIBL_BLACK     16339  7.09   29.11   78.05   0.50
 5  URIBL_JP_SURBL  11825  5.13   21.07   56.48   0.09


What are your thoughts guys?  Lower the score for URI_BLACK and JP?


It's not an FP.

http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=stq=uhmcargo.netrnum=1hl=en#fc75be5ae3052cbb


And the registrant is a single person with, it appears, one single
network address. For the 6th largest shipper that is a pathetic
web presence.

{^_-}


Re: My only problem with URIBL_BLACK

2006-05-09 Thread jdow

From: Matt Kettler [EMAIL PROTECTED]

Chris Santerre wrote:




-Original Message-
From:  [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 09, 2006 3:12 PM
To: Chris Santerre; 'Matt Kettler'
Cc: users@spamassassin.apache.org
Subject: Re: My only problem with URIBL_BLACK


Here's one that just got captured.  The mailing was from
Monster.com and the customer is livid :-(

X-Spam-Report:
 *  0.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
 *  1.1 URIBL_SBL Contains an URL listed in the SBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist
 *  [URIs: uhmcargo_MUNGED.net]
 *  3.4 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
 *  [URIs: uhmcargo_MUNGED.net]

I had to _MUNGED the domain because the mailing hit 13.5 and bounced

The threshold is 5.5


Here is from my original stats post:
 1  URIBL_BLACK     16339  7.09   29.11   78.05   0.50
 5  URIBL_JP_SURBL  11825  5.13   21.07   56.48   0.09

What are your thoughts guys?  Lower the score for URI_BLACK and JP?


It's not an FP.

http://groups.google.com/group/misc.writing.screenplays.moderated/browse_frm/thread/e7fca5612bbf5aa3/fc75be5ae3052cbb?lnk=stq=uhmcargo.netrnum=1hl=en#fc75be5ae3052cbb



I do tend to agree, this site appears to be a scam.

, feel free to pass all of this on to your user.


I find the domain's registration info rather interesting:
-
Registrant / Admin Contact :
ORGANISATION
 IBC int Laer (IIL2-BMN-ORG)

RR #3 Box 1122

17059 Mifflintown
UNITED STATES

  Contact
 Jo FOLTZ
 phone  : +56 7432674623
 fax:
 e-mail : [EMAIL PROTECTED]

snip

Created on 05/06/2006 01:08:40


Hmm.. they're from the United States, yet their phone number is in Chile
(dialing code +56)???

They left out the state, and put things in the wrong order, but 17059 is the zip
code for Mifflintown, PA.

Fixing the address:
IBC int Laer
RR #3 Box 1122
Mifflintown, PA 17059
UNITED STATES


Also, the company name contains int laer, which appears to be Belgian
language. A web search for this phrase turns up 2 pages in a language I don't
understand hosted out of .be.

So we have a company registered with a Rural-Route address in Pennsylvania, with
a Chilean phone number, a Belgian name, and a yahoo email address... And the
record was created 3 days ago.. Hmmm...


Let's look at their IPs they are hosting their domain from:
---
$ host uhmcargo*MUNGED*.com
uhmcargo*MUNGED*.com has address 82.155.56.150
uhmcargo*MUNGED*.com has address 83.99.128.137
uhmcargo*MUNGED*.com has address 83.213.63.213

$ host 82.155.56.150
150.56.155.82.in-addr.arpa domain name pointer bl6-56-150.dsl.telepac.pt.
$ host 83.99.128.137
137.128.99.83.in-addr.arpa domain name pointer balticom-128-137.balticom.lv.
$ host 83.213.63.213
213.63.213.83.in-addr.arpa domain name pointer eu83-213-63-213.clientes.euskaltel.es



Hmm, so they are hosting their website at a lot of different places. A DSL node
in Portugal, Another site in Latvia, and yet one more in Spain?

So this is a company located in Rural PA, with a phone number in Chile, a yahoo
email address, a Belgian name, and web hosting spread across Portugal, Spain and
Latvia...

Looks like your irate customer was saved from receiving a blatant scam.

I wonder what kind of start up fees you need to pay to accept this job


Fascinating - even the whois registration seems to have MPD, er Multiple
Personality Disorder. This is what I got in part:
===8---
Registrant:
Amber Furlong [EMAIL PROTECTED] +1.6785283829
Private person
20222 shadowood parkway
Atlanta,GA,UNITED STATES 30339


Domain Name:uhmcargo.net-M
Record last updated at 2006-05-05 18:11:50
Record created on 2006/5/5
Record expired on 2007/5/5


Domain servers in listed order:
ns1.narrowtok.net-M   ns2.narrowtok.net-M

Administrator:
20222 shadowood parkway
Atlanta
GA,
UNITED STATES
30339
===8---

It might have been hijacked recently. But then, for a brandy spanky new
registration that seems unlikely
{^_^} 
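
The two observations made in this thread, name servers that move to a new address at every sighting and a web site whose A records sit on consumer lines in three countries, can be checked mechanically. The following Python is an added example, not code from any poster or from URIBL; the addresses and reverse names are the ones quoted in the thread, while the /16 grouping, the thresholds, the PTR keyword list and the `stable.example` control are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Name-server addresses copied from the dated list quoted in the thread.
NS_HISTORY = [
    ("2006-04-25", "ns1.outfiter.net", "206.173.156.105"),
    ("2006-04-25", "ns2.outfiter.net", "24.98.13.40"),
    ("2006-04-27", "ns1.outfiter.net", "24.182.165.233"),
    ("2006-04-27", "ns2.outfiter.net", "67.64.112.94"),
    ("2006-05-04", "ns1.outfiter.net", "24.247.114.91"),
    ("2006-05-04", "ns2.outfiter.net", "68.36.53.205"),
    ("2006-05-08", "ns1.outfiter.net", "24.168.96.193"),
    ("2006-05-08", "ns2.outfiter.net", "24.247.114.91"),
]

# A records and reverse names copied from the `host` output quoted in the thread.
A_RECORDS = {
    "82.155.56.150": "bl6-56-150.dsl.telepac.pt",
    "83.99.128.137": "balticom-128-137.balticom.lv",
    "83.213.63.213": "eu83-213-63-213.clientes.euskaltel.es",
}

# Constructed control: a name server that stays on one documentation address.
STABLE_HISTORY = [
    (day, "ns1.stable.example", "192.0.2.53")
    for day in ("2006-04-25", "2006-04-27", "2006-05-04", "2006-05-08")
]

# Assumed heuristic: labels that usually mark consumer access lines in PTR names.
ACCESS_LINE = re.compile(
    r"(?:^|[.\-\d])(?:dsl|adsl|cable|dyn|dhcp|pool|clientes)(?:[.\-\d]|$)", re.I
)


def prefix16(ip):
    """Return the /16 containing an IPv4 address (rough proxy for 'another provider')."""
    return ipaddress.ip_network(f"{ip}/16", strict=False)


def ns_churn(history):
    """Per host: sightings, distinct addresses, distinct /16s, address changes."""
    by_host = defaultdict(list)
    for _day, host, ip in sorted(history):  # ISO dates sort chronologically
        by_host[host].append(ip)
    report = {}
    for host, ips in by_host.items():
        report[host] = {
            "sightings": len(ips),
            "distinct_ips": len(set(ips)),
            "distinct_16s": len({prefix16(ip) for ip in ips}),
            "changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
        }
    return report


def looks_fluxed(stats, min_16s=3):
    """Assumed rule: the address moved at every sighting and hit several /16s."""
    moved_every_time = stats["changes"] == stats["sightings"] - 1
    return stats["sightings"] > 1 and moved_every_time and stats["distinct_16s"] >= min_16s


def a_record_spread(records):
    """Summarise how scattered one answer set is across networks and countries."""
    return {
        "addresses": len(records),
        "distinct_16s": len({prefix16(ip) for ip in records}),
        "ptr_tlds": sorted({ptr.rsplit(".", 1)[-1] for ptr in records.values()}),
        "access_line_ptrs": sorted(
            ip for ip, ptr in records.items() if ACCESS_LINE.search(ptr)
        ),
    }


if __name__ == "__main__":
    for host, stats in ns_churn(NS_HISTORY + STABLE_HISTORY).items():
        print(host, stats, "FLUX" if looks_fluxed(stats) else "stable")
    print(a_record_spread(A_RECORDS))
```
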



Re: 20_bodytests

2006-05-09 Thread Sanford Whiteman


Dan-80 wrote:
 
 2) What do 'tflags' do?:
 
   describe MIME_CHARSET_FARAWAY   MIME character set indicates foreign language
   tflags MIME_CHARSET_FARAWAY userconf
 

tflags SYMBOLIC_TEST_NAME [ {net|nice|learn|userconf|noautolearn} ]

Used to set flags on a test. These flags are used in the score-determination
back end system for details of the test's behaviour. Please see
bayes_auto_learn and use_auto_whitelist for more information about tflag
interaction with those systems. The following flags can be set:

net

The test is a network test, and will not be run in the mass checking system
or if -L is used, therefore its score should not be modified. 

nice

The test is intended to compensate for common false positives, and should be
assigned a negative score. 

userconf

The test requires user configuration before it can be used (like language-
specific tests). 

learn

The test requires training before it can be used. 

noautolearn

The test will explicitly be ignored when calculating the score for learning
systems.


Dan-80 wrote:
 
 3) What are 'test' lines?:
 

test SYMBOLIC_TEST_NAME (ok|fail) Some string to test against

Define a regression testing string. You can have more than one regression
test string per symbolic test name. Simply specify a string that you wish
the test to match. 
These tests are only run as part of the test suite - they should not affect
the general running of SpamAssassin.

--Sandy
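
The `tflags` and `test` lines described in this reply can be exercised outside SpamAssassin. The following Python is an added example, not SpamAssassin code or anything posted in the thread: it parses a constructed rules snippet, checks each rule's `tflags` against the flags listed above, and runs the `test` strings against the `body` pattern. The `LOCAL_*` rule names and patterns are hypothetical, and Python's `re` stands in for Perl's regex engine, an assumption that holds only for simple patterns.

```python
import re

# Flags listed in the documentation excerpt quoted in the reply above.
KNOWN_TFLAGS = {"net", "nice", "learn", "userconf", "noautolearn"}
RE_FLAGS = {"i": re.I, "m": re.M, "s": re.S, "x": re.X}

# Constructed sample; every LOCAL_* rule is hypothetical. The last rule is
# deliberately wrong in three ways so the checker has something to report.
SAMPLE_CF = r"""
body     LOCAL_ADV_FEE      /\bmillion (?:dollars|usd)\b.*\bnext of kin\b/i
describe LOCAL_ADV_FEE      Advance-fee wording
score    LOCAL_ADV_FEE      2.5
test     LOCAL_ADV_FEE      ok    He left 12 million dollars and no next of kin
test     LOCAL_ADV_FEE      fail  Quarterly revenue reached one million dollars

body     LOCAL_LIST_FOOTER  /\bto unsubscribe from this list\b/i
score    LOCAL_LIST_FOOTER  -0.5
tflags   LOCAL_LIST_FOOTER  nice
test     LOCAL_LIST_FOOTER  ok    To unsubscribe from this list, see the headers

body     LOCAL_WIRE_FEE     /\bwire transfer fee\b/i
score    LOCAL_WIRE_FEE     1.0
tflags   LOCAL_WIRE_FEE     nice noautolern
test     LOCAL_WIRE_FEE     ok    Pay the w1re transfer fee first
"""


def parse_rules(text):
    """Collect body pattern, score, tflags and test lines per rule name."""
    rules = {}

    def rule(name):
        return rules.setdefault(
            name, {"regex": None, "score": None, "tflags": set(), "tests": []}
        )

    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        keyword, name, rest = parts
        if keyword == "body":
            end = rest.rindex("/")  # closing delimiter of /pattern/flags
            flags = 0
            for ch in rest[end + 1:]:
                flags |= RE_FLAGS[ch]
            rule(name)["regex"] = re.compile(rest[1:end], flags)
        elif keyword == "score":
            rule(name)["score"] = float(rest.split()[0])
        elif keyword == "tflags":
            rule(name)["tflags"].update(rest.split())
        elif keyword == "test":
            expect, sample = rest.split(None, 1)
            rule(name)["tests"].append((expect, sample))
    return rules


def check_rules(rules):
    """Return human-readable problems: bad tflags, 'nice' sign, failing tests."""
    problems = []
    for name, r in sorted(rules.items()):
        for flag in sorted(r["tflags"] - KNOWN_TFLAGS):
            problems.append(f"{name}: unknown tflag '{flag}'")
        if "nice" in r["tflags"] and r["score"] is not None and r["score"] >= 0:
            problems.append(f"{name}: tflags nice but score {r['score']} is not negative")
        for expect, sample in r["tests"]:
            if expect not in ("ok", "fail"):
                problems.append(f"{name}: test must say ok or fail, got '{expect}'")
                continue
            if r["regex"] is None:
                problems.append(f"{name}: test line without a body rule")
                continue
            hit = r["regex"].search(sample) is not None
            if hit != (expect == "ok"):
                outcome = "hit" if hit else "missed"
                problems.append(f"{name}: expected {expect} but rule {outcome}: {sample!r}")
    return problems


if __name__ == "__main__":
    for problem in check_rules(parse_rules(SAMPLE_CF)):
        print(problem)
```
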



RE: SPAM: Tangled web of fun....

2006-05-09 Thread Brent Kennedy



LOL, that's pretty sad. Stupid cons have ruined the 
internet flea market. 


From: Chris Santerre [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 09, 2006 1:07 PM
To: Spaml (E-mail); Spamassassin-Talk (E-mail)
Subject: SPAM: Tangled web of fun

Alright, so I'm eating lunch and catching up on my sports car forum, where a
buddy posts about a possible scam from selling something on craigslist. He gets
an email (I don't have the headers.) supposedly from the USPS:

I'm snipping a lot of useless info out. Bear with me, this is interesting...

" From: United States Postal Service [mailto:[EMAIL PROTECTED]]

Dear x, Congratulations! The order placed by the buyer of your item: Mrs.  to
have a United States Postal Service branded Money OrderSM $xxx:00 USD sent to
you as payment for the item: xx has been successfully processed and has
consequently been APPROVED. The financial details of the transaction are stated
below:

*snip*
===
***ATTENTION*** The order has been APPROVED, you CAN NOW ship the merchandise to
the buyer's shipping address. You are expected to make the shipment within 48
hours of recieving this Payment Confirmation Notification and get to our
Costumer/Technical Dept. with the tracking number for Shipment Verification via:
[EMAIL PROTECTED]

The Money OrderSM will NOT be dispatched or get to your resident until the
shipment has been verified. This measure is taken in order to protect both
seller and buyer interests and to reduce the occurrence of fraudulent
activities.

blah blah blah. ship here:
238 S 8th St. Blair, NE, 68008 "

Ok, I figure I'll help him, it's lunch and I'm bored. Obviously USPS isn't in
the escrow business.

accountant.com
Gerald Gorman
33 Knightsbridge Rd.
Piscataway, NJ 08854 US
Phone: 9086960929

Meh... not much to go on. Gorman is a squatter???

Blair Address comes back as...
No Frills Supermarket
238 S 8th St
Blair, NE 68008-2410
Phone: (402) 426-4757
1999 image: http://terraserver.microsoft.com/tile.ashx?t=1s=10x=3699y=23016z=14

hm... ok... interesting... nofrillssupermarket.com
The IP host is very suspect, but not on any RBL: 64.74.134.64
Registrant:
 Navigation Catalyst Systems, Inc
 2101 Rosecrans Ave., #2000
 El Segundo, California 90245
 United States

which redirects to prescriptionsmedicines.net
Same Whois info
209.132.212.132
Which points to a ROKSO spammer!!!
http://www.spamhaus.org/sbl/sbl.lasso?query=SBL27304

So has a ROKSO now gotten so desperate they now try to fraud people out of junk
on craigslist? :)

Anyone near Blair want to grab some photos of the place for fun?

Chris Santerre
SysAdmin and SARE/URIBL ninja
http://www.uribl.com
http://www.rulesemporium.com

[EMAIL PROTECTED]

2006-05-09 Thread jdow

Is bouncing messages from the list to the original senders with protocol
error complaints. It might be nice to unsubscribe him until he gets it
fixed.

{^_^}