Detecting active config as a user
Hello All-

My primary mail acct is hosted on a legacy Solaris 5.8 Sun box, with SA 2.6 installed. I have been getting a ton of mail - 8k msgs per day, to my desktop client. It killed a hard drive! So I am attempting to look into the config myself. No one else has time to do this for this account.

I read a lot of docs. I found the .spamassassin dir. In user_prefs, I added a long list of whitelist_from, 1 blacklist_from, set whitelist value to 1, and lowered score needed to 4. I found the auto-whitelist files with a lock dating back to May. That didn't look right to me, so I rm'd the lock file, and cleared auto-whitelist.dir and auto-whitelist.pag. I ran sa-learn with a multi-thousand spam mbox. That seemed to execute fine, and the bayes_toks/bayes_seen were updated.

But I am suspicious that no emails landing on my client have the SA X-Headers. When looking at the list of processes, I see a bunch of sendmail/imapd, and occasionally some spamc's. I have no admin privs on this machine. How can I verify that SA is working on each mail I am getting? Is there some other step I should take?

btw- my /var/mail/xxxuser file was 700+mb. I cleared it. I have all my mail on my desktop. If I miss a few things now, it's ok, if I can fix this horrendous deluge.

thanks in advance
-Brian

__
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
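One way to answer the question above (is SA actually stamping every delivered message?), as an added example that is not part of the original post: walk an mbox such as /var/mail/xxxuser, list the messages that carry no X-Spam-Status header at all, and collect the required_hits threshold SA wrote into the ones it did stamp, which shows whether user_prefs is being honoured. The mbox content is constructed; SAMPLE_MBOX, audit_mbox and write_sample_mbox are names chosen here.

```python
"""Audit an mbox for SpamAssassin's X-Spam-* headers (constructed sample, not real mail)."""
import mailbox
import os
import re
import tempfile

# Constructed mbox: two messages SA stamped (one flagged, one not) and one it never saw.
SAMPLE_MBOX = """From alice@example.invalid Sun Jun 25 00:46:29 2006
From: alice@example.invalid
Subject: hello
X-Spam-Checker-Version: SpamAssassin 2.60 (constructed)
X-Spam-Status: No, hits=1.2 required=4.0 tests=NONE version=2.60

hi there

From bob@example.invalid Sun Jun 25 00:47:00 2006
From: bob@example.invalid
Subject: ***SPAM*** buy now
X-Spam-Checker-Version: SpamAssassin 2.60 (constructed)
X-Spam-Status: Yes, hits=9.8 required=4.0 tests=BAYES_99 version=2.60
X-Spam-Flag: YES

cheap stuff

From carol@example.invalid Sun Jun 25 00:48:00 2006
From: carol@example.invalid
Subject: untouched

no SA headers at all, so this one bypassed the filter
"""

# SA 2.x writes "hits=", SA 3.x writes "score="; accept both.
STATUS_RE = re.compile(r"(?:hits|score)=(-?[\d.]+)\s+required=([\d.]+)")


def audit_mbox(path):
    """Count stamped / flagged / unstamped messages and the threshold(s) SA applied.

    A message without X-Spam-Status never went through SA (or was delivered by a
    path that bypasses it).  'thresholds' shows the required_hits SA really used,
    so a user_prefs change such as 'required_hits 4' can be confirmed per message.
    """
    report = {"total": 0, "scanned": 0, "flagged": 0,
              "unscanned": [], "thresholds": set()}
    for msg in mailbox.mbox(path):
        report["total"] += 1
        status = msg.get("X-Spam-Status")
        if status is None:
            report["unscanned"].append(msg.get("Subject", "(no subject)"))
            continue
        report["scanned"] += 1
        if status.strip().lower().startswith("yes"):
            report["flagged"] += 1
        m = STATUS_RE.search(status)
        if m:
            report["thresholds"].add(float(m.group(2)))
    return report


def write_sample_mbox():
    """Write the constructed sample to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    # On the real box: audit_mbox("/var/mail/xxxuser")
    r = audit_mbox(write_sample_mbox())
    print(f"{r['scanned']}/{r['total']} stamped by SA, {r['flagged']} flagged, "
          f"required_hits seen: {sorted(r['thresholds'])}")
    for subj in r["unscanned"]:
        print("  never scanned:", subj)
```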
Re: Sa-update and proxy servers
Michael Scheidell [EMAIL PROTECTED] [24-06-2006 17:28]:
[...]
> I now need to set a proxy server to do sa-updates through, but could not find any information on settings for a proxy server.

echo 'alias sa-update="http_proxy=http://login:[EMAIL PROTECTED]:port/ sa-update"' >> ~/.profile

?

--
Radosław Zieliński [EMAIL PROTECTED]
Re: razor2 - strange --lint messages
Hi,

Did you do:
'razor-admin -discover'
'razor-admin -register'
after installing razor?

KR
Nigel

On Sun, 25 Jun 2006 10:58:53 +0200, numE [EMAIL PROTECTED] wrote:
> Hi,
> i installed spamassassin and razor2 via cpan. but i get this message, when running spamassassin --lint
> ---
> [729] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC
> [729] dbg: razor2: razor2 is not available
> [729] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x92726b8)
> ---
> razor2 not available, but it was registered?! hmm?
>
> greetings, Thadeus
RE: Sa-update and proxy servers
Wonder if that would help the cronjob. Guess that might do it. Especially since sa-update does use the LWP libraries. That's just like *NIX utilities. 57 varieties of how to do the same job.
Re: razor is not working ...
Hmm, I know I installed razor, because I just ran a razor-report.

razor-report -v
Razor Agents 2.82, protocol version 3

Any idea why spamassassin is saying it's not available?

config in local.cf:
use_razor2 0
razor_config /etc/mail/spamassassin/.razor/razor-agent.conf

I have tried both use_razor2 1 and use_razor2 0, and it still gets the same error.

My spamd start up option:
SPAMDOPTIONS=-d -c -m5 -H

Is there anything wrong with my setup? Thanks.
SpammAssassin on WHM/Cpanel
I have a reseller shared hosting account under WHM/Cpanel software. (In other words I'm not a systems admin.) The Cpanel is a control panel for web hosting. The implementation includes Spamassassin (SA).

From what I have seen on shared hosting, Cpanel is probably the most heavily used domain hosting control panel and consequently the way a large proportion of standard SA users obtain access to SA. There seem to be some problems either in Cpanel or SA in the places where I have used it.

As implemented, the various parameters for SA can only be set from the Cpanel control panel. Only the administrator of the domain has access to this. While the individual email users do get their own email control panel, it does not contain any ability to turn on and set up the SA parameters. Since each actual email user is likely to have a different email client which they may or may not want to integrate with SA, and different needs in terms of spam elimination versus ensuring no email is inadvertently missed, the setup should be done by the email user, not the domain administrator.

Questions:

1) Is there some way for the server system administrator who is using WHM/CPanel to change the default configuration so that SA setup is on the Webmail control panel rather than the Cpanel interface? If so, what do I have to tell the system admin to do?

2) Assuming there is no easy way to do this, is the problem in the way cpanel is implemented or in the way SA is implemented?

3) I notice mention of the need to feed spam and ham to SA. The cpanel interface doesn't seem to have any interface for the email user to tell it that what was identified as spam was ham or that what was specified as ham was in fact spam. Should there be such an interface, or is there one already that I just haven't understood? With my Mozilla Mail client I keep telling it all the time what I believe is junk and what is not.

Thanks
Ken
Re: Re: razor is not working ...
Hi,

Did you enable:
loadplugin Mail::SpamAssassin::Plugin::Razor2
in your /etc/mail/spamassassin/v310.pre file?

KR
Nigel

On Sun, 25 Jun 2006 09:51:50 -0400, Screaming Eagle [EMAIL PROTECTED] wrote:
> Hmm, I know I installed razor, because I just ran a razor-report.
>
> razor-report -v
> Razor Agents 2.82, protocol version 3
>
> Any idea why spamassassin is saying it's not available?
>
> config in local.cf:
> use_razor2 0
> razor_config /etc/mail/spamassassin/.razor/razor-agent.conf
>
> I have tried both use_razor2 1 and use_razor2 0, and it still gets the same error.
>
> My spamd start up option:
> SPAMDOPTIONS=-d -c -m5 -H
>
> Is there anything wrong with my setup? Thanks.
Re: Re: razor is not working ...
Yeah, it's in init.pre and I just moved it to v312.pre and it still has the same error. Any idea?
Bounced messages for email from forged email addresses for a hosted domain - need opinions
Does it do any good to complain to the ISP that accepted the original email with a forged email address that uses a domain name that I administer?

I administer a number of domain names that are being used in the forged email addresses for spam that is sent to recipients on other servers. Some people call this a JoeJob. Obviously, I can't prevent this, although I can use SPF with HARDFAIL to help the recipient server identify that the email address has been forged.

The problem is that my server receives numerous bounced messages from the recipient servers because the recipients do not exist or do not accept the spam. Of course, I can reject or delete the bounced messages if the forged email address does not exist.

However, I would like to be more proactive and complain to the ISP that accepted the original email. The bounced message often includes the Full Headers for the original email message. Most of these emails originate on many different IP Addresses. I assume that these machines are zombies or part of a network of machines that spammers control. Will the ISP take action if they receive a complaint? The ISPs are all over the world, not concentrated in one region or country.

Jim

-
Jim Hermann [EMAIL PROTECTED]
UUism Networks http://www.UUism.net
Ministering to the Needs of Online UUs
Web Hosting, Email Services, Mailing Lists
-
RE: SPF_SOFTFAIL not working properly
> On 6/24/2006 11:14 AM, Jim Hermann - UUN Hostmaster wrote:
>> How do I debug the SPF Module during SA Operations? I have had another email marked as SPF_SOFTFAIL during the first receipt and the From domain does not have a TXT SPF record. When I isolated the message and ran it again, it was processed without any errors. I suspect that there is a problem with the timeout routines in Mail::SPF::Query and Mail::Spamassassin::Plugin::SPF. When I increased the spf_timeout to 15, I did not have any false positives. 5 seconds is a long time to do the DNS queries for just an SPF check.
>
> Any time the timeout is exceeded we explicitly treat this as a SOFTFAIL. Perhaps we'd be better off just having no result at all.

Considering that SOFTFAIL has a score, I recommend that a SPF timeout be something other than SOFTFAIL, probably the same as none. It needs its own comment too. Users need to know what happened.

I changed lines 318-319 in SPF.pm to:

$result ||= 'error'; # changed from softfail to error - jwh 6/24/06
$comment ||= 'lookup failed'; # added comment for error - jwh 6/24/06

Here is the result for my test file with the timeout set to the default of 5 seconds:

[25710] dbg: spf: checking EnvelopeFrom (helo=BABY, ip=125.214.61.195, [EMAIL PROTECTED])
| relmaxtop.com new: ipv4=125.214.61.195, [EMAIL PROTECTED], helo=BABY
|marileestewart relmaxtop.com localpart is marileestewart
|| marileestewart relmaxtop.com DirectiveSet->new(): doing TXT query on relmaxtop.com
|| marileestewart relmaxtop.com myquery: doing TXT query on relmaxtop.com
[25710] dbg: spf: query for [EMAIL PROTECTED]/125.214.61.195/BABY: result: error, comment: lookup failed

It works for me.

Jim
Re: SpammAssassin on WHM/Cpanel
At 07:11 25-06-2006, Ken Dawber wrote:
> I have a reseller shared hosting account under WHM/Cpanel software. (In other words I'm not a systems admin) The Cpanel is a control panel for web hosting. The implementation

This is the first time I see someone saying that. :)

> 1) Is there some way for the server system administrator who is using WHM/CPanel to change the default configuration so that SA setup is on the Webmail control panel rather than the Cpanel interface? If so, what do I have to tell the system admin to do?

That should be possible if the system admin writes the code to do that.

> 2) Assuming there is no easy way to do this, is the problem in the way cpanel is implemented or in the way SA is implemented.

The restrictions are in CPanel.

> 3) I notice mention of the need to feed spam ham to SA. The cpanel interface doesn't seem to have any interface for the email user to tell it what was identified as spam was ham or that what was specified as ham was in fact spam. Should there be such an interface or is there one already that I just haven't understood.

SpamAssassin does not come with an interface. The interface you see is implemented by CPanel. If you have ssh access, you can use sa-learn.

Regards,
-sm
Re: On bichromatic GIF stock spam
On Sat, 24 Jun 2006, Philip Prindeville wrote:
> the text and the images. The spammers send multipart/alternative because they want the text/plain section to confuse the Bayes filters, since they know it won't be rendered...

It seems to me that right there is the spam sign you should be looking for, then, and save all the heavy-duty mathematical analysis of the images themselves.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
 ...every time I sit down in front of a Windows machine I feel as if
 the computer is just a place for the manufacturers to put their
 advertising.              -- fwadling on Y! SCOX
--
RE: SpammAssassin on WHM/Cpanel
-Original Message-
From: Ken Dawber [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 25, 2006 10:12 AM
To: users@spamassassin.apache.org
Subject: SpammAssassin on WHM/Cpanel

> I have a reseller shared hosting account under WHM/Cpanel software. (In other words I'm not a systems admin) The Cpanel is a control panel for web hosting. The implementation includes Spamassassin (SA)
>
> From what I have seen on shared hosting, Cpanel is probably the most heavily used domain hosting control panel and consequently the way a large proportion of standard SA users obtain access to SA. There seems to be some problems either in Cpanel or SA in the places where I have used it.
>
> As implemented, the various parameters for SA can only be set from the Cpanel control panel. Only the administrator of the domain has access to this. While the individual email users do get their own email control panel, it does not contain any ability to turn on and set up the SA parameters. Since each actual email user is likely to have a different email client which they may or may not want to integrate with SA and different needs in terms of spam elimination versus ensuring no email is inadvertently missed, the setup should be done by the email user, not the domain administrator.

I don't know anything about the programming internals of Cpanel, but I do have several Cpanel admin (website) accounts. So, generally speaking...

Cpanel uses a very very basic implementation of SA. It is best not to even use it IMO. It is nearly worthless. It does not have most tests enabled that the full SA does, when setup correctly. It also does not use bayes. What you see in Cpanel for SA is what you get. Remember, with Cpanel you are sharing a SINGLE server with many other websites in a shared hosting environment. That is why Cpanel has to set it up so generic.

It would be best to put a real SA server in front of your Cpanel inbound email server. Set it up the way you want it for your domain. The SA server can be at a different location, and use Postfix transport map to send the SA filtered email back to the Cpanel server for delivery. Disable Cpanel SA implementation altogether. (that is how I run it)
Re: On bichromatic GIF stock spam
John D. Hardin wrote:
> On Sat, 24 Jun 2006, Philip Prindeville wrote:
>> the text and the images. The spammers send multipart/alternative because they want the text/plain section to confuse the Bayes filters, since they know it won't be rendered...
>
> It seems to me that right there is the spam sign you should be looking for, then, and save all the heavy-duty mathematical analysis of the images themselves.

A lot of mailers generate multipart/alternative legitimately, though if you ask me sending both text/plain and text/html is bogus and no one should configure their mailer to do that.

-Philip
Re: On bichromatic GIF stock spam
On Sun, 25 Jun 2006, Philip Prindeville wrote:
> John D. Hardin wrote:
>> On Sat, 24 Jun 2006, Philip Prindeville wrote:
>>> The spammers send multipart/alternative because they want the text/plain section to confuse the Bayes filters, since they know it won't be rendered...
>>
>> It seems to me that right there is the spam sign you should be looking for, then, and save all the heavy-duty mathematical analysis of the images themselves.
>
> A lot of mailers generate multipart/alternative legitimately,

No, I was thinking of multipart/alternative where one of the alternative streams is nothing but images. That doesn't strike me as legitimate.

Can anyone think of a scenario where images *are* a legitimate alternative representation of text?
Re: Bounced messages for email from forged email addresses for a hosted domain - need opinions
On 25-Jun-06, at 12:58 PM, "Jim Hermann - UUN Hostmaster" [EMAIL PROTECTED] wrote:

> Does it do any good to complain to the ISP that accepted the original email with a forged email address that uses a domain name that I administer?
>
> I administer a number of domain names that are being used in the forged email addresses for spam that is sent to recipients on other servers. Some people call this a JoeJob. Obviously, I can't prevent this, although I can use SPF with HARDFAIL to help the recipient server identify that the email address has been forged.
>
> The problem is that my server receives numerous bounced messages from the recipient servers because the recipients do not exist or do not accept the spam. Of course, I can reject or delete the bounced messages if the forged email address does not exist.
>
> However, I would like to be more proactive and complain to the ISP that accepted the original email. The bounced message often includes the Full Headers for the original email message. Most of these emails originate on many different IP Addresses. I assume that these machines are zombies or part of a network of machines that spammers control. Will the ISP take action if they receive a complaint? The ISPs are all over the world, not concentrated in one region or country.
>
> Jim

Personally, nowadays I believe bouncing messages back to the alleged sender is a waste of resources and bandwidth with the amount of forgery going on. I wish that admins would configure their servers to stop that practice. Complaining to those admins I'm afraid will be an exercise in futility as trying to reach the right person will be nearly impossible and risks becoming a full time job in itself.

My vote would be for setting SPF for HARDFAIL as soon as is feasible, after all dealing with forgery is what SPF was designed for.

Sure, unless those ISPs are checking against SPF it may not help but that situation is getting better all the time as more and more SPF is being deployed.

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
T: 416-247-7740
F: 416-247-7503
Re: Bounced messages for email from forged email addresses for a hosted domain - need opinions
On Sun, 25 Jun 2006, Gino Cerullo wrote:
>> Does it do any good to complain to the ISP that accepted the original email with a forged email address that uses a domain name that I administer?
>
> Personally, nowadays I believe bouncing messages back to the alleged sender

That's not what he's asking. He wants to know whether asking ISPs to implement SPF checks (where they don't yet check SPF) will work.

> My vote would be for setting SPF for HARDFAIL as soon as is feasible, after all dealing with forgery is what SPF was designed for.
>
> Sure, unless those ISPs are checking against SPF it may not help but that situation is getting better all the time as more and more SPF is being deployed.

So how do we increase the use of SPF checks?
Re: Bounced messages for email from forged email addresses for a hosted domain - need opinions
On 25-Jun-06, at 5:51 PM, John D. Hardin wrote:
> On Sun, 25 Jun 2006, Gino Cerullo wrote:
>>> Does it do any good to complain to the ISP that accepted the original email with a forged email address that uses a domain name that I administer?
>>
>> Personally, nowadays I believe bouncing messages back to the alleged sender
>
> That's not what he's asking. He wants to know whether asking ISPs to implement SPF checks (where they don't yet check SPF) will work.

I'm not convinced that is what he meant but he wasn't clear about it so I won't argue with you on that point. I still think trying to contact those ISPs directly will be an exercise in futility but if he wants to try it certainly won't hurt.

>> My vote would be for setting SPF for HARDFAIL as soon as is feasible, after all dealing with forgery is what SPF was designed for.
>>
>> Sure, unless those ISPs are checking against SPF it may not help but that situation is getting better all the time as more and more SPF is being deployed.
>
> So how do we increase the use of SPF checks?

Ahhh! The million dollar question and one probably better suited to the SPF mailing lists...but since you asked.

Evangelize. If you believe in a technology and its benefits talk to people about it and hopefully your passion will rub off on them and they will turn around and do the same. Word-of-mouth is one of the best ways to spread...well...'The Word' but it works best when you are talking to people who value your opinion or at least are asking for it directly. That's why I feel an email from a stranger on the other side of the world who's tired of dealing with you bouncing messages back to him probably will have little influence. Although, it may make the person on the other side of that email aware of a tech they may not otherwise be aware of, that's why I also say it couldn't hurt.

--
Gino Cerullo
RE: Bounced messages for email from forged email addresses for a hosted domain - need opinions
>>> Personally, nowadays I believe bouncing messages back to the alleged sender
>>
>> That's not what he's asking. He wants to know whether asking ISPs to implement SPF checks (where they don't yet check SPF) will work.
>
> I'm not convinced that is what he meant but he wasn't clear about it so I won't argue with you on that point.

There are at least two ISPs involved:

Spammer A => SMTP Server B => Recipient Server C => (Bounce) => Forged Email Server D

As the Email Server D, I was asking about complaining to SMTP Server B, since Spammer A was probably an authenticated user.

I already use SPF HARDFAIL, so I could ALSO complain to Recipient Server C about NOT using SPF to reject the email from SMTP Server B.

Jim
Re: Bounced messages for email from forged email addresses for a hosted domain - need opinions
On 25-Jun-06, at 7:22 PM, John D. Hardin wrote:
> On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:
>> There are at least two ISPs involved:
>>
>> Spammer A => SMTP Server B => Recipient Server C => (Bounce) => Forged Email Server D
>
> I don't think that's the case for most spam these days. For a spambotnet of compromised home systems, you'll see:
>
> Spambot A => Recipient Server C => (Bounce) => Forged Email Server D

I think you've just proved my point. It's too hard to try and determine who to contact in these situations.

>> I already use SPF HARDFAIL, so I could ALSO complain to Recipient Server C about NOT using SPF to reject the email from SMTP Server B.
>
> Agreed.

Again, this has merit but your approach will determine how successful you are. Also, it may be easier to determine who to approach about the subject.

--
Gino Cerullo
Re: On bichromatic GIF stock spam
On Sun, 25 Jun 2006, John D. Hardin wrote:
> On Sun, 25 Jun 2006, Philip Prindeville wrote:
>> John D. Hardin wrote:
>>> On Sat, 24 Jun 2006, Philip Prindeville wrote:
>>>> The spammers send multipart/alternative because they want the text/plain section to confuse the Bayes filters, since they know it won't be rendered...
[snip..]
> No, I was thinking of multipart/alternative where one of the alternative streams is nothing but images. That doesn't strike me as legitimate.
>
> Can anyone think of a scenario where images *are* a legitimate alternative representation of text?

Sounds good in theory but difficult to implement. The HTML part is not empty, contains comments, font control junk, and 'glue' to stitch together those multiple fragment gifs. So you'd have to run it thru a html parsing engine (à la lynx or pine) to determine that the textual components render down to nothing.

Here's what works for me; I wrote a collection of custom rules that recognizes that particular HTML structure and gave it a small but sufficient score. (sufficient in this case is enough to make up the difference between my spam threshold and a BAYES_99 score but not so large as to cause FPs for legit messages that also have that structure). So that MIME structure + BAYES_99 == spam. Then by keeping bayes reasonably well fed those things get hit pretty reliably. That way network tests (RBLs, Razor, DCC, etc) are just icing on the cake.

Dave

--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
Re: On bichromatic GIF stock spam
On Sun, 25 Jun 2006, David B Funk wrote:
> On Sun, 25 Jun 2006, John D. Hardin wrote:
>> No, I was thinking of multipart/alternative where one of the alternative streams is nothing but images. That doesn't strike me as legitimate.
>>
>> Can anyone think of a scenario where images *are* a legitimate alternative representation of text?
>
> Sounds good in theory but difficult to implement. The HTML part is not empty, contains comments, font control junk, and 'glue' to stitch together those multiple fragment gifs.

D'oh! I forgot about the HTML glue... So it degenerates to a standard multipart/alternative text + html message. Rats.
Fwd: Detecting active config as a user
update- after reading more docs ;-)

I have verified that SA is active and reachable from my acct, using SA sampleMsg.txt.

Debug shows that the Bayes filter is not being used, because
  debug: cannot use bayes on this message; db not initialised yet
I just db_dump'd and db_loaded bayes_toks, same error. However, the result _is_ scored and marked.

Razor2 is found, apparently. pyzor is not found, apparently. My user_prefs is working, 'cause my lowered score to 4 is acknowledged. spamassassin --lint comes back clear [no output].

Aside from fixing the bayes and pyzor, what I really want to do is just have the thing run at all. For that, the theory of operation would be helpful (newb warning).

So I have a file in /var/mail/xxxuser. It is rw for owner and group. I want to run the SA filter on it, periodically. Whatever is set up now, is not working. spamd has something to do with this...

How to proceed ?

thanks in advance
-brian

--- Brian Hamlin [EMAIL PROTECTED] wrote:
> Date: Sun, 25 Jun 2006 00:46:29 -0700 (PDT)
> From: Brian Hamlin [EMAIL PROTECTED]
> Subject: Detecting active config as a user
> To: users@spamassassin.apache.org
Re: On bichromatic GIF stock spam
On Sun, Jun 25, 2006 at 12:49:17PM -0600, Philip Prindeville wrote:
> No, I was thinking of multipart/alternative where one of the alternative streams is nothing but images. That doesn't strike me as legitimate.
>
> Can anyone think of a scenario where images *are* a legitimate alternative representation of text?

Sure, it's the same idea as having PDF as an alternate representation. A picture is worth a thousand words and all that.

However, with that said, the question/answer isn't actually telling you anything useful in this situation. You want to know whether or not m/a parents w/ non-text children is a useful spam sign... Well, let's instrument it and see... run the spam v. ham numbers. It's not bad (taking into account multipart/related children as well):

1.909 2.3080 0.1.000 1.000.01 T_MULTIPART_ALT_NON_TEXT

--
Randomly Generated Tagline:
I'd rather get it right than get it done on Tuesday. - J. Michael Straczynski
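An added example, not code from the list or from SpamAssassin's own rules, of the check the three messages above circle around: for each branch of a multipart/alternative, decide whether it renders any visible text, descending into a multipart/related branch (Theo's "taking into account multipart/related children") and treating HTML that is nothing but comments, font tags and image tags as the "glue" Funk describes, which renders to nothing. The two sample messages are constructed, and visible_text is a crude stand-in for the lynx-style rendering Funk mentions, not a real HTML parser.

```python
"""Does a multipart/alternative offer an image-only branch? (constructed samples)"""
import re
from email.message import EmailMessage

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
TAG_RE = re.compile(r"<[^>]+>")
WS_RE = re.compile(r"\s+")
GIF_STUB = b"GIF89a\x01\x00\x01\x00"  # placeholder bytes standing in for an image tile


def visible_text(html):
    """Crude renderer: drop comments and tags, keep what a reader would see.
    Good enough for this demo; use a real HTML parser for production rules."""
    text = COMMENT_RE.sub("", html)
    text = TAG_RE.sub(" ", text).replace("&nbsp;", " ")
    return WS_RE.sub(" ", text).strip()


def branch_renders_text(part):
    """True if this alternative branch yields any visible text.  A multipart/related
    branch counts only if something inside it does, so HTML glue that merely
    positions image fragments, plus the images themselves, yields False."""
    if part.is_multipart():
        return any(branch_renders_text(p) for p in part.iter_parts())
    if part.get_content_type() == "text/html":
        return bool(visible_text(part.get_content()))
    if part.get_content_maintype() == "text":
        return bool(part.get_content().strip())
    return False  # image/*, application/* and friends are not text


def has_image_only_alternative(msg):
    """True if any multipart/alternative in msg has a branch with no text at all."""
    for part in msg.walk():
        if part.get_content_type() == "multipart/alternative":
            if any(not branch_renders_text(b) for b in part.iter_parts()):
                return True
    return False


def image_stock_spam():
    """Constructed: text/plain filler + multipart/related(html glue, two gif tiles)."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Unrelated filler prose aimed at the Bayes filter.")
    glue = EmailMessage()
    glue.add_related(
        '<html><!-- noise --><body><font size="1">'
        '<img src="cid:a"><img src="cid:b"></font></body></html>',
        subtype="html")
    glue.add_related(GIF_STUB, maintype="image", subtype="gif", cid="<a>")
    glue.add_related(GIF_STUB, maintype="image", subtype="gif", cid="<b>")
    msg.make_alternative()  # moves the plain-text body into the first branch
    msg.attach(glue)        # second branch: the related html+images bundle
    return msg


def legit_text_and_html():
    """Constructed: the ordinary text + html pair most mailers emit."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("Meeting moved to 3pm.")
    msg.add_alternative(
        "<html><body><p>Meeting moved to <b>3pm</b>.</p></body></html>",
        subtype="html")
    return msg


if __name__ == "__main__":
    for name, builder in (("image-stock spam", image_stock_spam),
                          ("legit text+html", legit_text_and_html)):
        print(f"{name}: image-only alternative = {has_image_only_alternative(builder())}")
```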
was: detect active config, now: Start it Up
all-

i read the theory of operation on the wiki for spamd. Still wondering... Since I am not installing a new SA as a user, the existing SA is there, but for whatever reason is not active for my acct, yet is reachable and basically functioning... There must be a magic line in the original install scripts that setup spamd. I want to run that line, now, for my user acct.

There was a typo in the original post, the OS is Solaris, but referred to as SunOS, 5.8, as best as I can gather.

Also, ironically, I just noticed that the Yahoo acct I am using to send this with ('cause my mail is broken) has at the bottom 'we have the best spam filter'. hmmm

Thanks in advance for any hints or insights
-Brian

__
Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Examples of Received Headers
Here are examples of the Received Headers for the type of spam that are being sent with forged email addresses for a domain that I host. These are the last 10 bounced messages that I received, so it is fairly representative. Granted, 3 out of 10 messages originated in Romania. However, 3 out of 10 messages originated in the US.

I am looking at the first (bottom) Received Header in each case. I send complaints to the abuse email address listed in the WHOIS record for this IP Address. Do you think that these are victims of some sort that their ISP would want to help?

Jim

BTW, Notice that the HELO signatures have an identifying characteristic:

ljxr.pzt
mclbfk.wdui
zsgnwd.zctjrq
tmoju.zxlvfn
sq.ywima
sejah.nehj
btm.ssp
ggav
monmib

They look randomized to me.
RE: detect active config, now: Start it Up
-Original Message-
From: Brian Hamlin [mailto:[EMAIL PROTECTED]
Sent: Sunday, June 25, 2006 11:24 PM
To: users@spamassassin.apache.org
Subject: was: detect active config, now: Start it Up

> all- i read the theory of operation on the wiki for spamd. Still wondering... Since I am not installing a new SA as a user, the existing SA is there, but for whatever reason is not active for my acct, yet is reachable and basically functioning...

I'm not sure anyone is going to be able to answer your questions since you don't seem to be coming at it from the admin side. But I can tell you that SA requires you to use the 'filter' user account (whatever that is on your system) to send an email through SA. So, make sure you SU (super user) to use the filter user account that calls SA before you try to send a test email through SA.
Re: [SPAM] Examples of Received Headers
On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:

> Here are examples of the Received Headers for the type of spam that are being sent with forged email addresses for a domain that I host.

The Received headers in spams cannot be trusted, except for the Received headers put in by relays run by *you* or someone you trust. Received headers are trivially easy to forge and carry very little useful information in spams.

> These are the last 10 bounced messages that I received, so it is fairly representative.

It's not clear from your description whether these Received headers are from the spams or from the bounces.

> I send complaints to the abuse email address listed in the WHOIS record for this IP Address.

As I said above, you can't trust a Received header unless your server put it there. If you are responding to the earliest Received header in a spam, then you are at best wasting your time, at worst confirming the validity of your email address.

> Do you think that these are victims of some sort that their ISP would want to help?

You need to contact the ISP that sent you the bounce message, NOT the ISP that sent the spam. The ISP that the spammer targeted is the one you want to talk into implementing SPF checks.

-- 
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Apparently the Bush/Rove idea of being a fiscal conservative is to spend money like there's no tomorrow, run up huge deficits, and pray the Rapture happens before the bills come due.
-- atul666 in Y! SCOX forum
---
RE: Start it up
I am putting along with Perl. I just wrote a script that loops through my mail, reads a msg, sends it to SA, then writes it out to a new mbox. When it is done, it copies the new mbox into the system one.

* horribly slow
* will miss mails
* maybe I made more mistakes

but it is better than the alternative at the moment. ideas still welcome.

-Brian

ps- yes, I am just a user here.. If I had something very specific to ask an admin, maybe I could get them to do it for me.. I am not sure what that might be in terms of the filter account, but I appreciate the cycles...
Re: Bounced messages for email from forged email addresses for a hosted domain - need opinions
On Monday, 26 June 2006 01:36 Gino Cerullo wrote:

> Spambot A = Recipient Server C = (Bounce) = Forged Email Server D
> I think you've just proved my point. It's too hard to try and determine who to contact in these situations

Do it like Spamcop does with SPAM: Contact *everybody* in the chain, and complain to them. Some sort of SPFcop would be nice for that..

Regards,
zmi
-- 
// Michael Monnerie, Ing.BSc - http://it-management.at
// Tel: 0660/4156531 .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi3.asc | gpg --import
// Fingerprint: 44A3 C1EC B71E C71A B4C2 9AA6 C818 847C 55CB A4EE
// Keyserver: www.keyserver.net Key-ID: 0x55CBA4EE
RE: [SPAM] Examples of Received Headers
> On Sun, 25 Jun 2006, Jim Hermann - UUN Hostmaster wrote:
>
> > Here are examples of the Received Headers for the type of spam that are being sent with forged email addresses for a domain that I host.
>
> The Received headers in spams cannot be trusted, except for the Received headers put in by relays run by *you* or someone you trust. Received headers are trivially easy to forge and carry very little useful information in spams.

These are Received Headers provided by the ISP that sent me the bounce message, not because of spam, but because the recipient did not exist. They put the Original Spam Full Headers in the message that they sent to me. If I can trust that my server identified the last server and the last server was the recipient server, then I think I can trust that they sent me the Full Headers as they received them.

Yes, I know that the prior Received Headers could be forged. I don't think that these spambots are bothering to try to forge the Received Headers. Usually the first two Received Headers have IP Addresses assigned to the same ISP.

SPF is not enough. It does not eliminate the zombie or spambot.

Jim
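The disagreement above comes down to where the trust boundary in a Received chain sits. The following is an added example, not code from this thread and not SpamAssassin's implementation: it walks the chain top-down, believes only headers written by relays you operate, reports the first peer outside them as the host that actually delivered the message, and lists every hop below that (the ones with HELO names like ljxr.pzt) as unverified, since only that peer vouches for them. The trusted network 192.0.2.0/24, the relay names mx.example.net and relay2.example.net, and the sample message (modelled on the first chain Jim posted, with those relays placed in front) are constructed for the example. SpamAssassin's own knob for this is trusted_networks.

```python
"""Find the trust boundary in a message's Received chain (added example).

Received headers are read top-down (most recent first). Each was written by
the 'by' host and records the 'from' peer it accepted the mail from. Only
headers written by relays we run are believed, so we walk down until the
'from' address is outside our own networks: that IP is the peer that really
handed us the message. Everything below it was supplied by that peer.
"""
import ipaddress
import re
from email import message_from_string

# Constructed for this example: networks whose Received headers we trust
# because we operate the relays (analogue of SpamAssassin's trusted_networks).
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
HELO_RE = re.compile(r"\(HELO\s+([^)\s]+)\)|helo=([^)\s]+)", re.IGNORECASE)
FROM_BY_RE = re.compile(r"\s*from\s+(.*?)\s+by\s", re.IGNORECASE)


def parse_received(value):
    """Return (ip, helo) for one Received header value.

    Returns (None, None) for forms without a 'from <peer> ... by' clause,
    such as qmail's '(qmail NNN invoked from network)'.
    """
    value = " ".join(value.split())          # unfold continuation lines
    m = FROM_BY_RE.match(value)
    if not m:
        return None, None
    from_clause = m.group(1)
    ip_m = IPV4_RE.search(from_clause)
    helo_m = HELO_RE.search(from_clause)
    if helo_m:
        helo = helo_m.group(1) or helo_m.group(2)
    else:
        # 'from <name> (...)': the first token is the name the peer announced
        first = from_clause.split()[0]
        helo = None if first.startswith("[") or first.lower() == "unknown" else first
    return (ip_m.group(1) if ip_m else None), helo


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def helo_looks_random(helo):
    """Crude triage hint for names like 'ljxr.pzt': almost no vowels among
    the letters. A hint to eyeball in a report, not a verdict."""
    if not helo:
        return False
    letters = [c for c in helo.lower() if c.isalpha()]
    if not letters:
        return False
    return sum(c in "aeiou" for c in letters) / len(letters) < 0.25


def analyze(msg):
    """Split the Received chain at the trust boundary.

    Returns {'origin': (ip, helo) or None, 'unverified': [(ip, helo, random?)]}.
    'origin' is the first peer outside TRUSTED_NETWORKS; 'unverified' lists
    the hops claimed below it, which only that peer vouches for.
    """
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    origin = None
    unverified = []
    for ip, helo in hops:
        if origin is None:
            if ip is None or is_trusted(ip):
                continue                      # still inside our own relays
            origin = (ip, helo)
        elif ip is not None:
            unverified.append((ip, helo, helo_looks_random(helo)))
    return {"origin": origin, "unverified": unverified}


# Constructed sample: the first chain from the post with our own relays
# (192.0.2.0/24, constructed) placed in front of it.
SAMPLE = """\
Received: from relay2.example.net (relay2.example.net [192.0.2.20])
    by mx.example.net with ESMTP id 0001; Mon, 26 Jun 2006 09:34:00 +0800
Received: from p7143-ipbf1101marunouchi.tokyo.ocn.ne.jp (p7143-ipbf1101marunouchi.tokyo.ocn.ne.jp [124.101.228.143])
    by relay2.example.net (8.8.8/8.8.8) with SMTP id JAA13691; Mon, 26 Jun 2006 09:33:54 +0800 (CST)
Received: (qmail 10158 invoked from network); Mon, 26 Jun 2006 10:33:43 +0900
Received: from unknown (HELO ljxr.pzt) (124.101.173.135)
    by p7143-ipbf1101marunouchi.tokyo.ocn.ne.jp with SMTP; Mon, 26 Jun 2006 10:33:43 +0900
From: forged@example.org
To: nobody@example.net
Subject: constructed sample

(body)
"""


def analyze_text(raw):
    return analyze(message_from_string(raw))


if __name__ == "__main__":
    result = analyze_text(SAMPLE)
    print("peer that delivered the message:", result["origin"])
    for ip, helo, rnd in result["unverified"]:
        print("unverified hop:", ip, "helo=%s" % helo, "(random-looking)" if rnd else "")
```

Run against the sample, the origin is 124.101.228.143 (the ocn.ne.jp host that spoke to our relay), and the 124.101.173.135 / ljxr.pzt hop is reported as unverified. Note that the bottom-most header, which the complaint in the thread is based on, is exactly the hop this walk refuses to trust; the top header of the spam as the bouncing ISP saw it, which is what Jim is relying on, is trustworthy only if you trust that ISP's relay to have recorded it honestly.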
Re: Bounced messages for email from forged email addresses for a hosted domain - need opinions
Michael Monnerie [EMAIL PROTECTED] writes:

> Do it like Spamcop does with SPAM: Contact *everybody* in the chain, and complain to them. Some sort of SPFcop would be nice for that..

Or even use SpamCop itself. Bounces to forged emails are now considered legitimate for reporting to spamcop. This is what I do, together with a note saying that I use SPF and that it is not a good idea to accept email (using SMTP) and subsequently bounce it to a forged address.