Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-14 Thread hamann . w

>> 
>> Ken A wrote:
>> > Don't accept mail for non-existent users. Your MTA should reject it.
>> 
>> Yeah, we should. Not quite there yet.
>> 
>> In spite of that, I thought it may be a good test to do anyway. Even if 
>> the mail is addressed to an existent user, if the MX for the sender 
>> domain is DNSed to the localhost address, there's no way (in my 
>> thinking) that it's a legitimate email, unless a clueless admin has 
>> accidentally DNSed the MX for their domain to be the localhost address.
>> 
>> A mechanism that does what I propose would probably have a pretty short 
>> useful life anyway, I suppose - the arms race would move forward, such 
>> that spammers wouldn't DNS their MXes to the localhost address when such 
>> a test was prevalent in the community.
>> 

Hi,

I found a few of these trying to send mails to people ordering stuff through
the website and then getting an order confirmation etc.
It seems that one particular DNS provider's web form makes it easy to configure
that rubbish, and when I mailed the DNS provider about the fact, I had the
impression they did not even understand my concerns.

Cure: a) the web order form checks whether there is an MX or A anyway, so it
can also check for 127 or 192.168
b) changes to the MTA so that an unroutable return path is treated as no return
path __unless the mail came in from localnet in the first place__

I found a few more stupid admin setups as well ... like a municipal authority
sending their incoming mail back to the government MX that just scanned the mail
for them.

Wolfgang Hamann



Re: Report

2006-08-14 Thread Beast

[EMAIL PROTECTED] wrote:

> I don't understand your point.
>
> I run a Mac. I don't care for _any_ .exes period.

You could use your MTA to do a light content filtering, so it will
reject mail with .exe attachment at MTA level.

Try postfix.


--beast




Re: Rule for non-DK-signed mail from yahoo

2006-08-14 Thread SM

At 11:03 14-08-2006, Mark Martinec wrote:

> Having received a couple of messages faking to be from yahoo,
> despite FORGED_YAHOO_RCVD and a few other rules firing, the final
> score was not high enough. Since Yahoo! is signing their
> outgoing mail with DomainKeys, I came up with:
>
>   header   __L_FROM_YAHOO    From:addr =~ /[EMAIL PROTECTED]/i
>   meta     UNVERIFIED_YAHOO  __L_FROM_YAHOO && !DK_VERIFIED
>   priority UNVERIFIED_YAHOO  500
>   score    UNVERIFIED_YAHOO  5.0
>
> which seems to do its job.


The score is too high.  Some From: yahoo.com mail may not be DK 
signed.  DK verification may fail if the mail goes through mailing lists.


Regards,
-sm 



Re: SPF and SORBS problems

2006-08-14 Thread Daryl C. W. O'Shea

On 8/14/2006 6:45 PM, Xepher wrote:

> I've got a server configured with postfix and spamassassin. The
> mailserver is the only one for the domain, and thus receives mail from
> other servers, as well as letting users connect directly (with smtp
> auth) to send mail. Everything works fine, EXCEPT when users send email
> to each other. In those cases, the emails get tagged both by SPF_FAIL
> and RCVD_IN_SORBS_DUL as those tests see the email as coming from the
> user's personal IP address. I've tried
>
> whitelist_from_spf [EMAIL PROTECTED]
>
> in local.cf, but it doesn't work. Messages still get tagged with
> SPF_FAIL. I didn't see any similar option for the RBL stuff. Is there
> any way to do conditional tests, such that SMTP Auth messages get
> whitelisted? I don't know if there's a way in postfix to add a header
> only to auth connections? All I could find for postfix was address
> rewriting stuff, nothing about conditional situations like an
> authenticated user.
>
> Any help would be appreciated, as I'd really rather not disable SPF and
> RBL completely.


See the third heading on this wiki page that tells you how to resolve 
this specific issue:


http://wiki.apache.org/spamassassin/DynablockIssues


Daryl


Re: Report

2006-08-14 Thread Loren Wilton

> 2. the check isn't thorough enough because it doesn't consider
> other content-types whereby people hide executable attachments.


Suggestion:  you know the line in the plugin that is only checking the two 
content types.  You know the other content types you want to check.


Change the line in the plugin source, restart SA, and be done with it.


If you want to avoid having to do the same thing in a future release, you 
can also submit a bug report in Bugzilla.


   Loren



Re: Report

2006-08-14 Thread John D. Hardin
On Mon, 14 Aug 2006, Robert Nicholson wrote:

> You are failing to understand my point.
> 
> To me any message that has a .exe attachment is spam.

I understand you completely. You have internalized "bad email ==
spam". There are more nuances than that - bulk unsolicited commercial
solicitations and email worms are different abuses of the email
system, and the approaches to dealing with them properly and reliably
are different enough that it's better to use separate tools to do so.

> That's just how I work because I'm on a Mac therefore I'd like to
> use check_microsoft_executable whose job it is to bump up the
> score if there's an executable attachment. The problem right now
> is that
> 
> 1. this check is handled by the antivirus plugin. it probably
> shouldn't be as bumping the score because there's an attachment has
> nothing to do with anti-virus checking.
> 
> 2. the check isn't thorough enough because it doesn't consider
> other content-types whereby people hide executable attachments.

*that* is the problem. Expecting SA to verify the MIME type of an
attachment that is NOT used for delivering a commercial solicitation
dilutes its focus on effectively filtering commercial solicitations.

It's as wrong as trying to make an email virus filter try to behave as
though unsolicited bulk emails were viruses.

> Therefore. I don't care whether SA is an anti-virus tool or not
> it's completely irrelevant to me.

That's the view I would expect of an end user, not an administrator.
Granted you've never claimed that you are an administrator.

I hope that I've not offended you, I'm just trying to suggest that
there are better and more appropriate alternatives to achieve what you
seek.

> >> SPAM is not always the same for everybody.
> >
> > Sure it is. Spam (please don't capitalize the entire word - Hormel
> > gets annoyed) is Unsolicited Bulk Email.
> >
> >> In my case anything with .exe is SPAM because nobody will send me  
> >> a .exe
> >
> > Calling a worm "spam" does not make it spam.

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The fetters imposed on liberty at home have ever been forged out
  of the weapons provided for defense against real, pretended, or
  imaginary dangers from abroad.   -- James Madison, 1799
---



Re: Using SA to prevent bouncing spam?

2006-08-14 Thread David B Funk
On Mon, 14 Aug 2006, Ole Nomann Thomsen wrote:

> Hi, in order to avoid bouncing spam back to the (almost certainly) faked
> sender-addresses, I thought I could use SA directly:
>
> Suppose I configure it to substitute "<>" for the sender/reply-to in any
> spam? That way spam-generated bounces would be dumped. Unfortunately It
> doesn't seem possible:
>
> * "rewrite_header from" will let met insert rfc 2822 comments but not
> substitute entirely.
>
> * "remove_header" and "add_header" will only let me work on "X-spam-*"
> headers.
>
> So am I left with writing my own wrapper here? That means a lot of testing
> and double-testing, as I don't feel particularly lucky today.
>
> - Ole.

Other people have already commented on the issue of bouncing spam.

One detail that I think you don't understand: mail routing is controlled
by the envelope-sender and envelope-recipient addresses; the addresses
in the headers are ignored for that purpose. In most configurations SA
only gets to see/change the headers, it does not get to mess with the
envelope addresses at all.
Thus even if you could get SA to change the header addresses it wouldn't
have your desired effect.
Only your MTA gets to play with the envelope addresses, so any re-routing
you want to do will have to be done at the MTA level.

You need to look at something like MailScanner or amavisd-new which
integrate into your MTA.

-- 
Dave Funk                               University of Iowa
College of Engineering
319/335-5751   FAX: 319/384-0549        1256 Seamans Center
Sys_admin/Postmaster/cell_admin         Iowa City, IA 52242-1527
#include 
Better is not better, 'standard' is better. B{


Re: SPF and SORBS problems

2006-08-14 Thread Benny Pedersen
On Tue, August 15, 2006 02:23, Xepher wrote:

> I tried them, and still have the exact same problem. Any other ideas?

clear_internal_networks
internal_networks 127.0.0.1
clear_trusted_networks
trusted_networks 
trusted_networks 127.0.0.1

save my msg with full header

and then test my msg with

spamassassin 2>&1 -D -t mymsg

you should see where the problem is then

-- 
Benny



Re: Using SA to prevent bouncing spam?

2006-08-14 Thread John Andersen
On Monday 14 August 2006 01:44, Ole Nomann Thomsen wrote:
> Hi, in order to avoid bouncing spam back to the (almost certainly) faked
> sender-addresses, I thought I could use SA directly:

Why would you bounce spam, with or without spamassassin?

That is a MTA setting, and every MTA in existence today recommends you
NOT bounce either spam or viri.  

-- 
_
John Andersen




Re: Rule for non-DK-signed mail from yahoo

2006-08-14 Thread Mark Martinec
Thanks Justin and Daryl.

> > (a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to
> > use?
> I'd say yes.  DK signs the message, not the envelope.  I'm pretty sure
> the current milters look for a From: header to decide on what
> selector/etc to use.

Right, DK (as well as DKIM) uses addresses in the header, not envelope.
DK would choose Sender if it exists, otherwise a From, to obtain the
signer domain.  DKIM is more sophisticated (could use Resent-From,...), but
basically, for direct mail the From header field is the most important one.

> (b) are Y! signing all mail?  I would have assumed some systems are not
> yet using DK.

This is a key question here. I'd hope yes, since Yahoo was the leading
proponent in establishing this technology (now aiming for DKIM).

Although their policy record still says 'testing' and 'signs SOME mail':

$ host -t txt _domainkey.yahoo.com
  t=y\; o=~\; n=http://antispam.yahoo.com/domainkeys

I think they are just conservative, trying to avoid some broken recipient's 
mailer from rejecting their genuine mail, or to avoid problems with mailing 
lists invalidating signatures when their user posts there. 

> In 3.1.x, you have to set priority manually, unfortunately, to be higher
> than both of the subrules.  in 3.2.x, it'll do that automatically for you.

Thanks for the info.

> Personally I'd cut the score in half.

Ok, perhaps.

> Slow DNS could cause FPs -- I've seen it happen
> on mail from rogers.com which Y! runs. 

Interesting. Further experience is welcome. The _domainkey.yahoo.com
TXT policy record has TTL set to two hours, and one of their public
keys (s1024._domainkey.yahoo.com) has a lifetime of 24 hours - so a
local caching DNS resolver is likely to retrieve the policy from
its cache, or from any one of the 5 registered Yahoo name servers.
As far as I can tell, it is a global Yahoo thing, not something
pertaining to one or another of their servers.

What about gmail.com? They seem to be signing their mail too
(see: host -t txt beta._domainkey.gmail.com) but also avoid full
commitment in their policy (no policy => default policy).
Any experience there?

  Mark
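Added example, not from Mark's post or anyone else on the list: a Python parser for the DomainKeys policy record he quotes (taken as `host -t txt` prints it, escaped semicolons included) that turns the o= and t= tags into a verdict on what a missing or failed DK verification means for mail from that domain. For Yahoo's record the verdict is "unsigned-allowed", which is SM's objection to the 5.0 score expressed in code; the tag meanings follow RFC 4870 and the record text is the one quoted above.

```python
"""Parse a DomainKeys policy record (TXT at _domainkey.<domain>, RFC 4870) and
say whether an unsigned message from that domain actually contradicts what the
domain publishes.  Added example, not from the thread.  Input is the rdata as
printed by `host -t txt`, so escaped semicolons (\\;) are accepted."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DkPolicy:
    signs_all: bool          # o=-  ; o=~ (the RFC 4870 default) means "may sign some mail"
    testing: bool            # t=y  ; verifiers must not treat it as a stronger signal
    notes: Optional[str]     # n=   ; free-form notes (Yahoo puts a URL here)
    report: Optional[str]    # r=   ; reporting address, if published


def parse_dk_policy(txt: Optional[str]) -> DkPolicy:
    """`txt` is None when the domain publishes no policy record at all, which
    RFC 4870 treats exactly like o=~ (Mark's "no policy => default policy")."""
    tags: Dict[str, str] = {}
    if txt:
        # host(1) escapes ';' as '\;' and may wrap the rdata in quotes
        cleaned = txt.replace("\\;", ";").strip().strip('"')
        for part in cleaned.split(";"):
            part = part.strip()
            if not part:
                continue
            key, _, value = part.partition("=")   # first '=' only: n= may hold a URL
            tags[key.strip().lower()] = value.strip()
    return DkPolicy(
        signs_all=tags.get("o", "~") == "-",
        testing="y" in tags.get("t", "").lower(),
        notes=tags.get("n"),
        report=tags.get("r"),
    )


def unsigned_mail_verdict(policy: DkPolicy, dk_verified: bool) -> str:
    """What a missing/failed DK verification means under this policy.
    Only 'violates-policy' justifies a substantial score on its own;
    'unsigned-allowed' is exactly where a rule like UNVERIFIED_YAHOO at
    5.0 would false-positive (list mail, unsigned outbound hosts, ...)."""
    if dk_verified:
        return "signed"
    if not policy.signs_all:
        return "unsigned-allowed"
    if policy.testing:
        return "violates-policy-testing"   # RFC 4870: treat like unsigned mail
    return "violates-policy"


# Policy record quoted in the thread (output of `host -t txt _domainkey.yahoo.com`).
YAHOO_POLICY_TXT = "t=y\\; o=~\\; n=http://antispam.yahoo.com/domainkeys"

if __name__ == "__main__":
    pol = parse_dk_policy(YAHOO_POLICY_TXT)
    print(pol)
    print(unsigned_mail_verdict(pol, dk_verified=False))
```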



Re: SPF and SORBS problems

2006-08-14 Thread Xepher
Benny Pedersen wrote:
> i had the same problem once :-)
> 
> see attached
> 
> for rbl check the internal_networks and trusted_networks, spf test is disabled
> on internal networks, so make sure your smtp auth ip is not listed as internal
> in your spamassassin, but it should still be in trusted_networks
> 
> when this is done it works, at least here :-)
> 

Let me clarify, there is no "internal network" save the host itself.
This is a machine by itself on the internet, with users connecting from
various places all over the world. No ip address is trusted, except for
the mailserver itself.

The attached config had these two lines.

envelope_sender_header Return-Path
always_trust_envelope_sender 1

I tried them, and still have the exact same problem. Any other ideas?

--James


Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-14 Thread Tim Rosmus
On Tue, 15 Aug 2006, Guy Waugh wrote:

|# Theo Van Dinter wrote:
|# > On Tue, Aug 15, 2006 at 08:41:27AM +1000, Guy Waugh wrote:
|# > 
|# > > Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287: SYSERR(root):
|# > > localhost.fabulous.com. config error: mail loops back to me (MX problem?)
|# > > 
|# The above stuff appears in my logs when, for example, our MX receives
|# spam for an unknown local user and tries to bounce the mail back to the
|# sender. The sender domain's MX resolves to 127.0.0.1 (or similar), and
|# the above occurs. I was thinking of a test whereby something on my MTA
|# looks up the MX of every sender domain of every email, and if it
|# resolves to localhost, the email is rejected (discarded/whatever) at
|# that point.
|# 

In Postfix one can do this simply with the following.

# grep 127 mx-ns_cidr_access  (file containing CIDR blocks)
127.0.0.0/8 REJECT Loopback Address 127.0.0.0/8

in main.cf (whatever restriction class you choose)...
check_sender_mx_access cidr:mx-ns_cidr_access
-- 
Tim Rosmus <[EMAIL PROTECTED]>
   Postmaster / USENET / DNS
Northwest Nexus Inc. / NetOS Inc.
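Added example, not from Tim's post and not Postfix code: a Python sketch of the same idea, a cidr: style access table applied to every address the sender domain's mail hosts resolve to, which is also the "is there an MX or A, and is it 127 or 192.168" check Wolfgang described for his web order form. The resolver is injected and the DNS records and table are constructed, so it runs offline; a domain with no MX is treated as its own mail host (the SMTP implicit-MX rule), so the private-address case is caught there too.

```python
"""Sender-domain MX sanity check: does mail for the domain route to a
routable address?  Added example, not from the thread; it mirrors the idea
behind Postfix's check_sender_mx_access with a cidr: table, and the web-form
check Wolfgang describes.  The resolver is injected (constructed records
below) so it runs offline; swap in a real DNS client for production."""
import ipaddress
from typing import Callable, Dict, List, Optional, Tuple

# Access table in Postfix cidr: syntax (constructed for this example):
# "<network> <action> [text]"; first matching line wins, as in Postfix.
CIDR_TABLE = """
# no public MX should ever hand us one of these
127.0.0.0/8     REJECT Loopback Address 127.0.0.0/8
10.0.0.0/8      REJECT RFC 1918 address
172.16.0.0/12   REJECT RFC 1918 address
192.168.0.0/16  REJECT RFC 1918 address
0.0.0.0/8       REJECT Unspecified address
"""

Rule = Tuple[ipaddress.IPv4Network, str, str]
Resolver = Callable[[str, str], List[str]]   # (owner name, rrtype) -> rdata strings


def parse_cidr_table(text: str) -> List[Rule]:
    """Parse the access table; blank lines and '#' comments are skipped."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        net, action, *rest = line.split(None, 2)
        rules.append((ipaddress.ip_network(net, strict=False),
                      action.upper(), rest[0] if rest else ""))
    return rules


def lookup_cidr(rules: List[Rule], ip: str) -> Optional[Tuple[str, str]]:
    """First-match lookup of one address; None if no line matches."""
    addr = ipaddress.ip_address(ip)
    for net, action, text in rules:
        if addr in net:          # v6 address against a v4 network is simply False
            return action, text
    return None


def mail_hosts(resolve: Resolver, domain: str) -> List[str]:
    """Hosts that mail for `domain` is delivered to, best preference first.
    With no MX record, SMTP falls back to the domain's own A record."""
    mx = [r.split() for r in resolve(domain, "MX")]
    if not mx:
        return [domain]
    return [host.rstrip(".") for _, host in sorted((int(p), h) for p, h in mx)]


def check_sender_domain(resolve: Resolver, domain: str,
                        rules: List[Rule]) -> Tuple[str, str]:
    """Return (action, reason): REJECT when any mail host for `domain` resolves
    into a rejected range, or when nothing resolves at all; DUNNO otherwise."""
    resolved_any = False
    for host in mail_hosts(resolve, domain):
        for ip in resolve(host, "A"):
            resolved_any = True
            hit = lookup_cidr(rules, ip)
            if hit and hit[0] == "REJECT":
                return "REJECT", f"mail host {host} for {domain} resolves to {ip}: {hit[1]}"
    if not resolved_any:
        return "REJECT", f"no MX or A record for {domain}"
    return "DUNNO", ""


# Constructed DNS data standing in for real lookups (all names are made up).
RECORDS: Dict[Tuple[str, str], List[str]] = {
    ("example.net", "MX"): ["10 mail.example.net."],
    ("mail.example.net", "A"): ["203.0.113.25"],
    ("fabulous.example", "MX"): ["10 localhost.fabulous.example."],
    ("localhost.fabulous.example", "A"): ["127.0.0.1"],
    ("nomx.example", "A"): ["192.168.1.10"],      # implicit MX, private address
}


def fake_resolver(name: str, rrtype: str) -> List[str]:
    """Offline stand-in for a DNS client: returns the constructed rdata."""
    return RECORDS.get((name, rrtype), [])


RULES = parse_cidr_table(CIDR_TABLE)

if __name__ == "__main__":
    for d in ("example.net", "fabulous.example", "nomx.example", "nxdomain.example"):
        print(d, check_sender_domain(fake_resolver, d, RULES))
```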


Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-14 Thread Guy Waugh

Ken A wrote:

> Don't accept mail for non-existent users. Your MTA should reject it.


Yeah, we should. Not quite there yet.

In spite of that, I thought it may be a good test to do anyway. Even if 
the mail is addressed to an existent user, if the MX for the sender 
domain is DNSed to the localhost address, there's no way (in my 
thinking) that it's a legitimate email, unless a clueless admin has 
accidentally DNSed the MX for their domain to be the localhost address.


A mechanism that does what I propose would probably have a pretty short 
useful life anyway, I suppose - the arms race would move forward, such 
that spammers wouldn't DNS their MXes to the localhost address when such 
a test was prevalent in the community.


-- G.



> That said, we get these too, though it's usually just an odd one now and
> then. They come in from some domain that sendmail on a gateway box can
> lookup in DNS, so it's accepted. Then there's an NDN generated for some
> reason. Perhaps the user or alias was just deleted this very minute,
> or more likely, because the mail hub can't lookup the domain in DNS
> because it's got a different cached result than the gateway (this
> happens with newly registered throwaway spam domains). So, the mail hub
> bounces it back to the gateway and it tries to send it back to the
> domain whose MX is localhost.fabulous.com. We use MailScanner, so
> there's a ~3 sec delay between when the gateway accepts the mail and
> when it's delivered to the mail hub.
>
> Ken A.
> Pacific.Net
>
> Theo Van Dinter wrote:
>
>> On Tue, Aug 15, 2006 at 08:41:27AM +1000, Guy Waugh wrote:
>>> Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287:
>>> SYSERR(root): localhost.fabulous.com. config error: mail loops back
>>> to me (MX problem?)
>>>
>>> Do people actively combat this somehow?
>>
>> I guess it depends how it got into your system in the first place.
>> If it's from some random outside machine sending you mail, why did the
>> MTA accept it in the first place?  Typically MTAs only accept mail for
>> hosts/domains they consider "local" or for which they're configured
>> to relay.  If "localhost.fabulous.com" isn't one of those two, I'd find
>> out why your MTA didn't just reject it.


Re: SPF and SORBS problems

2006-08-14 Thread Benny Pedersen
On Tue, August 15, 2006 00:45, Xepher wrote:

> Any help would be appreciated, as I'd really rather not disable SPF and
> RBL completely.

i had the same problem once :-)

see attached

for rbl check the internal_networks and trusted_networks, spf test is disabled
on internal networks, so make sure your smtp auth ip is not listed as internal
in your spamassassin, but it should still be in trusted_networks

when this is done it works, at least here :-)

-- 
Benny

# this one is from Mark
# needed in sa 3.1.3 to make spf work !!!
# mta is postfix which has default to
# Return-Path for the envelope-sender
#
envelope_sender_header Return-Path
always_trust_envelope_sender 1

Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-14 Thread Ken A

Don't accept mail for non-existent users. Your MTA should reject it.

That said, we get these too, though it's usually just an odd one now and
then. They come in from some domain that sendmail on a gateway box can
lookup in DNS, so it's accepted. Then there's an NDN generated for some
reason. Perhaps the user or alias was just deleted this very minute,
or more likely, because the mail hub can't lookup the domain in DNS
because it's got a different cached result than the gateway (this
happens with newly registered throwaway spam domains). So, the mail hub
bounces it back to the gateway and it tries to send it back to the
domain whose MX is localhost.fabulous.com. We use MailScanner, so
there's a ~3 sec delay between when the gateway accepts the mail and
when it's delivered to the mail hub.


Ken A.
Pacific.Net


Theo Van Dinter wrote:

> On Tue, Aug 15, 2006 at 08:41:27AM +1000, Guy Waugh wrote:
>> Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287:
>> SYSERR(root): localhost.fabulous.com. config error: mail loops back to
>> me (MX problem?)
>>
>> Do people actively combat this somehow?
>
> I guess it depends how it got into your system in the first place.
> If it's from some random outside machine sending you mail, why did the
> MTA accept it in the first place?  Typically MTAs only accept mail for
> hosts/domains they consider "local" or for which they're configured
> to relay.  If "localhost.fabulous.com" isn't one of those two, I'd find
> out why your MTA didn't just reject it.



Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-14 Thread Guy Waugh

Theo Van Dinter wrote:

> On Tue, Aug 15, 2006 at 08:41:27AM +1000, Guy Waugh wrote:
>> Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287:
>> SYSERR(root): localhost.fabulous.com. config error: mail loops back to
>> me (MX problem?)
>>
>> Do people actively combat this somehow?
>
> I guess it depends how it got into your system in the first place.
> If it's from some random outside machine sending you mail, why did the
> MTA accept it in the first place?  Typically MTAs only accept mail for
> hosts/domains they consider "local" or for which they're configured
> to relay.  If "localhost.fabulous.com" isn't one of those two, I'd find
> out why your MTA didn't just reject it.



The machine in question is one of our MXes. It's running some RBLs (and
clamav and SA), but a lot of spam still gets through (at least to clamav
and SA).

The above stuff appears in my logs when, for example, our MX receives
spam for an unknown local user and tries to bounce the mail back to the
sender. The sender domain's MX resolves to 127.0.0.1 (or similar), and
the above occurs. I was thinking of a test whereby something on my MTA
looks up the MX of every sender domain of every email, and if it
resolves to localhost, the email is rejected (discarded/whatever) at
that point.



Re: The arms race continues

2006-08-14 Thread Matthias Keller

decoder wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michel Vaillancourt wrote:
  

Simon Standley wrote:


Hi Gang,

I've had the latest FuzzyOcr on test for the past day or so -
very nice work. Congrats to all involved.

Thought you may be interested in the attached GIF. It was only a
matter of time before something like this came along ...

Si.


I've seen three of these this morning alone...  and FuzzyOCR isn't
trapping them.

--Michel Wolfstar Systems




gocr features a nice parameter called -d. It is able to remove smaller
particles before scanning, compare these results:
  

Very interesting...
this time my gocr is better than yours.
Mine catches the text even better WITHOUT -d option. it gets a bit worse
(though not much) with -d 2...

# gocr -i forgiving26.gif
giftopnm: Reading Image Sequence 0
Visit RX{MUNGED}GOOD.COM
(don ' t LIILk _ust type In browser)
and SAVE 5_o,_o on your Phar{MUNGED}macy!.
VIA{MUNGED}GRA from $3,33
CIA{MUNGED}LIC_ from $3,75
VAL{MUNGED}IUM mom $l,21
_ave a nii_e da)/!,


--
Using SuSE 10.1's gocr-0.40
(sorry, i had to use {MUNGED} because the list server rejected my mail 
otherwise.)


Matt




Re: DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-14 Thread Theo Van Dinter
On Tue, Aug 15, 2006 at 08:41:27AM +1000, Guy Waugh wrote:
> Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287: 
> SYSERR(root): localhost.fabulous.com. config error: mail loops back to 
> me (MX problem?)
> 
> Do people actively combat this somehow?

I guess it depends how it got into your system in the first place.
If it's from some random outside machine sending you mail, why did the
MTA accept it in the first place?  Typically MTAs only accept mail for
hosts/domains they consider "local" or for which they're configured
to relay.  If "localhost.fabulous.com" isn't one of those two, I'd find
out why your MTA didn't just reject it.

-- 
Randomly Generated Tagline:
"... as you go forth today ... or fifth, depending on your order in line ..."
  - From the movie "Toys"




DNSing MX to 127.0.0.1: Ruleset (or something) for this?

2006-08-14 Thread Guy Waugh

Howdy,

I've been noticing an increasing amount of messages like this in my 
sendmail log:


Aug 15 05:01:35 mailserver sendmail[13287]: k7EJ1YE7013287: 
SYSERR(root): localhost.fabulous.com. config error: mail loops back to 
me (MX problem?)


I couldn't back it up with statistics, but I'd swear there's an 
explosion of this kind of thing (DNSing a domain's MX to be '127.0.0.1' 
or similar) happening at the moment - noticing a lot of it in my logs, 
anyway.


Do people actively combat this somehow?

I was thinking it would be nice to have a mechanism whereby mail with an 
envelope domain whose MX was DNSed as localhost was rejected in the SMTP 
conversation (or perhaps discarded by SA during its checks).


Thanks,
Guy.


Re: Report

2006-08-14 Thread Robert Nicholson

You are failing to understand my point.

To me any message that has a .exe attachment is spam. That's just how
I work because I'm on a Mac, therefore I'd like to use
check_microsoft_executable whose job it is to bump up the score if
there's an executable attachment. The problem right now is that


1. this check is handled by the antivirus plugin. It probably
shouldn't be, as bumping the score because there's an attachment has
nothing to do with anti-virus checking.


2. the check isn't thorough enough because it doesn't consider
other content-types whereby people hide executable attachments.

...

Therefore. I don't care whether SA is an anti-virus tool or not it's  
completely irrelevant to me.


On Aug 14, 2006, at 4:41 PM, John D. Hardin wrote:

> On Mon, 14 Aug 2006 [EMAIL PROTECTED] wrote:
>
>> So in summary...
>>
>> SPAM is not always the same for everybody.
>
> Sure it is. Spam (please don't capitalize the entire word - Hormel
> gets annoyed) is Unsolicited Bulk Email.
>
>> In my case anything with .exe is SPAM because nobody will send me
>> a .exe
>
> Calling a worm "spam" does not make it spam.
>
> If I'm being too much of a pedantic purist, just let me know... :)
>
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Windows and its users got mentioned at home today, after my wife the
>  psych major brought up Seligman's theory of "learned helplessness."
> -- Dan Birchall in a.s.r
> ---




SPF and SORBS problems

2006-08-14 Thread Xepher
I've got a server configured with postfix and spamassassin. The
mailserver is the only one for the domain, and thus receives mail from
other servers, as well as letting users connect directly (with smtp
auth) to send mail. Everything works fine, EXCEPT when users send email
to each other. In those cases, the emails get tagged both by SPF_FAIL
and RCVD_IN_SORBS_DUL as those tests see the email as coming from the
user's personal IP address. I've tried

whitelist_from_spf [EMAIL PROTECTED]

in local.cf, but it doesn't work. Messages still get tagged with
SPF_FAIL. I didn't see any similar option for the RBL stuff. Is there
any way to do conditional tests, such that SMTP Auth messages get
whitelisted? I don't know if there's a way in postfix to add a header
only to auth connections? All I could find for postfix was address
rewriting stuff, nothing about conditional situations like an
authenticated user.

Any help would be appreciated, as I'd really rather not disable SPF and
RBL completely.

Thanks,
James


Re: Checking my own users mail

2006-08-14 Thread Logan Shaw

On Mon, 14 Aug 2006, Thomas Lindell wrote:

> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy.  I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if they're detected as spam.


What about enabling some sort of connection rate throttling
(keyed by IP address) in your MTA?  I believe sendmail has
such a feature.  Then, scan the log messages and alert the
on-call person (you?) if some client machine starts connecting
to send outgoing messages more than seems reasonable.  If it's
only every now and then, it might not be that bad to have to
respond to it manually.  You could check the logs to see if the
traffic is really malicious (rather than someone using e-mail
as an instant-messenger substitute), and if so, cut them off.

Of course, this only works for certain classes of customers.
If you're an ISP and your customers each have one desktop
computer, it works great.  If your customers have 100 users
and their own mail server, it doesn't work as great...

  - Logan


Re: Report

2006-08-14 Thread John D. Hardin
On Mon, 14 Aug 2006 [EMAIL PROTECTED] wrote:

> So in summary...
> 
> SPAM is not always the same for everybody.

Sure it is. Spam (please don't capitalize the entire word - Hormel
gets annoyed) is Unsolicited Bulk Email.
 
> In my case anything with .exe is SPAM because nobody will send me a .exe

Calling a worm "spam" does not make it spam.
 
If I'm being too much of a pedantic purist, just let me know... :)

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
---



Re: Report

2006-08-14 Thread John D. Hardin
On Mon, 14 Aug 2006 [EMAIL PROTECTED] wrote:

> I don't understand your point.

Spamassassin is a tool to determine the spamminess of a message, not
to check whether attachments to that message pose security risks.

> I run a Mac. I don't care for _any_ .exes period.

Fine. Your site email policy, then, is "no emails with executable
attachments will be accepted". This is the default policy of the
sanitizer. Take a look at the link.

> therefore I'm loading the antivirus plugin in order to make use of
> check_microsoft_executable rule. However that rule doesn't fire
> if the attacker is disguising the .exe with a non sensical content type
> primarily because the code currently assumes it wouldn't happen.

That's a very heavyweight solution to "I don't want any .exes at all".

> Q. Why do you keep talking about Spam Assassin not being an anti
> virus tool... I never said it was I'm simply enabling the plugin
> to get the rule to fire.

I follow the UNIX philosophy: write a small tool that does one job and
does it extremely well, and chain it with other similar tools. Adding
antivirus and other security-related processing to SA dilutes its
effectiveness and distracts the developers from making it the best
anti-bulk-unsolicited-email tool around.

I'd rather have SA be the best antispam tool available anywhere than a
swiss army knife that does many things and none of them well.

> Quoting "John D. Hardin" <[EMAIL PROTECTED]>:
> 
> > SA is not an antivirus tool, and an attached executable is not spam,
> > it is a security attack.
> > 
> > If you're not willing to run a traditional virus scanner, may I
> > suggest this as an alternative for attachment policy enforcement:
> > 
> >   http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
---



Re: dreaming of a plugin ....

2006-08-14 Thread Justin Mason

Bookworm writes:
> [EMAIL PROTECTED] wrote:
> >  that analyzes and scores email addresses:
> >
> > we have big companies that give their employees more or less random
> > strings as email addresses (but length will not be extremely long).
> > Otherwise we have email addresses that somehow are built from a person's
> > name (e.g. first.last, f.last, last17f or similar), and we have addresses
> > that are a person's nick, or otherwise relate to its hobby or profession.
> > In rare cases someone would make an email address from the name of some
> > celebrity.
> > Now something that seems to be typical for spam are display names that
> > look like a person's name along with email addresses that look like a
> > different person's name, and often seem to belong to a different language.
> > The hypothetical plugin would have to find out whether the mail addy looks
> > like a name, whether the display name looks like a name as well, and only
> > in that case determine whether the names have anything in common.
> >
> > Wolfgang Hamann
> >
> Or simply a plugin that scans for more than three numeric characters in
> the first portion of the email address.  On one of the boards I host and
> maintain, I frequently see things like [EMAIL PROTECTED]  (yes,
> plural).
> 
> I get them in spams as well.  The reason I said more than three is that
> I know that with AOL and similar, you get stuff like [EMAIL PROTECTED] -
> because of all the bobs.  Of course, you could simply tell it to ignore
> @aol/hotmail/excite - the major boards that do this.
> 
> If nothing else, it'd be a nice test to increase the probability of spam.

we used to have rules to match these -- not sure if they're 
still about -- check in 20_head_tests.cf.

--j.


Re: dreaming of a plugin ....

2006-08-14 Thread jdow

From: "Bookworm" <[EMAIL PROTECTED]>


[EMAIL PROTECTED] wrote:

 that analyzes and scores email addresses:

we have big companies that give their employees more or less random strings as email 
addresses

(but length will not be extremely long)
Otherwise we have email addresses that somehow are built from a person's name,
(e.g first.last, f.last, last17f or similar), and we have addresses that are a person's 
nick, or

otherwise relate to its hobby or profession. In rare cases someone would make 
an email
address from the name of some celebrity.
Now something that seems to be typical for spam are display names that look like a 
person's
name along with email addresses that look like a different person's name, and often 
seems

to belong to a different language.
The hypothetical plugin would have to find out whether the mail addy looks like a 
name,
whether the display name looks like a name as well, and only in that case determine 
whether

the names have anything in common

Wolfgang Hamann

Or simply a plugin that scans for more than three numeric characters in the first 
portion of the email address.  On one of the boards I host and maintain, I frequently 
see things like [EMAIL PROTECTED]  (yes, plural).


I'd believe that of Mauritius. All you need to do is scan that one for
the hotmail spelling error.

I get them in spams as well.  The reason I said more than three is that I know that with 
AOL and similar, you get stuff like [EMAIL PROTECTED] - because of all the bobs.  Of 
course, you could simply tell it to ignore @aol/hotmail/excite - the major boards that 
do this.


If it says aol and it's not from an aol server it's blacklisted if you
have done your homework, visited SARE, and so forth.

{^_^} 



Re: Checking my own users mail

2006-08-14 Thread Loren Wilton

If my mail server must address it, then I am off to check some man pages. I
really just needed a place to start.


Yes.  At a guess you may want to set up two different SA configurations, 
although you can probably do it with a single one, somehow.  You would 
somehow in your server chain route outgoing through one of the SA instances 
while incoming is going through the other one.  Then you can catch the 
outgoing stuff easy enough and do whatever you want with it.


   Loren



Re: dreaming of a plugin ....

2006-08-14 Thread Bookworm

[EMAIL PROTECTED] wrote:

 that analyzes and scores email addresses:

we have big companies that give their employees more or less random strings as 
email addresses
(but length will not be extremely long)
Otherwise we have email addresses that somehow are built from a person's name,
(e.g first.last, f.last, last17f or similar), and we have addresses that are a 
person's nick, or
otherwise relate to its hobby or profession. In rare cases someone would make 
an email
address from the name of some celebrity.
Now something that seems to be typical for spam are display names that look 
like a person's
name along with email addresses that look like a different person's name, and 
often seems
to belong to a different language.
The hypothetical plugin would have to find out whether the mail addy looks 
like a name,
whether the display name looks like a name as well, and only in that case 
determine whether
the names have anything in common

Wolfgang Hamann
  
Or simply a plugin that scans for more than three numeric characters in 
the first portion of the email address.  On one of the boards I host and 
maintain, I frequently see things like [EMAIL PROTECTED]  (yes, 
plural).


I get them in spams as well.  The reason I said more than three is that 
I know that with AOL and similar, you get stuff like [EMAIL PROTECTED] - 
because of all the bobs.  Of course, you could simply tell it to ignore 
@aol/hotmail/excite - the major boards that do this.


If nothing else, it'd be a nice test to increase the probability of spam.

BW
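The two ideas in this thread, Wolfgang's comparison of the display name against a name-like local part and Bookworm's "more than three digits before the @" test with an exemption for the big freemail providers, sketched as a small Python check over the From: header. This is an added example, not SpamAssassin code and not a plugin anyone on the list posted; the digit threshold, the exempt-domain set and the rule names are assumptions chosen for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: providers where digit-laden local parts are normal ("because of
# all the bobs"); the thread names aol/hotmail/excite as examples.
DIGIT_HEAVY_DOMAINS = {"aol.com", "hotmail.com", "excite.com"}
MAX_DIGITS = 3  # Bookworm's "more than three"


def _alpha_tokens(text):
    """Lower-case alphabetic runs, split on anything that is not a letter."""
    return [t for t in re.split(r"[^a-z]+", text.lower()) if t]


def too_many_digits(addr):
    """Bookworm's check: more than MAX_DIGITS digits in the local part,
    unless the domain is one where that is expected."""
    if "@" not in addr:
        return False
    local, domain = addr.rsplit("@", 1)
    if domain.lower() in DIGIT_HEAVY_DOMAINS:
        return False
    return sum(c.isdigit() for c in local) > MAX_DIGITS


def _local_looks_like_name(local):
    """first.last, f.last, last17f: mostly letters, at most two digits,
    one to three separated tokens (assumed definition)."""
    letters = sum(c.isalpha() for c in local)
    digits = sum(c.isdigit() for c in local)
    return letters >= 3 and digits <= 2 and 1 <= len(_alpha_tokens(local)) <= 3


def names_disagree(display_name, addr):
    """Wolfgang's check: display name and local part both look like personal
    names, yet share no token, no prefix and not even the initials."""
    if "@" not in addr:
        return False
    local = addr.rsplit("@", 1)[0].lower()
    disp = _alpha_tokens(display_name)
    if len(disp) < 2 or not _local_looks_like_name(local):
        return False  # one of the two does not look like a name: no opinion
    local_alpha = re.sub(r"[^a-z]", "", local)
    if any(len(d) >= 3 and d in local_alpha for d in disp):
        return False  # e.g. "John Smith" vs jsmith / john.smith17
    if any(len(t) >= 3 and any(t in d for d in disp) for t in _alpha_tokens(local)):
        return False  # e.g. "Robert Jones" vs rob.j
    if local_alpha == "".join(d[0] for d in disp):
        return False  # initials only, e.g. "John Smith" vs js
    return True


def score_from_header(raw_from):
    """Return the names of the (assumed) rules that fire for one From: value."""
    display_name, addr = parseaddr(raw_from)
    hits = []
    if too_many_digits(addr):
        hits.append("LOCALPART_MANY_DIGITS")
    if names_disagree(display_name, addr):
        hits.append("DISPLAYNAME_ADDR_MISMATCH")
    return hits


if __name__ == "__main__":
    # Constructed sample headers.
    for h in ('"Maria Gonzalez" <kevin.oneil@example.com>',
              '"John Smith" <jsmith@example.com>',
              '"Bob" <bob12345@example.com>',
              '"Bob" <bob12345@aol.com>'):
        print(h, "->", score_from_header(h))
```

Both checks deliberately abstain when either side does not look like a person's name, which is what keeps company-issued random strings and role addresses out of the mismatch test; the language mismatch Wolfgang mentions (name and address from different languages) is not attempted here.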



RE: Checking my own users mail

2006-08-14 Thread Thomas Lindell
I appreciate where you're going with this; I just didn't know how to approach
it.

If my mail server must address it, then I am off to check some man pages. I
really just needed a place to start.

Thanks

Tom 

-Original Message-
From: Evan Platt [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 2:36 PM
To: users@spamassassin.apache.org
Subject: RE: Checking my own users mail

At 12:36 PM 8/14/2006, you wrote:
>They are generally a clone of each other just substituting the send to 
>address.
>
>Usually they're the typical viagra or stock scam.
>
>If they were incoming my SA would catch em and mark em but as they're 
>not being processed by sa they don't even get marked.

That's a function of your mail server. You likely can configure your mail
server to check outgoing mail too.

>Worse yet is even if sa marks em they still go out only with the SA 
>header on them kindly notifying the recipient that this indeed is spam.

That is also a function of your system. With the right implementation, you
can have your mail server delete any messages marked as spam, incoming or
outgoing. However I would never recommend this. If you do, however, be
prepared for a call from a customer of "How come I've sent this e-mail 20
times to my customer yet he never received it?"

>Nifty huh

SA never advertised it would delete mail. That's up to you to do.



dreaming of a plugin ....

2006-08-14 Thread hamann . w


 that analyzes and scores email addresses:

we have big companies that give their employees more or less random strings as 
email addresses
(but length will not be extremely long)
Otherwise we have email addresses that somehow are built from a person's name,
(e.g first.last, f.last, last17f or similar), and we have addresses that are a 
person's nick, or
otherwise relate to its hobby or profession. In rare cases someone would make 
an email
address from the name of some celebrity.
Now something that seems to be typical for spam are display names that look 
like a person's
name along with email addresses that look like a different person's name, and 
often seems
to belong to a different language.
The hypothetical plugin would have to find out whether the mail addy looks 
like a name,
whether the display name looks like a name as well, and only in that case 
determine whether
the names have anything in common

Wolfgang Hamann





RE: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
> Usually they're the typical viagra or stock scam.
Text or image spam?

If text, do they include a URL that might be caught by SURBL or URIBL?

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



RE: Checking my own users mail

2006-08-14 Thread Evan Platt

At 12:36 PM 8/14/2006, you wrote:

They are generally a clone of each other just substituting the send to
address.

Usually they're the typical viagra or stock scam.

If they were incoming my SA would catch em and mark em but as they're not
being processed by sa they don't even get marked.


That's a function of your mail server. You likely can configure your 
mail server to check outgoing mail too.



Worse yet is even if sa marks em they still go out only with the SA header
on them kindly notifying the recipient that this indeed is spam.


That is also a function of your system. With the right 
implementation, you can have your mail server delete any messages 
marked as spam, incoming or outgoing. However I would never recommend 
this. If you do, however, be prepared for a call from a customer of 
"How come I've sent this e-mail 20 times to my customer yet he never 
received it?"



Nifty huh


SA never advertised it would delete mail. That's up to you to do.



Re: bayes not run on some mail

2006-08-14 Thread jdow

From: "Beast" <[EMAIL PROTECTED]>


Nigel Frankcom wrote:
  
I will turn on auto learn mostly because I need to feed more HAM to SA 
(so far I only feed ham for any false positive which is very low daily 
and I think that is not good enough for SA)
  

If it is well trained then Bayes should be hitting. It may be that
SA cannot get to the Bayes database due to privileges.

(I manually train here. I distrust automatic training.)

{^_^}



I agree with not autotraining, imo it's a damned good way to get your
bayes poisoned. With beast's error I got the impression only _some_
mails were being missed which would imply either a file lock issue or
not enough child processes?
  
I also agree with your point, however I need to feed more HAM (not spam) 
messages, which is not easy to obtain, unless we dump all users' mail to 
one mailbox.


For the bayes file locking problem, I'm not quite sure, because there is no complaint 
in the log:


Aug 13 22:11:01 blowfish spampd[9828]: clean message 
<[EMAIL PROTECTED]> (1.67/5.20) from 
<[EMAIL PROTECTED]> for <[EMAIL PROTECTED]> in 0.33s, 2587 bytes.


Yesterday, I received 5 FN mails which have not been scanned by 
bayes (low score); this is for postmaster only, I'm not sure if it's 
applicable to other addresses also.


As postmaster you can probably set up a spamtrap account with a very
easily guessed name. Perhaps pick one out of the list of 
that gets rejected as user unknown. Then watch it for a few days.

{^_^}


RE: The arms race continues

2006-08-14 Thread Simon Standley
My fault for being lazy I guess ...

The build from source did the trick.

Thanks.

-Original Message-
From: decoder [mailto:[EMAIL PROTECTED]
Sent: 14 August 2006 20:03
To: users@spamassassin.apache.org
Subject: Re: The arms race continues


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Simon Standley wrote:
> Hey - cool!
>
> ... but my gocr doesn't have that option :(
>
> Which version do you have, and where did you get it from?



I am using version 0.40-r2. This is probably the newest available.
Since I'm using gentoo I always have the newest versions ready here.
You probably need to build it from source to use this :)

Chris




>
> Thanx
>
> Si.
>
> -Original Message- From: decoder
> [mailto:[EMAIL PROTECTED] Sent: 14 August 2006 19:47 To:
> users@spamassassin.apache.org Subject: Re: The arms race continues
>
>
> Michel Vaillancourt wrote:
>>> Simon Standley wrote:
>>>> Hi Gang,
>>>>
>>>> I've had the latest FuzzyOcr on test for the past day or so -
>>>>  very nice work. Congrats to all involved.
>>>>
>>>> Thought you may be interested in the attached GIF. It was
>>>> only a matter of time before something like this came along
>>>> ...
>>>>
>>>> Si.
>>>>
>>>> <>
>>>>
>>>> .
>>> I've seen three of these this morning alone...  and FuzzyOCR
>>> isn't trapping them.
>>>
>>> --Michel Wolfstar Systems
>>>
>
> gocr features a nice parameter called -d. It is able to remove
> smaller particles before scanning, compare these results:
>
>
> Original:
>
> [EMAIL PROTECTED] ~/Uni/SysOP-Paul/spamassassin $ gocr -i
> forgiving26.gif ' ''v''ìgt _' 'CÒ'O'' '0'
> '':CO'.M.'''_.'..'_'__'_i.'''._'' _.'''.''.'.'...'.','_ ;'_ _'.
> 1don '.. t. 'cn.c'k. _. s._. t'y,_' e. m'.' bro. 'w_'er).''. _ .'_
> '.'.ì. .,. _ ._. _. ä'nìd.'SA'.. V..'E... .j.Oq.'o..
> .'.òn,'.m.. ù. ì.'m''. ._ìm. .'.'_i.._'_'' !..'. ' '.''VI'A'' i_' '
> À ììàm'' ._.$' '3' _,''3 ''3 ' '_ ' _' i_ .'  :ì.'ì ';.'. ì
> CIAL_I_' fr.om ..$3, 75 _' _. ' ' __ ..' .' ' _. '_. _.. K. ._.
> .'_.ì'UM' ' _ m..Q.m. '._.$. 1 ;2.. .'.ì ..'.._. _. ._._.' '..'...
> _..'..'.. ' .ì '.. M.. .i'a.v...e.'.g...''m.iì''e.'.
> .d..a.._.'...'!,.',.'_ ;_'.'.'.. .'._... ,'_..',i_.'_.'. '
> .','...i..'..'_.'.ì'.'..'...'_.'.''._ ''.'.._
>
>
> With -d 2:
>
> [EMAIL PROTECTED] ~/spamassassin $ gocr -d 2 -i forgiving26.gif t v:gt
> _CO00.COM ,_  1don t cnck_s_ty,_e m' brow_'er)   , _ ànd.SAVE
> 50q.o.o. n mur marm_cy!. VIAGRA fram $3' ,33  _ CIALI_ from
> $3,75 K__ì_ mQm'_$l,2l Mav,e g nIce da_'I. ,
>
>
>
> The second one surely gets detected because it contains at least
> two words recognized (viagra and cialis). In the next version I
> will put -d 2 as the default and make the parameter configurable
> via the cf file. Until that, simply put -d 2 into the gocr
> arguments.
>
> This works for this one sample, but there are plenty of other
> methods to avoid OCR.
>
> If you get more mails like that with different methods of
> obfuscation, please tell me.
>
>
>
> Chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE4MjuJQIKXnJyDxURAmRbAKDFxz1PvrRHDcQf4QKHk5iQov6GnwCeI4N9
19ZvMRO4qWoYYJtSwXliB/k=
=WMQ0
-END PGP SIGNATURE-



RE: Checking my own users mail

2006-08-14 Thread Thomas Lindell
They are generally a clone of each other just substituting the send to
address.

Usually they're the typical viagra or stock scam.

If they were incoming my SA would catch em and mark em but as they're not
being processed by sa they don't even get marked.

Worse yet is even if sa marks em they still go out only with the SA header
on them kindly notifying the recipient that this indeed is spam.

Nifty huh 

-Original Message-
From: Rob McEwen (PowerView Systems) [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 2:23 PM
To: users@spamassassin.apache.org
Subject: RE: Checking my own users mail

Tom said:
> I do however if they get a Msoutlook trojan that can use outlook to 
> forward the spam it gets right on through

What a nightmare. I've been aware of this possibility, but I didn't think it
happened that often.

Are there any particular characteristics of the outgoing spam and/or
viruses?

I'd bet that these types of trojans which use existing outlook accounts and
send mail through outlook probably tend to fall within a narrow range as far
as the actual spam or virus messages that are sent.

Do you see a pattern with these?

What I'm thinking is that if these fall within a narrow range, then that
might make it more wise to scan outbound mail.. but to do so using a limited
range of types of scanning to minimize resources... targeting just the
types of spams that are being sent by these types of trojans.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



Re: Rule for non-DK-signed mail from yahoo

2006-08-14 Thread Daryl C. W. O'Shea

On 8/14/2006 2:23 PM, Justin Mason wrote:

Mark Martinec writes:


Having received a couple of messages faking to be from yahoo,
despite FORGED_YAHOO_RCVD and few other rules firing, the final
score was not high enough. Since Yahoo! is signing their
outgoing mail with DomainKeys, I came up with:

 header   __L_FROM_YAHOO    From:addr =~ /[EMAIL PROTECTED]/i
 meta     UNVERIFIED_YAHOO  __L_FROM_YAHOO && !DK_VERIFIED
 priority UNVERIFIED_YAHOO  500
 score    UNVERIFIED_YAHOO  5.0

which seems to do its job.

I had to experiment with priority - are there any guidelines fo this?
Is this a way to go? - any obvious improvements?


Personally I'd cut the score in half.  Slow DNS could cause FPs -- I've 
seen it happen on mail from rogers.com which Y! runs.




makes sense to me, although --

(a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to
use?


I'd say yes.  DK signs the message, not the envelope.  I'm pretty sure 
the current milters look for a From: header to decide on what 
selector/etc to use.



Daryl
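The UNVERIFIED_YAHOO meta rule from this thread, restated as a standalone Python check so the two points raised here are visible in code: the test runs on the From: header address (not the envelope sender, as Daryl says, because DK signs the message), and the score is halved to 2.5 as he suggests. This is an added example, not SpamAssassin's rule engine: SA gets DK_VERIFIED from the DomainKeys plugin's own signature verification, whereas this stand-in trusts an Authentication-Results header stamped by an assumed local MTA (mx.example.net), and the domain pattern is spelled out as yahoo.com because the archive redacted the original regex. All sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# __L_FROM_YAHOO: pattern assumed, the archive redacted the original.
FROM_YAHOO = re.compile(r"@yahoo\.com$", re.I)
# Assumption: our own MTA runs a DomainKeys verifier and records the result
# in Authentication-Results; only records carrying its authserv-id count.
TRUSTED_AUTHSERV = "mx.example.net"
DK_PASS = re.compile(r"\b(?:domainkeys|dk)=pass\b", re.I)
SCORE_UNVERIFIED_YAHOO = 2.5  # half of the thread's 5.0, per Daryl's FP remark


def from_yahoo(msg):
    """__L_FROM_YAHOO: evaluated on the From: header address, not the envelope."""
    _display, addr = parseaddr(msg.get("From", ""))
    return bool(FROM_YAHOO.search(addr))


def dk_verified(msg):
    """Stand-in for DK_VERIFIED: a trusted Authentication-Results header says pass.
    A header with a foreign authserv-id (sender-inserted) is ignored."""
    for value in msg.get_all("Authentication-Results", []):
        authserv_id = value.split(";", 1)[0].strip().lower()
        if authserv_id == TRUSTED_AUTHSERV and DK_PASS.search(value):
            return True
    return False


def unverified_yahoo(msg):
    """meta UNVERIFIED_YAHOO  __L_FROM_YAHOO && !DK_VERIFIED"""
    return from_yahoo(msg) and not dk_verified(msg)


def score(raw_message):
    """Points this one rule would contribute for the given RFC 822 text."""
    msg = message_from_string(raw_message)
    return SCORE_UNVERIFIED_YAHOO if unverified_yahoo(msg) else 0.0


# Constructed samples.
FORGED = """Return-Path: <bounce@bulk-sender.example>
From: "Yahoo! Account Services" <account-services@yahoo.com>
To: user@example.net
Subject: verify your account

click here
"""
SIGNED = """Authentication-Results: mx.example.net; domainkeys=pass header.from=friend@yahoo.com
From: Friend <friend@yahoo.com>
To: user@example.net
Subject: lunch?

tomorrow?
"""
SPOOFED_AR = """Authentication-Results: bulk-sender.example; domainkeys=pass
From: "Yahoo! Account Services" <account-services@yahoo.com>
To: user@example.net
Subject: verify your account

click here
"""
OTHER = """From: someone@example.org
To: user@example.net
Subject: hi

hi
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED), ("signed", SIGNED),
                      ("spoofed A-R", SPOOFED_AR), ("other", OTHER)):
        print(f"{name:12s} -> {score(raw)}")
```

The SPOOFED_AR sample is the reason a stand-in like this must check the authserv-id: anyone can add an Authentication-Results header, so only the one added by the trusted inbound MTA may be believed, and a real deployment would strip pre-existing copies at the border.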


RE: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
Tom said:
> I do however if they get a Msoutlook trojan that can use outlook to forward
> the spam it gets right on through 

What a nightmare. I've been aware of this possibility, but I didn't think it 
happened that often.

Are there any particular characteristics of the outgoing spam and/or viruses?

I'd bet that these types of trojans which use existing outlook accounts and 
send mail through outlook probably tend to fall within a narrow range as far as 
the actual spam or virus messages that are sent.

Do you see a pattern with these?

What I'm thinking is that if these fall within a narrow range, then that might 
make it more wise to scan outbound mail.. but to do so using a limited range of 
types of scanning to minimize resources... targeting just the types of spams 
that are being sent by these types of trojans.

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]
(478) 475-9032



Re: Report

2006-08-14 Thread Theo Van Dinter
On Mon, Aug 14, 2006 at 01:59:59PM -0500, [EMAIL PROTECTED] wrote:
> therefore I'm loading the antivirus plugin in order to make use of
> check_microsoft_executable rule. However that rule doesn't fire
> if the attacker is disguising the .exe with a nonsensical content type
> primarily because the code currently assumes it wouldn't happen.

Yes, that does get skipped by MICROSOFT_EXECUTABLE, which looks for only
an application or text part as documented in the plugin.  Feel free to
open a bugzilla ticket and include a sample message (attached to the
ticket, not cut/paste), though I'm not sure what our plans are for the
AntiVirus plugin (split off as extra, etc?) so the ticket may or may
not get addressed in the near future.

-- 
Randomly Generated Tagline:
"I don't like rap because I'm stuffy and british."   - James Burke




RE: Checking my own users mail

2006-08-14 Thread Thomas Lindell
I do have amavis running; the problem is identifying the message. Ideally I
guess I would like it to pop up an error in outlook like it does when they
try to send a file attachment that's too large.

I suppose I could implement some sort of rate limiting but that's just
irritating. I am trying to stay out of their way as much as possible and yet
still protect the internet from spam generated by the odd customer.
Tom

-Original Message-
From: Evan Platt [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 2:00 PM
To: users@spamassassin.apache.org
Subject: Re: Checking my own users mail

At 12:00 PM 8/14/2006, you wrote:
>Every now and again one of my bonehead customers gets a trojan that 
>starts shooting out spam messages like crazy.  I usually catch it within 
>a few hours but I am wondering if there's a way for me to scan messages 
>my customers send and drop them or bounce them back if they're detected as
spam.

There probably is. Not with spamassassin though. SpamAssassin cannot drop or
reject mail. But depending on how you call SpamAssassin, i.e. procmail, you
may be able to do something.

But keep in mind, a trojan sending out 1000 messages an hour may not
classify as SPAM. A better option may be something on your mail server, or an
anti-virus program on your mail server. 



Re: Checking my own users mail

2006-08-14 Thread Michele Neylon:: Blacknight.ie
Thomas Lindell wrote:
> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy.  I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if they're detected as spam.
> 
> 
> Thanks
> 
> Tom
Short answer ..

If they are using your SMTP - yes

If they aren't ..


-- 
Mr Michele Neylon
Blacknight Solutions
Quality Business Hosting & Colocation
http://www.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 59  9164239


RE: Checking my own users mail

2006-08-14 Thread Thomas Lindell
I do however if they get a Msoutlook trojan that can use outlook to forward
the spam it gets right on through 

-Original Message-
From: Rob McEwen (PowerView Systems) [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 14, 2006 1:59 PM
To: Thomas Lindell; users@spamassassin.apache.org
Subject: Re: Checking my own users mail

Tom Lindell asked:
> Every now and again one of my bonehead customers gets a trojan that 
> starts shooting out spam messages like crazy.  I usually catch it within 
> a few hours but I am wondering if there's a way for me to scan 
> messages my customers send and drop them or bounce them back if they're
detected as spam.

Tom,

Don't you require password authentication as a prerequisite for users being
allowed to relay messages through your server? (and I'm always wondering if
this is enough protection from trojans?)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



Re: The arms race continues

2006-08-14 Thread John Rudd


On Aug 14, 2006, at 12:01 PM, decoder wrote:


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Theo Van Dinter wrote:

On Mon, Aug 14, 2006 at 08:46:51PM +0200, decoder wrote:

gocr features a nice parameter called -d. It is able to remove
smaller particles before scanning, compare these results:


So my problem with the OCR idea is that it inevitably gets to the
point where we'd need to programmatically solve the same graphics as
used in CAPTCHAs, and then I don't think we're really focused on
addressing the core issue any longer.

It's mostly the same way in non-graphic spams -- catching the text
may or may not be difficult with all the obfuscation and such that
goes on. However, catching the fact that there's obfuscation is a
good indication of spam.

Just a thought.


You are absolutely right, this COULD get to a point where it gets
really pointless to scan for text in an image. But for an image it is
even harder to detect an obfuscation, than with text.

For text, I had the idea earlier to utilize a method to detect
obfuscations with approximate matching and then scoring the
obfuscation itself and not the content. But this can lead easily to
false positives, so one must pay attention to what he puts on the
wordlist.

For images, this is even harder, how would one try to recognize an
attempt to mislead OCR?



Exactly: how do you know if the OCR software didn't find text because 
it wasn't there, or because it was sufficiently obfuscated?



I don't mind an arms race for this area of spam fighting.  It's a race 
the spammers will lose, because at some point the image will become so 
unclear as to be like a captcha system, at which point: who will be 
bothering to try to read the image?  In essence, when it comes to this 
little part of the spam arms race, we are the Plains Indians and they 
are the buffalo.  All we have to do is keep herding them toward the 
cliff of "images so obfuscated as to be unreadable by humans".


Their only way out of this particular race is to just stop.  It's a 
lose-lose proposition for them.




Re: Report

2006-08-14 Thread robert
So in summary...

SPAM is not always the same for everybody.

In my case anything with .exe is SPAM because nobody will send me a .exe

So I want the ability to make use of SA's configurability to learn what is SPAM
for me. 

I don't call that a virus checker.


This message was sent using IMP, the Internet Messaging Program.



Re: Report

2006-08-14 Thread robert
I really don't understand why you bring this up.

I do not want SA to check the .exe. I just want the rule to fire
so that it goes over my SPAM threshold when an .exe is attached.
Right now the rule does not fire unless the attachment has a correspondingly
correct content-type. In my case it does not because the spammer has disguised
it. I will never run an .exe on my mac so I just want the mail to be treated as
SPAM when it has a .exe attachment not only when it has an .exe attachment with
the correct content type.

Quoting "John D. Hardin" <[EMAIL PROTECTED]>:

> On Mon, 14 Aug 2006, Robert Nicholson wrote:
> 
> > Any plans to change this? It's obviously an area where the spammer
> > has found a way to work around the rule.
> 
> SA is not an antivirus tool, and an attached executable is not spam,
> it is a security attack.
> 
> If you're not willing to run a traditional virus scanner, may I
> suggest this as an alternative for attachment policy enforcement:
> 
>   http://www.impsec.org/email-tools/procmail-security.html
> 
> --
>  John Hardin KA7OHZ   ICQ#15735746   http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174   pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Windows and its users got mentioned at home today, after my wife the
>  psych major brought up Seligman's theory of "learned helplessness."
>   -- Dan Birchall in a.s.r
> ---
> 
> 





This message was sent using IMP, the Internet Messaging Program.



Re: The arms race continues

2006-08-14 Thread decoder
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Simon Standley wrote:
> Hey - cool!
>
> ... but my gocr doesn't have that option :(
>
> Which version do you have, and where did you get it from?



I am using version 0.40-r2. This is probably the newest available.
Since I'm using gentoo I always have the newest versions ready here.
You probably need to build it from source to use this :)

Chris




>
> Thanx
>
> Si.
>
> -Original Message- From: decoder
> [mailto:[EMAIL PROTECTED] Sent: 14 August 2006 19:47 To:
> users@spamassassin.apache.org Subject: Re: The arms race continues
>
>
> Michel Vaillancourt wrote:
>>> Simon Standley wrote:
>>>> Hi Gang,
>>>>
>>>> I've had the latest FuzzyOcr on test for the past day or so -
>>>>  very nice work. Congrats to all involved.
>>>>
>>>> Thought you may be interested in the attached GIF. It was
>>>> only a matter of time before something like this came along
>>>> ...
>>>>
>>>> Si.
>>>>
>>>> <>
>>>>
>>>> .
>>> I've seen three of these this morning alone...  and FuzzyOCR
>>> isn't trapping them.
>>>
>>> --Michel Wolfstar Systems
>>>
>
> gocr features a nice parameter called -d. It is able to remove
> smaller particles before scanning, compare these results:
>
>
> Original:
>
> [EMAIL PROTECTED] ~/Uni/SysOP-Paul/spamassassin $ gocr -i
> forgiving26.gif ' ''v''ìgt _' 'CÒ'O'' '0'
> '':CO'.M.'''_.'..'_'__'_i.'''._'' _.'''.''.'.'...'.','_ ;'_ _'.
> 1don '.. t. 'cn.c'k. _. s._. t'y,_' e. m'.' bro. 'w_'er).''. _ .'_
> '.'.ì. .,. _ ._. _. ä'nìd.'SA'.. V..'E... .j.Oq.'o..
> .'.òn,'.m.. ù. ì.'m''. ._ìm. .'.'_i.._'_'' !..'. ' '.''VI'A'' i_' '
> À ììàm'' ._.$' '3' _,''3 ''3 ' '_ ' _' i_ .'  :ì.'ì ';.'. ì
> CIAL_I_' fr.om ..$3, 75 _' _. ' ' __ ..' .' ' _. '_. _.. K. ._.
> .'_.ì'UM' ' _ m..Q.m. '._.$. 1 ;2.. .'.ì ..'.._. _. ._._.' '..'...
> _..'..'.. ' .ì '.. M.. .i'a.v...e.'.g...''m.iì''e.'.
> .d..a.._.'...'!,.',.'_ ;_'.'.'.. .'._... ,'_..',i_.'_.'. '
> .','...i..'..'_.'.ì'.'..'...'_.'.''._ ''.'.._
>
>
> With -d 2:
>
> [EMAIL PROTECTED] ~/spamassassin $ gocr -d 2 -i forgiving26.gif t v:gt
> _CO00.COM ,_  1don t cnck_s_ty,_e m' brow_'er)   , _ ànd.SAVE
> 50q.o.o. n mur marm_cy!. VIAGRA fram $3' ,33  _ CIALI_ from
> $3,75 K__ì_ mQm'_$l,2l Mav,e g nIce da_'I. ,
>
>
>
> The second one surely gets detected because it contains at least
> two words recognized (viagra and cialis). In the next version I
> will put -d 2 as the default and make the parameter configurable
> via the cf file. Until that, simply put -d 2 into the gocr
> arguments.
>
> This works for this one sample, but there are plenty of other
> methods to avoid OCR.
>
> If you get more mails like that with different methods of
> obfuscation, please tell me.
>
>
>
> Chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE4MjuJQIKXnJyDxURAmRbAKDFxz1PvrRHDcQf4QKHk5iQov6GnwCeI4N9
19ZvMRO4qWoYYJtSwXliB/k=
=WMQ0
-END PGP SIGNATURE-



Re: The arms race continues

2006-08-14 Thread decoder
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Theo Van Dinter wrote:
> On Mon, Aug 14, 2006 at 08:46:51PM +0200, decoder wrote:
>> gocr features a nice parameter called -d. It is able to remove
>> smaller particles before scanning, compare these results:
>
> So my problem with the OCR idea is that it inevitably gets to the
> point where we'd need to programmatically solve the same graphics as
> used in CAPTCHAs, and then I don't think we're really focused on
> addressing the core issue any longer.
>
> It's mostly the same way in non-graphic spams -- catching the text
> may or may not be difficult with all the obfuscation and such that
> goes on. However, catching the fact that there's obfuscation is a
> good indication of spam.
>
> Just a thought.
>
You are absolutely right, this COULD get to a point where it gets
really pointless to scan for text in an image. But for an image it is
even harder to detect an obfuscation, than with text.

For text, I had the idea earlier to utilize a method to detect
obfuscations with approximate matching and then scoring the
obfuscation itself and not the content. But this can lead easily to
false positives, so one must pay attention to what he puts on the
wordlist.

For images, this is even harder, how would one try to recognize an
attempt to mislead OCR?


Chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFE4Mh0JQIKXnJyDxURAgHTAJ9gL6EoSaWpcFjBWJVwg6zk+MJoIgCgomov
HWbHnKbbJovLuXwRtOhf2kc=
=vez+
-END PGP SIGNATURE-



Re: Report

2006-08-14 Thread robert
I don't understand your point.

I run a Mac. I don't care for _any_ .exes period.

therefore I'm loading the antivirus plugin in order to make use of
check_microsoft_executable rule. However that rule doesn't fire
if the attacker is disguising the .exe with a nonsensical content type
primarily because the code currently assumes it wouldn't happen.

Q. Why do you keep talking about Spam Assassin not being an anti virus
tool... I never said it was; I'm simply enabling the plugin to get the rule
to fire.

Quoting "John D. Hardin" <[EMAIL PROTECTED]>:

> On Mon, 14 Aug 2006, Robert Nicholson wrote:
> 
> > Any plans to change this? It's obviously an area where the spammer
> > has found a way to work around the rule.
> 
> SA is not an antivirus tool, and an attached executable is not spam,
> it is a security attack.
> 
> If you're not willing to run a traditional virus scanner, may I
> suggest this as an alternative for attachment policy enforcement:
> 
>   http://www.impsec.org/email-tools/procmail-security.html
> 
> --
>  John Hardin KA7OHZ   ICQ#15735746   http://www.impsec.org/~jhardin/
>  [EMAIL PROTECTED]    FALaholic #11174   pgpk -a [EMAIL PROTECTED]
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> ---
>  Windows and its users got mentioned at home today, after my wife the
>  psych major brought up Seligman's theory of "learned helplessness."
>   -- Dan Birchall in a.s.r
> ---
> 
> 





This message was sent using IMP, the Internet Messaging Program.
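The gap robert describes in the "Re: Report" thread (and Theo confirms in his reply earlier on this page: MICROSOFT_EXECUTABLE only looks at application/* and text/* parts, so an .exe under a made-up Content-Type is skipped) is a general lesson: a declared MIME type is attacker-controlled. The added example below is not the AntiVirus plugin's code; it walks every leaf part of a message and decides from the attachment filename and from the decoded bytes (the "MZ" header of a Windows executable), ignoring the declared type entirely. The extension list and the sample message are constructed for the example.

```python
import base64
import re
from email import message_from_bytes

# Assumed extension list; a real policy would be site-specific.
EXEC_EXTENSIONS = re.compile(r"\.(exe|scr|pif|com|bat|cmd)$", re.I)


def disguised_executables(raw):
    """Return (filename, declared content type, reasons) for every leaf part
    that carries a Windows executable, whatever Content-Type it claims."""
    msg = message_from_bytes(raw)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename() or ""          # Content-Disposition or name=
        payload = part.get_payload(decode=True) or b""  # base64/QP decoded
        reasons = []
        if EXEC_EXTENSIONS.search(filename):
            reasons.append("executable filename")
        if payload[:2] == b"MZ":                      # DOS/PE executable magic
            reasons.append("MZ header")
        if reasons:
            hits.append((filename, part.get_content_type(), reasons))
    return hits


def has_executable_attachment(raw):
    return bool(disguised_executables(raw))


# Constructed sample: the executable is labelled image/gif, like robert's case;
# a genuine GIF sits beside it so the check can be seen not firing on it.
_FAKE_EXE = base64.b64encode(b"MZ\x90\x00" + b"\x00" * 60).decode()
_FAKE_GIF = base64.b64encode(b"GIF89a" + b"\x00" * 20).decode()
SAMPLE = (
    "From: sender@example.org\r\n"
    "To: postmaster@example.net\r\n"
    "Subject: your report\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n\r\nsee attached\r\n"
    "--b1\r\n"
    'Content-Type: image/gif; name="invoice.exe"\r\n'
    'Content-Disposition: attachment; filename="invoice.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + _FAKE_EXE + "\r\n"
    "--b1\r\n"
    'Content-Type: image/gif; name="logo.gif"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n"
    + _FAKE_GIF + "\r\n"
    "--b1--\r\n"
).encode()

if __name__ == "__main__":
    for filename, ctype, reasons in disguised_executables(SAMPLE):
        print(f"{filename!r} declared as {ctype}: {', '.join(reasons)}")
```

Checking the decoded bytes is what makes the test robust: renaming the file defeats the extension check, and relabelling the part defeats a content-type check, but the loader still needs the MZ header.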



Re: Checking my own users mail

2006-08-14 Thread Evan Platt

At 12:00 PM 8/14/2006, you wrote:

Every now and again one of my bonehead customers gets a trojan that starts
shooting out spam messages like crazy.  I usually catch it within a few hours
but I am wondering if there's a way for me to scan messages my customers
send and drop them or bounce them back if they're detected as spam.


There probably is. Not with spamassassin though. SpamAssassin cannot 
drop or reject mail. But depending on how you call SpamAssassin, i.e. 
procmail, you may be able to do something.


But keep in mind, a trojan sending out 1000 messages an hour may not 
classify as SPAM. A better option may be something on your mail 
server, or an anti-virus program on your mail server. 



Re: Checking my own users mail

2006-08-14 Thread Rob McEwen (PowerView Systems)
Tom Lindell asked:
> Every now and again one of my bonehead customers gets a trojan that starts
> shooting out spam messages like crazy.  I usually catch it within a few hours
> but I am wondering if there's a way for me to scan messages my customers
> send and drop them or bounce them back if they're detected as spam.

Tom,

Don't you require password authentication as a prerequisite for users being 
allowed to relay messages through your server? (and I'm always wondering if this 
is enough protection from trojans?)

Rob McEwen
PowerView Systems
[EMAIL PROTECTED]



RE: The arms race continues

2006-08-14 Thread Simon Standley
Hey - cool!

... but my gocr doesn't have that option :(

Which version do you have, and where did you get it from?

Thanx

Si.

-Original Message-
From: decoder [mailto:[EMAIL PROTECTED]
Sent: 14 August 2006 19:47
To: users@spamassassin.apache.org
Subject: Re: The arms race continues


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Michel Vaillancourt wrote:
> Simon Standley wrote:
>> Hi Gang,
>>
>> I've had the latest FuzzyOcr on test for the past day or so -
>> very nice work. Congrats to all involved.
>>
>> Thought you may be interested in the attached GIF. It was only a
>> matter of time before something like this came along ...
>>
>> Si.
>>
>> <>
>>
>> .
> I've seen three of these this morning alone...  and FuzzyOCR isn't
> trapping them.
>
> --Michel Wolfstar Systems
>

gocr features a nice parameter called -d. It is able to remove smaller
particles before scanning, compare these results:


Original:

[EMAIL PROTECTED] ~/Uni/SysOP-Paul/spamassassin $ gocr -i forgiving26.gif
' ''v''ìgt _' 'CÒ'O'' '0' '':CO'.M.'''_.'..'_'__'_i.'''._''
_.'''.''.'.'...'.','_
;'_ _'. 1don '.. t. 'cn.c'k. _. s._. t'y,_' e. m'.' bro. 'w_'er).''. _
.'_ '.'.ì. .,. _ ._.
_. ä'nìd.'SA'.. V..'E... .j.Oq.'o.. .'.òn,'.m.. ù. ì.'m''. ._ìm.
.'.'_i.._'_'' !..'. '
'.''VI'A'' i_' ' À ììàm'' ._.$' '3' _,''3 ''3 ' '_ ' _' i_ .'  :ì.'ì ';.'.
ì CIAL_I_' fr.om ..$3, 75 _' _. ' ' __ ..' .' ' _. '_.
_.. K. ._. .'_.ì'UM' ' _ m..Q.m. '._.$. 1 ;2.. .'.ì ..'.._. _. ._._.'
'..'... _..'..'.. ' .ì '..
M.. .i'a.v...e.'.g...''m.iì''e.'. .d..a.._.'...'!,.',.'_ ;_'.'.'..
.'._... ,'_..',i_.'_.'. ' .','...i..'..'_.'.ì'.'..'...'_.'.''._
''.'.._


With -d 2:

[EMAIL PROTECTED] ~/spamassassin $ gocr -d 2 -i forgiving26.gif
t
v:gt _CO00.COM
,_  1don t cnck_s_ty,_e m' brow_'er)   , _
ànd.SAVE 50q.o.o. n mur marm_cy!.
VIAGRA fram $3' ,33  _
CIALI_ from $3,75
K__ì_ mQm'_$l,2l
Mav,e g nIce da_'I. ,



The second one surely gets detected because it contains at least two
words recognized (viagra and cialis). In the next version I will put
-d 2 as the default and make the parameter configurable via the cf
file. Until then, simply put -d 2 into the gocr arguments.

This works for this one sample, but there are plenty of other methods
to avoid OCR.

If you get more mails like that with different methods of obfuscation,
please tell me.



Chris



Checking my own users mail

2006-08-14 Thread Thomas Lindell
Every now and again one of my bonehead customers gets a trojan that starts
shooting out spam messages like crazy.  I usually catch it within a few hours
but I am wondering if there's a way for me to scan messages my customers
send and drop them or bounce them back if they're detected as spam.


Thanks

Tom



Re: The arms race continues

2006-08-14 Thread Theo Van Dinter
On Mon, Aug 14, 2006 at 08:46:51PM +0200, decoder wrote:
> gocr features a nice parameter called -d. It is able to remove smaller
> particles before scanning, compare these results:

So my problem with the OCR idea is that it inevitably gets to the point
where we'd need to programmatically solve the same graphics as used in
CAPTCHAs, and then I don't think we're really focused on addressing the
core issue any longer.

It's mostly the same way in non-graphic spams -- catching the text may
or may not be difficult with all the obfuscation and such that goes on.
However, catching the fact that there's obfuscation is a good indication
of spam.

Just a thought.

-- 
Randomly Generated Tagline:
Capital Punishment means never having to say "YOU AGAIN?"




Re: The arms race continues

2006-08-14 Thread decoder

Michel Vaillancourt wrote:
> Simon Standley wrote:
>> Hi Gang,
>>
>> I've had the latest FuzzyOcr on test for the past day or so -
>> very nice work. Congrats to all involved.
>>
>> Thought you may be interested in the attached GIF. It was only a
>> matter of time before something like this came along ...
>>
>> Si.
>>
>> <>
>>
>> .
> I've seen three of these this morning alone...  and FuzzyOCR isn't
> trapping them.
>
> --Michel Wolfstar Systems
>

gocr features a nice parameter called -d. It is able to remove smaller
particles before scanning, compare these results:


Original:

[EMAIL PROTECTED] ~/Uni/SysOP-Paul/spamassassin $ gocr -i forgiving26.gif
' ''v''ìgt _' 'CÒ'O'' '0' '':CO'.M.'''_.'..'_'__'_i.'''._''
_.'''.''.'.'...'.','_
;'_ _'. 1don '.. t. 'cn.c'k. _. s._. t'y,_' e. m'.' bro. 'w_'er).''. _
.'_ '.'.ì. .,. _ ._.
_. ä'nìd.'SA'.. V..'E... .j.Oq.'o.. .'.òn,'.m.. ù. ì.'m''. ._ìm.
.'.'_i.._'_'' !..'. '
'.''VI'A'' i_' ' À ììàm'' ._.$' '3' _,''3 ''3 ' '_ ' _' i_ .'  :ì.'ì ';.'.
ì CIAL_I_' fr.om ..$3, 75 _' _. ' ' __ ..' .' ' _. '_.
_.. K. ._. .'_.ì'UM' ' _ m..Q.m. '._.$. 1 ;2.. .'.ì ..'.._. _. ._._.'
'..'... _..'..'.. ' .ì '..
M.. .i'a.v...e.'.g...''m.iì''e.'. .d..a.._.'...'!,.',.'_ ;_'.'.'..
.'._... ,'_..',i_.'_.'. ' .','...i..'..'_.'.ì'.'..'...'_.'.''._
''.'.._


With -d 2:

[EMAIL PROTECTED] ~/spamassassin $ gocr -d 2 -i forgiving26.gif
t
v:gt _CO00.COM
,_  1don t cnck_s_ty,_e m' brow_'er)   , _
ànd.SAVE 50q.o.o. n mur marm_cy!.
VIAGRA fram $3' ,33  _
CIALI_ from $3,75
K__ì_ mQm'_$l,2l
Mav,e g nIce da_'I. ,



The second one surely gets detected because it contains at least two
words recognized (viagra and cialis). In the next version I will put
-d 2 as the default and make the parameter configurable via the cf
file. Until then, simply put -d 2 into the gocr arguments.

This works for this one sample, but there are plenty of other methods
to avoid OCR.

If you get more mails like that with different methods of obfuscation,
please tell me.



Chris



Re: Rule for non-DK-signed mail from yahoo

2006-08-14 Thread Justin Mason

Mark Martinec writes:
> Having received a couple of messages faking to be from yahoo,
> despite FORGED_YAHOO_RCVD and few other rules firing, the final
> score was not high enough. Since Yahoo! is signing their
> outgoing mail with DomainKeys, I came up with:
> 
>   header   __L_FROM_YAHOO    From:addr =~ /[EMAIL PROTECTED]/i
>   meta     UNVERIFIED_YAHOO  __L_FROM_YAHOO && !DK_VERIFIED
>   priority UNVERIFIED_YAHOO  500
>   score    UNVERIFIED_YAHOO  5.0
> 
> which seems to do its job.
> 
> I had to experiment with priority - are there any guidelines for this?
> Is this a way to go? - any obvious improvements?

makes sense to me, although --

(a) Is "From:addr" rather than "EnvelopeFrom:addr" the right header to
use?

(b) are Y! signing all mail?  I would have assumed some systems are not
yet using DK.

In 3.1.x, you have to set priority manually, unfortunately, to be higher
than both of the subrules.  in 3.2.x, it'll do that automatically for you.

--j.


Re: The arms race continues

2006-08-14 Thread decoder

Michel Vaillancourt wrote:
> Simon Standley wrote:
>> Hi Gang,
>>
>> I've had the latest FuzzyOcr on test for the past day or so - very
>> nice work. Congrats to all involved.
>>
>> Thought you may be interested in the attached GIF. It was only a
>> matter of time before something like this came along ...
>>
>> Si.
>>
>>  <>
>>
>> .
> I've seen three of these this morning alone...  and FuzzyOCR isn't
> trapping them.
>
> --Michel
> Wolfstar Systems
>

I will have a look at it and if possible, adjust FuzzyOcr to catch
those as well.

It will always be an endless fight I guess... but surrendering is no
option ;)

Chris



Re: The arms race continues

2006-08-14 Thread Michel Vaillancourt
Simon Standley wrote:
> Hi Gang,
> 
> I've had the latest FuzzyOcr on test for the past day or so - very nice work. 
> Congrats to all involved.
> 
> Thought you may be interested in the attached GIF. It was only a matter of 
> time before something like this came along ...
> 
> Si.
> 
>  <> 
> 
> .
I've seen three of these this morning alone...  and FuzzyOCR isn't 
trapping them.  

--Michel
Wolfstar Systems



The arms race continues

2006-08-14 Thread Simon Standley
Hi Gang,

I've had the latest FuzzyOcr on test for the past day or so - very nice work. 
Congrats to all involved.

Thought you may be interested in the attached GIF. It was only a matter of time 
before something like this came along ...

Si.

 <> 

.



forgiving26.gif
Description: forgiving26.gif


Rule for non-DK-signed mail from yahoo

2006-08-14 Thread Mark Martinec
Having received a couple of messages faking to be from yahoo,
despite FORGED_YAHOO_RCVD and few other rules firing, the final
score was not high enough. Since Yahoo! is signing their
outgoing mail with DomainKeys, I came up with:

  header   __L_FROM_YAHOO    From:addr =~ /[EMAIL PROTECTED]/i
  meta     UNVERIFIED_YAHOO  __L_FROM_YAHOO && !DK_VERIFIED
  priority UNVERIFIED_YAHOO  500
  score    UNVERIFIED_YAHOO  5.0

which seems to do its job.

I had to experiment with priority - are there any guidelines for this?
Is this a way to go? - any obvious improvements?

  Mark


Re: Using SA to prevent bouncing spam?

2006-08-14 Thread Sanford Whiteman
> Hi, in order to avoid bouncing spam back to the (almost certainly) faked
> sender-addresses, I thought I could use SA directly:

What's your MTA and/or SA-invoking app? Surely it is easier to have
that agent parse SA's feedback (headers, subject mod or score) in
deciding the final disposition of the msg than to try to trick the MTA
into dumping the mail.

Please elaborate on the use case in which you can't use MTA processing
rules to prevent backscatter, given that you trust SA markup
completely here, right?

--Sandy



Re: statistic amavisd + spamassassin

2006-08-14 Thread Bill Randle

> MennovB wrote:
>> Markus Edholm wrote:
>>
>>> I'm looking for some simple statistic script
>>> using amavisd and spamassassin just to see how my own and "standard"
>>> rules work
>>>
>>>
>> There are several simple scripts for amavisd/SA but it depends on what
>> info
>> you want.
>> For example in the list on http://www.ijs.si/software/amavisd/ the
>> second
>> amavislogsumm works.
>> I use pflogsumm (http://jimsun.linxnet.com/postfix_contrib.html).
>> This one works fine too:
>> http://www.flakshack.com/anti-spam/nosack-spamreport.pl.

I'm using amavis-stats from the same list and it also works fine.
Previously, I used 'graphdefang' with a set of custom event files for
amavisd-new. It also worked quite nicely.

-Bill
-- 



Re: Not doing checks

2006-08-14 Thread Scott Ryan
Found the problem:
skip_rbl_checks 
was set to 1.

Set it to 0 and it's now catching spammers... ;)

Thanks

On Monday 14 August 2006 18:00, Scott Ryan wrote with regard to - Re: Not 
doing checks :
> On Monday 14 August 2006 17:55, Theo Van Dinter wrote with regard to - Re:
> Not
>
> doing checks :
> > > On Mon, Aug 14, 2006 at 05:41:40PM +0200, Scott Ryan wrote:
> > > > [11431] dbg: check: tests=AWL,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_WHOIS_INVALID
> > > > [29351] dbg: check: tests=DATE_IN_FUTURE_03_06
> > > >
> > > > Why is it not doing as many checks as the FC5 machine? How can I
> > > > change this?
> >
> > it appears as if the difference is AWL (not surprisingly different), and
> > a bunch of network tests.  are you running the fc5 machine w/ -L (and do
> > you have Net::DNS installed, etc.)
>
> The RHEL4 machine has following spamd args:
>
> -m 20 -D -u spamd -q -x
>
> And the FC5 :
>
> -d -c -m5 -H

-- 
Regards,

Scott Ryan
Telkom Internet
-
Good judgement comes with experience. 
Unfortunately, the experience
usually comes from bad judgement.
-


Re: Not doing checks

2006-08-14 Thread Scott Ryan
On Monday 14 August 2006 17:55, Theo Van Dinter wrote with regard to - Re: Not 
doing checks :
> On Mon, Aug 14, 2006 at 05:41:40PM +0200, Scott Ryan wrote:
> > [11431] dbg: check: tests=AWL,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_WHOIS_INVALID
> > [29351] dbg: check: tests=DATE_IN_FUTURE_03_06
> >
> > Why is it not doing as many checks as the FC5 machine? How can I change
> > this?
>
> it appears as if the difference is AWL (not surprisingly different), and a
> bunch of network tests.  are you running the fc5 machine w/ -L (and do you
> have Net::DNS installed, etc.)

The RHEL4 machine has following spamd args: 

-m 20 -D -u spamd -q -x

And the FC5 :

-d -c -m5 -H

-- 
Regards,

Scott Ryan
Telkom Internet
-
Good judgement comes with experience. 
Unfortunately, the experience
usually comes from bad judgement.
-


Re: Not doing checks

2006-08-14 Thread Theo Van Dinter
On Mon, Aug 14, 2006 at 05:41:40PM +0200, Scott Ryan wrote:
> [11431] dbg: check: 
> tests=AWL,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_WHOIS_INVALID
> [29351] dbg: check: tests=DATE_IN_FUTURE_03_06
> 
> Why is it not doing as many checks as the FC5 machine? How can I change this?

it appears as if the difference is AWL (not surprisingly different), and a
bunch of network tests.  are you running the fc5 machine w/ -L (and do you
have Net::DNS installed, etc.)

-- 
Randomly Generated Tagline:
"... so people can't look up your skirt I guess...  Not that I wear
 one..." - Prof. Brown about "Modesty Skirts".




Not doing checks

2006-08-14 Thread Scott Ryan
I have SA3.1 installed on my fedora machine and 3.1 (built from fedora SRPM) 
on a RedHat Enterprise Linux 4 box . The fedora machine identifies a message 
as spam, but the redhat one lets it through. The only difference in the 
configs is basically, the redhat machine use MySQL for prefs where the fedora 
one does not.

Here are the checks that run on the FC5 machine:

[11431] dbg: check: 
tests=AWL,DATE_IN_FUTURE_03_06,DNS_FROM_RFC_POST,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,RCVD_IN_WHOIS_INVALID
[11431] dbg: check: 
subtests=__CD,__CT,__CTE,__CT_TEXT_PLAIN,__ENV_AND_HDR_FROM_MATCH,__FRAUD_DBI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__MIME_QP,__MIME_VERSION,__MSGID_OK_HOST,__NONEMPTY_BODY,__RCVD_IN_NJABL,__RCVD_IN_SORBS,__RCVD_IN_WHOIS,__RFC_IGNORANT_ENVFROM,__SANE_MSGID,__TOCC_EXISTS
From [EMAIL PROTECTED] Mon Aug 14 21:47:15 2006
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.1.3 (2006-06-01) on
beowulf
X-Spam-Level: 
X-Spam-Status: Yes, score=8.3 required=5.0 tests=AWL,DATE_IN_FUTURE_03_06,
DNS_FROM_RFC_POST,RCVD_IN_NJABL_DUL,RCVD_IN_SORBS_DUL,
RCVD_IN_WHOIS_INVALID autolearn=no version=3.1.3


And here is the same message run on SA on the redhat machine:

[29351] dbg: check: is spam? score=2.007 required=3
[29351] dbg: check: tests=DATE_IN_FUTURE_03_06
[29351] dbg: check: 
subtests=__CD,__CT,__CTE,__CT_TEXT_PLAIN,__ENV_AND_HDR_FROM_MATCH,__FRAUD_DBI,__HAS_MSGID,__HAS_RCVD,__HAS_SUBJECT,__MIME_QP,__MIME_VERSION,__MSGID_OK_HOST,__NONEMPTY_BODY,__SANE_MSGID,__TOCC_EXISTS
From [EMAIL PROTECTED] Mon Aug 14 21:47:15 2006
X-Spam-Checker-Version: SpamAssassin 3.1.0 (2005-09-13) on puck.telkomsa.net
X-Spam-Level: **
X-Spam-Status: No, score=2.0 required=3.0 tests=DATE_IN_FUTURE_03_06
autolearn=no version=3.1.0dd_header all Level **

Why is it not doing as many checks as the FC5 machine? How can I change this?


-- 
Regards,

Scott Ryan
Telkom Internet
-
Good judgement comes with experience. 
Unfortunately, the experience
usually comes from bad judgement.
-


Re: statistic amavisd + spamassassin

2006-08-14 Thread Markus Edholm

MennovB wrote:
> Markus Edholm wrote:
>> I'm looking for some simple statistic script
>> using amavisd and spamassassin just to see how my own and "standard"
>> rules work
>
> There are several simple scripts for amavisd/SA but it depends on what info
> you want.
> For example in the list on http://www.ijs.si/software/amavisd/ the second
> amavislogsumm works.
> I use pflogsumm (http://jimsun.linxnet.com/postfix_contrib.html).
> This one works fine too:
> http://www.flakshack.com/anti-spam/nosack-spamreport.pl.
>
> Regards
> Menno van Bennekom

Tnx, I'll check them out.
/markus


RE: Penalizing for SPF being too broad

2006-08-14 Thread Michael Scheidell
 

> -Original Message-
> From: Burton Windle [mailto:[EMAIL PROTECTED] 
> Sent: Monday, August 14, 2006 9:27 AM
> To: users@spamassassin.apache.org
> Subject: Penalizing for SPF being too broad
> 
> Now that even spammers are using SPF, is there a way to 
> penalize those with SPF records that are too broad?
> 
> [EMAIL PROTECTED]:~$ host -t txt topsyvwkh.net
> topsyvwkh.net descriptive text "v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2
> ip4:145.0.0.0/2 ip4:245.0.0.0/2 -all"

If you are using postfix with SPF as well, you can let postfix record
the SPF records as header info, and write an SA rule to look for idiocy
like the above.

(Not sure if postfix looks at 51.0.0.0/2 and decides it's not a valid
CIDR block or not; maybe the SA SPF plugin should also look at valid
CIDR blocks and invalid CIDR blocks, something like invalid received IPs.)



Re: Report

2006-08-14 Thread John D. Hardin
On Mon, 14 Aug 2006, Robert Nicholson wrote:

> Any plans to change this? It's obviously an area where the spammer
> has found a way to work around the rule.

SA is not an antivirus tool, and an attached executable is not spam,
it is a security attack.

If you're not willing to run a traditional virus scanner, may I
suggest this as an alternative for attachment policy enforcement:

  http://www.impsec.org/email-tools/procmail-security.html

--
 John Hardin KA7OHZICQ#15735746http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 Windows and its users got mentioned at home today, after my wife the
 psych major brought up Seligman's theory of "learned helplessness."
-- Dan Birchall in a.s.r
---



Re: users Digest 14 Aug 2006 13:38:56 -0000 Issue 1597

2006-08-14 Thread Gino Cerullo
On 14-Aug-06, at 9:38 AM, [EMAIL PROTECTED] wrote:

> Now that even spammers are using SPF, is there a way to penalize those
> with SPF records that are too broad?
>
> [EMAIL PROTECTED]:~$ host -t txt topsyvwkh.net
> topsyvwkh.net descriptive text "v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2
> ip4:145.0.0.0/2 ip4:245.0.0.0/2 -all"
>
> I doubt any legit sender would SPF-authorize the entire Internet.

Is this hypothetical? topsyvwkh.net does not list a TXT record, it has no
records at all that I can find.

--
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON  M3M 1W6
T: 416-247-7740
F: 416-247-7503

RE: users@spamassassin.apache.org

2006-08-14 Thread Bowie Bailey
David Baron wrote:
> On Sunday 13 August 2006 18:44, Theo Van Dinter wrote:
> > On Sun, Aug 13, 2006 at 09:08:50AM -0400, Michael Di Martino wrote:
> > > So how does razor differ over SA's ruleset?
> > 
> > Razor compares MIME part hashes and URI domain hashes to a central
> > database where people have reported that "this is spam".
> > 
> > SA's ruleset looks for spammy components of messages, including
> > calling Razor and a bunch of other network-based services which
> > help determine ham vs spam.
> 
> So one does not need to actually use Razor explicitly?

The rules and plugin for Razor are built into SA, but the program is
not.  If you want to use Razor, you need to download, install, and
configure it.  Once that is done, you enable the Razor plugin in SA
and it will start using it.

-- 
Bowie


Re: Penalizing for SPF being too broad

2006-08-14 Thread Daryl C. W. O'Shea

On 8/14/2006 9:27 AM, Burton Windle wrote:
> Now that even spammers are using SPF, is there a way to penalize those
> with SPF records that are too broad?
>
> [EMAIL PROTECTED]:~$ host -t txt topsyvwkh.net
> topsyvwkh.net descriptive text "v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2
> ip4:145.0.0.0/2 ip4:245.0.0.0/2 -all"
>
> I doubt any legit sender would SPF-authorize the entire Internet.


Like hotmail.com with about a million IPs (1014528)?  :)


I wrote a script a couple years ago to calculate the IPs used by a 
domain's SPF record.  I had meant to but never got around to writing a 
plugin for it.  Actually, I never completely finished the script 
either... the odd domain will cause it to run for a long time causing an 
internal server error.


http://daryl.dostech.ca/scripts/spfhostcount.html


Daryl



Penalizing for SPF being too broad

2006-08-14 Thread Burton Windle
Now that even spammers are using SPF, is there a way to penalize those 
with SPF records that are too broad?


[EMAIL PROTECTED]:~$ host -t txt topsyvwkh.net
topsyvwkh.net descriptive text "v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2
ip4:145.0.0.0/2 ip4:245.0.0.0/2 -all"

I doubt any legit sender would SPF-authorize the entire Internet.


--
Burton Windle   [EMAIL PROTECTED]
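An added example (Python; not Daryl's spfhostcount script, not SpamAssassin's SPF plugin) that does the count Daryl describes and the CIDR sanity check Michael raised: given an already-fetched SPF TXT record, it merges the ip4: "pass" mechanisms, reports what share of IPv4 they authorize, and flags prefixes whose host bits are set, like the 51.0.0.0/2 above. The two records, the 1% threshold and the extension list are constructed for this example; include:, a, mx and redirect= terms would need DNS and are deliberately not resolved, so the count is a lower bound for records that use them.

```python
import ipaddress
from dataclasses import dataclass, field

IPV4_SPACE = 2 ** 32

# Constructed sample records for this example. The first is the record quoted
# in the thread; the second is a sane record using RFC 5737 documentation prefixes.
SPAMMER_RECORD = ("v=spf1 ip4:51.0.0.0/2 ip4:66.0.0.0/2 "
                  "ip4:145.0.0.0/2 ip4:245.0.0.0/2 -all")
SANE_RECORD = "v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.0/24 -all"


@dataclass
class SpfBreadth:
    authorized: int                              # distinct IPv4 addresses granted a "pass"
    fraction: float                              # share of the whole IPv4 space
    sloppy: list = field(default_factory=list)   # ip4: terms that are not clean prefixes
    too_broad: bool = False


def ip4_pass_networks(record):
    """Return (networks, sloppy) for the "pass" ip4: mechanisms of an SPF record.

    Only ip4: terms are counted. Terms with a -, ~ or ? qualifier do not
    authorize anything and are skipped.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    networks, sloppy = [], []
    for term in terms[1:]:
        qualifier, body = "+", term
        if term[0] in "+-~?":
            qualifier, body = term[0], term[1:]
        if qualifier != "+" or not body.lower().startswith("ip4:"):
            continue
        cidr = body[4:]                      # "51.0.0.0/2" or a bare address
        addr_text = cidr.partition("/")[0]
        try:
            addr = ipaddress.IPv4Address(addr_text)
            net = ipaddress.IPv4Network(cidr, strict=False)   # bare address -> /32
        except ValueError:
            sloppy.append(cidr)              # not a usable IPv4 prefix at all
            continue
        if addr != net.network_address:
            # Host bits set: 51.0.0.0/2 is really 0.0.0.0/2, a quarter of IPv4.
            # Receivers still honour it, so it is counted as well as flagged.
            sloppy.append(cidr)
        networks.append(net)
    return networks, sloppy


def spf_breadth(record, threshold=0.01):
    """Measure how much of IPv4 an SPF record authorizes.

    threshold is the share of IPv4 space above which the record is flagged.
    1% is about 43 million addresses, far above the ~1 million hotmail.com
    figure quoted in the thread, yet a single sloppy /2 blows straight past it.
    """
    networks, sloppy = ip4_pass_networks(record)
    merged = ipaddress.collapse_addresses(networks)   # dedupe and merge overlaps
    authorized = sum(net.num_addresses for net in merged)
    fraction = authorized / IPV4_SPACE
    return SpfBreadth(authorized, fraction, sloppy, fraction >= threshold)


if __name__ == "__main__":
    for label, rec in (("spammer", SPAMMER_RECORD), ("sane", SANE_RECORD)):
        b = spf_breadth(rec)
        print(f"{label}: {b.authorized} addresses ({b.fraction:.4%} of IPv4), "
              f"sloppy={b.sloppy}, too_broad={b.too_broad}")
```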



Re: Report

2006-08-14 Thread Robert Nicholson

This is why the rule doesn't trigger.

I see ... so the reason this gets thru is the following.

foreach my $p ($pms->{msg}->find_parts(qr/^(application|text)\b/)) {

... just looking for application|text is being too kind.

That needs to be more broad in this case.

I'd be for checking any attachment kind when looking for anything
"executable".

Any plans to change this? It's obviously an area where the spammer
has found a way to work around the rule.


On Aug 13, 2006, at 9:52 PM, Robert Nicholson wrote:

> Could it be because they use the following Content Type?
>
> Content-Type: audio/x-wav; name="hwrs.exe"
>
> disguising a .exe as a wav?
>
> On Aug 13, 2006, at 5:17 PM, jdow wrote:
>
>> SpamAssassin is not an anti-virus tool.
>> {^_^}
>> - Original Message - From: "Robert Nicholson"
>> <[EMAIL PROTECTED]>
>>
>>> Are you saying that 25_antivirus.cf doesn't have
>>> MICROSOFT_EXECUTABLE in 3.11?
>>>
>>> On Aug 13, 2006, at 3:10 PM, Loren Wilton wrote:
>>>
>>>> Because MICROSOFT_EXECUTABLE didn't hit on that message?
>>>>
>>>> Because MICROSOFT_EXECUTABLE was a 2.x rule that was deleted in
>>>> 3.0 and you are running 3.1.1?
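An added Python example, not SpamAssassin's code, of the check Robert argues for: judge an attachment by its filename and its leading bytes rather than by the Content-Type it declares, so an audio/x-wav part named hwrs.exe is still caught. The sample messages, the extension list and the MZ stand-in payload are constructed for this example.

```python
import base64
import email
from email import policy

# Extensions Windows runs directly. A constructed list for this example,
# not the one SpamAssassin's antivirus rules use.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "hta"}


def executable_attachments(raw_message):
    """Return (content_type, filename, reason) for every MIME part that looks
    executable, whatever Content-Type it claims."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition filename= and falls back to
        # the Content-Type name= parameter, which is all the audio/x-wav part has.
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        payload = part.get_payload(decode=True) or b""   # base64 is undone here
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable extension .{ext}")
        if payload[:2] == b"MZ":
            reasons.append("MZ magic bytes (DOS/PE header)")
        if reasons:
            findings.append((part.get_content_type(), name, "; ".join(reasons)))
    return findings


def build_mime(parts):
    """Assemble a small multipart/mixed message from (header_bytes, body_bytes) pairs."""
    out = [b"From: sender@example.invalid\n"
           b"To: postmaster@example.invalid\n"
           b"Subject: Report\n"
           b"MIME-Version: 1.0\n"
           b'Content-Type: multipart/mixed; boundary="b1"\n\n']
    for headers, body in parts:
        out.append(b"--b1\n" + headers + b"\n" + body)
    out.append(b"--b1--\n")
    return b"".join(out)


FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60    # constructed stand-in for a PE file
FAKE_WAV = b"RIFF" + b"\x00" * 60         # constructed stand-in for a real .wav
TEXT_PART = (b"Content-Type: text/plain; charset=us-ascii\n", b"See attached.\n")

# The disguise from the thread: declared audio/x-wav, named .exe, PE content.
DISGUISED = build_mime([
    TEXT_PART,
    (b'Content-Type: audio/x-wav; name="hwrs.exe"\n'
     b"Content-Transfer-Encoding: base64\n", base64.encodebytes(FAKE_PE)),
])
# A genuine audio attachment, for the negative case.
GENUINE = build_mime([
    TEXT_PART,
    (b'Content-Type: audio/x-wav; name="song.wav"\n'
     b"Content-Transfer-Encoding: base64\n", base64.encodebytes(FAKE_WAV)),
])
# A PE file renamed to .wav: only the magic-byte check can catch this one.
RENAMED = build_mime([
    TEXT_PART,
    (b'Content-Type: audio/x-wav; name="report.wav"\n'
     b"Content-Transfer-Encoding: base64\n", base64.encodebytes(FAKE_PE)),
])

if __name__ == "__main__":
    for label, raw in (("disguised", DISGUISED), ("genuine", GENUINE),
                       ("renamed", RENAMED)):
        print(label, executable_attachments(raw))
```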




Re: statistic amavisd + spamassassin

2006-08-14 Thread MennovB


Markus Edholm wrote:
> 
> I'm looking for some simple statistic script
> using amavisd and spamassassin just to see how my own and "standard"
> rules work
> 
There are several simple scripts for amavisd/SA but it depends on what info
you want.
For example in the list on http://www.ijs.si/software/amavisd/ the second
amavislogsumm works.
I use pflogsumm (http://jimsun.linxnet.com/postfix_contrib.html).
This one works fine too:
http://www.flakshack.com/anti-spam/nosack-spamreport.pl.

Regards
Menno van Bennekom




Re: SARE sa-update channels available!

2006-08-14 Thread Daryl C. W. O'Shea

On 8/13/2006 10:14 PM, DAve wrote:
> Daryl C. W. O'Shea wrote:
>> On 8/13/2006 4:49 PM, DAve wrote:
>>> Chainsaws, couldn't live without 'em. I hope all you lost were trees.
>>
>> For the most part.  Still trying to figure out how I'm going to cut up
>> one of the trees that is 23 feet in diameter, which conveniently is also
>> a hardwood, though.
>>
>>> Two, the GPG key really only says the rules are valid from your
>>> server, it doesn't guarantee the rules are valid SARE rules. Not sure
>>> how to handle that, or if users/authors will even care. Possibly
>>> authors would be willing to tar, gzip, and sign their rules if they
>>> were provided an upload facility.
>>
>> I suppose they could.  It'd be a little more work for the channel users
>> though, having to import each key and include them in a trusted gpgkey
>> file.  Additionally it would require documentation to be updated for
>> every new ruleset, saying what key it uses.
>
> We were thinking of going another way with that. We didn't consider the
> possibility of providing the author's key. Good point, we will make sure
> we don't.

BTW... the primary use for the GPG signing is to prevent tampering by
mirroring systems that may or may not be controlled by someone we even
know, such as the Coral CDN mirroring system we were trying out with
updates.spamassassin.org for a while.

> We might start using your channel until we get ours working the way we
> want:^)  Possibly instead of mirroring you, we could go ahead and offer
> a full set of files providing two independent sources. Just for
> availability's sake.

If it turns out the channels are used quite a bit, I'll probably mirror
it on my servers in Houston, Atlanta and Toronto once I get some
mirroring code written.

Different channels containing the same content wouldn't really increase
availability since people would be using only one of the channels.

> DAve
>
> PS. If I could have any plugin for SA, it would be a Snopes plugin. Scan
> my inbox, check the message against snopes and score accordingly. I
> don't need another story sent to me by family about people bolting JATO
> packs to their cars or David Bowie and Mick Jagger sleeping together.

Hmm... I'm pretty sure they wouldn't appreciate the load of thousands of
mail servers hammering their systems.  It would be nice though.


Daryl


sa-learn and bayes_toks

2006-08-14 Thread Mike Kenny

spamassassin --lint was reporting:
debug: bayes: no dbs present, cannot tie DB R/O: =
/var/spool/amavis/.spamassassin/bayes_toks

sa-learn --dump reported:
ERROR: Bayes dump returned an error, please re-run with -D for more information
sa-learn --backup reported:
v   3   db_version # this must be the first line!!!
v   0   num_spam
v   0   num_nonspam
following this with
sa-learn --dump now reports:
0.000  0  3  0  non-token data: bayes db version
0.000  0  0  0  non-token data: nspam
0.000  0  0  0  non-token data: nham
0.000  0  0  0  non-token data: ntokens
0.000  0  0  0  non-token data: oldest atime
0.000  0  0  0  non-token data: newest atime
0.000  0  0  0  non-token data: last journal sync atime
0.000  0  0  0  non-token data: last expiry atime
0.000  0  0  0  non-token data: last expire atime delta
0.000  0  0  0  non-token data: last expire
reduction count
but the timestamp on bayes_toks has not been updated.
What has happened?

I am running this on SLES 9 with spamassassin v3.0.4

Thanks,

Mike


Re: Re: bayes not run on some mail

2006-08-14 Thread Nigel Frankcom
On Mon, 14 Aug 2006 16:28:21 +0700, Beast <[EMAIL PROTECTED]> wrote:

> Nigel Frankcom wrote:
>>
>>>> I will turn on auto learn mostly because I need to feed more HAM to SA
>>>> (so far I only feed ham for any false positive which is very low daily
>>>> and I think that is not good enough for SA)
>>>
>>> If it is well trained then Bayes should be hitting. It may be that
>>> SA cannot get to the Bayes database due to privileges.
>>>
>>> (I manually train here. I distrust automatic training.)
>>>
>>> {^_^}
>>
>> I agree with not autotraining, imo it's a damned good way to get your
>> bayes poisoned. With beast's error I got the impression only _some_
>> mails were being missed which would imply either a file lock issue or
>> not enough child processes?
>
> I also agree with your point, however I need to feed more HAM (not spam)
> messages, which is not easy to obtain, unless we dump all users' mail to
> one mailbox.
>
> For the bayes file locking problem, I'm not quite sure because there is no
> complaint in the log:
>
> Aug 13 22:11:01 blowfish spampd[9828]: clean message
> <[EMAIL PROTECTED]> (1.67/5.20) from
> <[EMAIL PROTECTED]> for <[EMAIL PROTECTED]> in 0.33s, 2587 bytes.
>
> Yesterday, I received 5 FN mails which have not been scanned by
> bayes (low score); this is for postmaster only, I'm not sure if it's
> applicable to other addresses also.
>
> --beast

A lot will depend  on the circumstances your email servers run under
and the terms & privacy options your site uses. 

Here it's not such an issue fortunately. I have an application that
pulls mails out of the archive for our mailservers; then it's a case
of finding either ham or specific spam to train in. 

You might try training in your own mailbox for ham; though with a
large userbase ideally you want to train in a representative corpus of
mail to all your users.

Either way, it's going to involve some work (though significantly less
work than clearing up after the spammers).

I've found here that after the initial training run, just adding in
reported FPs & FN's is sufficient to keep bayes accurate. This doesn't
usually involve more than a few mails a month.

Nigel


Using SA to prevent bouncing spam?

2006-08-14 Thread Ole Nomann Thomsen
Hi, in order to avoid bouncing spam back to the (almost certainly) faked
sender-addresses, I thought I could use SA directly:

Suppose I configure it to substitute "<>" for the sender/reply-to in any
spam? That way spam-generated bounces would be dumped. Unfortunately it
doesn't seem possible:

* "rewrite_header from" will let me insert RFC 2822 comments but not
substitute entirely.

* "remove_header" and "add_header" will only let me work on "X-spam-*"
headers.

So am I left with writing my own wrapper here? That means a lot of testing
and double-testing, as I don't feel particularly lucky today.

- Ole.



Re: bayes not run on some mail

2006-08-14 Thread Beast

Nigel Frankcom wrote:
>>> I will turn on auto learn mostly because I need to feed more HAM to SA
>>> (so far I only feed ham for any false positive which is very low daily
>>> and I think that is not good enough for SA)
>>
>> If it is well trained then Bayes should be hitting. It may be that
>> SA cannot get to the Bayes database due to privileges.
>>
>> (I manually train here. I distrust automatic training.)
>>
>> {^_^}
>
> I agree with not autotraining, imo it's a damned good way to get your
> bayes poisoned. With beast's error I got the impression only _some_
> mails were being missed which would imply either a file lock issue or
> not enough child processes?

I also agree with your point, however I need to feed more HAM (not spam)
messages, which is not easy to obtain, unless we dump all users' mail to
one mailbox.

For the bayes file locking problem, I'm not quite sure because there is no
complaint in the log:

Aug 13 22:11:01 blowfish spampd[9828]: clean message
<[EMAIL PROTECTED]> (1.67/5.20) from
<[EMAIL PROTECTED]> for <[EMAIL PROTECTED]> in 0.33s, 2587 bytes.

Yesterday, I received 5 FN mails which have not been scanned by
bayes (low score); this is for postmaster only, I'm not sure if it's
applicable to other addresses also.

--beast



Re: Re: bayes not run on some mail

2006-08-14 Thread Nigel Frankcom
On Mon, 14 Aug 2006 01:52:33 -0700, "jdow" <[EMAIL PROTECTED]> wrote:

> From: "Beast" <[EMAIL PROTECTED]>
>
>> jdow wrote:
>>> From: "Beast" <[EMAIL PROTECTED]>
>>>
>>>> Hi,
>>>>
>>>> From some (spam) mail which was not caught by SA, it seems that bayes is
>>>> not applied to this mail.
>>>>
>>>> X-Spam-Report:
>>>> * 0.0 HTML_MESSAGE BODY: HTML included in message
>>>> * 1.7 SARE_SPEC_ROLEX Rolex watch spam
>>>> X-Spam-Status: No, score=1.7 required=5.2
>>>> tests=HTML_MESSAGE,SARE_SPEC_ROLEX
>>>> autolearn=no version=3.1.4
>>>>
>>>> Is the bayes check not run for every mail?
>>>
>>> It is not run if you have not yet learned from at least 200 each of
>>> spam and ham messages. You do not learn from all messages because the
>>> scores are "indicative" rather than "certain" with regards to estimating
>>> ham or spam properties. If you collect a random bunch of 200 or more
>>> ham messages and 200 or more known spam messages and manually train
>>> with them via sa-learn you can get Bayes working sooner.
>>
>> It actually has enough corpus learned. I was running this for more than
>> a year with manual training (daily trained by a human). Bayes was working
>> for most mail but not for all mails.
>>
>> [EMAIL PROTECTED] ~]# spamassassin --lint -D 2>&1 |  grep 'corpus size'
>> [12081] dbg: bayes: corpus size: nspam = 34035, nham = 7399
>>
>> I will turn on auto learn mostly because I need to feed more HAM to SA
>> (so far I only feed ham for any false positive which is very low daily
>> and I think that is not good enough for SA)
>
> If it is well trained then Bayes should be hitting. It may be that
> SA cannot get to the Bayes database due to privileges.
>
> (I manually train here. I distrust automatic training.)
>
> {^_^}

I agree with not autotraining, imo it's a damned good way to get your
bayes poisoned. With beast's error I got the impression only _some_
mails were being missed which would imply either a file lock issue or
not enough child processes?

Nigel


Re: bayes not run on some mail

2006-08-14 Thread jdow

From: "Beast" <[EMAIL PROTECTED]>


jdow wrote:

From: "Beast" <[EMAIL PROTECTED]>


Hi,

From some (spam) mail which not caught by SA, it seems that bayes is 
not applied to this mail.


X-Spam-Report:
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.7 SARE_SPEC_ROLEX Rolex watch spam
X-Spam-Status: No, score=1.7 required=5.2 
tests=HTML_MESSAGE,SARE_SPEC_ROLEX

autolearn=no version=3.1.4

Is the bayes check not run for every mail?


It is not run if you have not yet learned from at least 200 each of
spam and ham messages. You do not learn from all messages because the
scores are "indicative" rather than "certain" with regards to estimating
ham or spam properties. If you collect a random bunch of 200 or more
ham messages and 200 or more known spam messages and manually train
with them via sa-learn you can get Bayes working sooner.


It actually has enough corpus learned. I was running this for more than 
a year with manual trained (daily trained by human). Bayes was working 
for most mail but not for all mails.


[EMAIL PROTECTED] ~]# spamassassin --lint -D 2>&1 |  grep 'corpus size'
[12081] dbg: bayes: corpus size: nspam = 34035, nham = 7399

I will turn on auto learn mostly because I need to feed more HAM to SA 
(so far I only feed ham for any false positive which is very low daily 
and i think that is not good enough for SA)


If it is well trained then Bayes should be hitting. It may be that
SA cannot get to the Bayes database due to privileges.

(I manually train here. I distrust automatic training.)

{^_^}


Re: Problems on Solaris x86

2006-08-14 Thread Pascal Maes


On 13 Aug 06, at 10:14, Pascal Maes wrote:


Hello,

I have installed MailScanner (4.55.10-3) on a solaris 10 (x86) box.
MailScanner is using SpamAssassin 3.1.4

I'm also using postfix and MailScanner is running as the user postfix.

MailScanner, in debugging mode, is going fine.
When I run spamassassin -D --lint (as user postfix) all is going fine too.


But when I launch MailScanner in "normal" mode (with fork), the call to


$self->do_full_eval_tests($priority, \$fulltext);

never finishes;

In MailScanner, we have

$MailScanner::SA::SAspamtest = new Mail::SpamAssassin(\%settings);
$MailScanner::SA::SAspamtest->compile_now();

It's this last call which never finishes, unless the line
$self->do_full_eval_tests($priority, \$fulltext);
is commented out.


Everything is going fine with the same config on a linux box or on a solaris 9 sparc box



Any idea ?



I have made some other tests :

   - reactivate the line do_full_eval_tests
   - suppress everything except local.cf, init.pre, v310.pre and v312.pre
     from /etc/mail/spamassassin and comment all lines in these files.

Restarting MailScanner and commenting out one line at a time, I found that the problem is with


loadplugin Mail::SpamAssassin::Plugin::Razor2



When I test spamassassin, all is working fine :

# spamassassin -D < sample-nonspam.txt |& grep -i razor
[12725] dbg: config: read file /usr/local/share/spamassassin/25_razor2.cf
[12725] dbg: plugin: loading Mail::SpamAssassin::Plugin::Razor2 from @INC

[12725] dbg: razor2: razor2 is available, version 2.82
[12725] dbg: plugin: registered Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24)
[12725] dbg: plugin: registering glue method for check_razor2_range (Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24))

[12725] dbg: razor2: part=0 engine=4 contested=0 confidence=-17
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: part=0 engine=8 contested=0 confidence=0
[12725] dbg: razor2: results: spam? 0
[12725] dbg: razor2: results: engine 8, highest cf score: 0
[12725] dbg: razor2: results: engine 4, highest cf score: 0
[12725] dbg: plugin: registering glue method for check_razor2 (Mail::SpamAssassin::Plugin::Razor2=HASH(0x8e53c24))



but when the compile_now() function is called from the main MailScanner process, it doesn't finish and consumes high CPU


# ps -ef | grep MailScanner
root 12755  1099   0 10:18:29 pts/5   0:00 grep MailScanner
postfix 12714 12713  50 10:13:31 ?   4:57 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner
postfix 12713  2400   0 10:13:31 ?   0:00 /usr/bin/perl -I/opt/MailScanner/lib /opt/MailScanner/bin/MailScanner


#top
load averages:  1.04,  1.05,  1.02                                10:18:12

50 processes:  47 sleeping, 3 on cpu
CPU states: 49.5% idle, 50.2% user,  0.3% kernel,  0.0% iowait,  0.0%  
swap

Memory: 2047M real, 1146M free, 680M swap in use, 2820M swap free

   PID USERNAME LWP PRI NICE  SIZE   RES STATE    TIME    CPU COMMAND
 12714 postfix    1  20    0   53M   41M cpu/1    4:40 49.92% MailScanner
 12749 root       1  59    0 3184K 1220K cpu/0    0:00  0.01% top



--
Pascal
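As an added example (not from this thread), a Python harness that automates the one-line-at-a-time isolation Pascal describes: it comments out each loadplugin line of a .pre file in turn, hands the trial config to a command you supply (anything that reproduces the hang with that file as its last argument, for instance a wrapper doing the same new/compile_now calls as MailScanner; that wrapper is assumed, not on the page), and reports which plugin's removal lets the command complete within the timeout. The .pre fragment below is constructed, not the poster's file.

```python
import os
import re
import subprocess
import tempfile

LOADPLUGIN = re.compile(r"^\s*loadplugin\s+(\S+)")

# Constructed v310.pre-style fragment, not the poster's configuration.
SAMPLE_PRE = """# constructed sample, not a real site file
loadplugin Mail::SpamAssassin::Plugin::URIDNSBL
loadplugin Mail::SpamAssassin::Plugin::Razor2
loadplugin Mail::SpamAssassin::Plugin::SpamCop
"""

def variants(pre_text):
    """Yield (plugin, config) pairs, each with one loadplugin line commented out."""
    lines = pre_text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        m = LOADPLUGIN.match(line)
        if m:
            yield m.group(1), "".join(lines[:i] + ["#" + line] + lines[i + 1:])

def finishes(command, config, timeout):
    """Run command with a temp copy of config as its last argument.

    Returns True if the command exits within timeout seconds, False if it had
    to be killed (the hang Pascal observed in compile_now()).
    """
    with tempfile.NamedTemporaryFile("w", suffix=".pre", delete=False) as fh:
        fh.write(config)
        path = fh.name
    try:
        subprocess.run(command + [path], timeout=timeout,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        return True
    except subprocess.TimeoutExpired:
        return False
    finally:
        os.unlink(path)

def isolate(pre_text, command, timeout=60):
    """Return the plugins whose removal lets the command complete.

    An empty list means the full config already completes, so there is
    nothing to isolate; several names mean more than one plugin is involved.
    """
    if finishes(command, pre_text, timeout):
        return []
    return [plugin for plugin, cfg in variants(pre_text)
            if finishes(command, cfg, timeout)]
```

Each trial runs the reproducer afresh, so the process being probed sees only the one modified file; point the reproducer at the temp path rather than at /etc/mail/spamassassin to avoid editing the live configuration.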