Re: catching fake usernames?
On Thu, August 31, 2006 07:24, John Andersen wrote:
> Won't work if ONE of the recipients is real...

Still better than nothing. SPF or sender access can take the rest, but since I am still not using SPF in the MTA it needs to be done as a restriction class in Postfix; it could be a sender class that rejects if the client IP is not authenticated. The problem is just not big enough here to make it needed.

SpamAssassin has an accessdb plugin, btw; I just wish it handled other DBs also.

--
This message was sent using 100% recycled spam mails.
RBL and blackholes.us.
Hi All:

These days, I found that many outbound messages from my server were blocked by blackholes.us. I checked all my IPs and found many of them listed there. There are many email servers that use the list strictly as an RBL, although it says:

> Blackholes.us does not list spammers, spam supporters, or vulnerable hosts (open relays/proxies) at the present time. The data published here is not intended for use as any kind of anti-spam solution, although it can be helpful as part of a larger system.

So, can anybody give me some advice on how to remove my IPs from it quickly?

--
Xueron Nee [EMAIL PROTECTED]
Re: RBL and blackholes.us.
On Wednesday 30 August 2006 22:15, Xueron Nee wrote:
> Hi All: These days, I found that many outbound messages from my server were blocked by blackholes.us. I checked all my IPs and found many of them listed there. There are many email servers that use the list strictly as an RBL, although it says: "Blackholes.us does not list spammers, spam supporters, or vulnerable hosts (open relays/proxies) at the present time. The data published here is not intended for use as any kind of anti-spam solution, although it can be helpful as part of a larger system." So, can anybody give me some advice on how to remove my IPs from it quickly?

Seems to me that they have removal procedures on the site.

First you might want to FIND OUT why your servers are listed. Are there perhaps some compromised machines forwarding mail thru your mail servers?

You said:
> I checked all my IPs and found many of them listed there.

How many mail servers do you have? Or were these not ALL mail servers? If they were not mail servers, then it sounds EVEN MORE like compromised machines sending email via some bot.

If it's any consolation, large ISPs with millions of subscribers get blackholed there all the time, and are constantly fighting them. It seems collective punishment is politically incorrect in all areas of human discourse except fighting spam.

My ISP had their primary server blackholed last week, cutting off about 75% of Alaska from sending mail to many sites. I suspect the bot nets have started relaying thru the ISPs' mail systems rather than going direct, and perhaps purposely sending mail to honeypots via ISP MTAs simply to poison the blackhole lists.

--
John Andersen
Re: File mode set incorrectly
On Thursday 31 August 2006 05:33, Albert Poon took the opportunity to say:
> My box is FreeBSD 6.1-I386 and my SA is installed from ports (MIMEDefang + SA + ClamAV). The combination is running as mailnull and I have changed the owner of the related directories accordingly. My problem is, both auto_whitelist_file_mode and bayes_file_mode cannot be set correctly, and they have different problems:
>
> For bayes_file_mode, I set it to 0777, but the output is only 0666. If I set it to 0700, it turns out to be 0600.

That's by design. The mode is used as is (e.g. 0700) for any directories that need to be created, but for the files the x bits are masked off. Why would you want the databases to be executable?

> For auto_whitelist_file_mode, no matter what I set, it only becomes 0640.

The same should be true for this one.

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: RBL and blackholes.us.
Dear John Andersen,

Thanks for your help. I can only find a contact email address on its page: [EMAIL PROTECTED], and I have written to him several times, but there has been no reply at all.

All my IPs are used for email service, as we are the biggest ESP in China. I checked these IPs and only get: "Listed by china.blackholes.us." No other information. :(

I don't think there were compromised machines forwarding mail thru their servers. It lists almost all of our IPs.

John Andersen wrote:
> On Wednesday 30 August 2006 22:15, Xueron Nee wrote:
>> Hi All: These days, I found that many outbound messages from my server were blocked by blackholes.us. I checked all my IPs and found many of them listed there. There are many email servers that use the list strictly as an RBL, although it says: "Blackholes.us does not list spammers, spam supporters, or vulnerable hosts (open relays/proxies) at the present time. The data published here is not intended for use as any kind of anti-spam solution, although it can be helpful as part of a larger system." So, can anybody give me some advice on how to remove my IPs from it quickly?
>
> Seems to me that they have removal procedures on the site.
>
> First you might want to FIND OUT why your servers are listed. Are there perhaps some compromised machines forwarding mail thru your mail servers?
>
> You said:
>> I checked all my IPs and found many of them listed there.
>
> How many mail servers do you have? Or were these not ALL mail servers? If they were not mail servers, then it sounds EVEN MORE like compromised machines sending email via some bot.
>
> If it's any consolation, large ISPs with millions of subscribers get blackholed there all the time, and are constantly fighting them. It seems collective punishment is politically incorrect in all areas of human discourse except fighting spam.
>
> My ISP had their primary server blackholed last week, cutting off about 75% of Alaska from sending mail to many sites. I suspect the bot nets have started relaying thru the ISPs' mail systems rather than going direct, and perhaps purposely sending mail to honeypots via ISP MTAs simply to poison the blackhole lists.
>
> --
> John Andersen

--
Xueron Nee [EMAIL PROTECTED]
Re: RBL and blackholes.us.
Dear Yet Another Ninja,

Thanks for your help. The problem is that our outbound messages were rejected directly according to this list. I don't know why njabl.org also uses these data.

http://njabl.org/cgi-bin/lookup.cgi?query=220.181.13.1
220.181.13.1 is listed in blackholes.njabl.org: China blocked by china.blackholes.us

Any good way to resolve this problem? Thanks!

Yet Another Ninja wrote:
> On 8/31/2006 8:15 AM, Xueron Nee wrote:
>> Hi All: These days, I found that many outbound messages from my server were blocked by blackholes.us. I checked all my IPs and found many of them listed there. There are many email servers that use the list strictly as an RBL, although it says: "Blackholes.us does not list spammers, spam supporters, or vulnerable hosts (open relays/proxies) at the present time. The data published here is not intended for use as any kind of anti-spam solution, although it can be helpful as part of a larger system." So, can anybody give me some advice on how to remove my IPs from it quickly?
>
> you can't
>
> Blackholes.us lists countries and ISPs and not spammer IPs.
>
> for example: from your post's header you sent from 218.107.55.253 which belongs to cncgroup, right? if yes, then that's China, and your IP block is in the China zone. Whoever is rejecting your mail has decided not to accept mail from China.
>
> Alex

--
Xueron Nee [EMAIL PROTECTED]
Re: RBL and blackholes.us.
On Thursday 31 August 2006 08:49, Xueron Nee wrote:
> I don't know why njabl.org also uses these data.
> http://njabl.org/cgi-bin/lookup.cgi?query=220.181.13.1
> 220.181.13.1 is listed in blackholes.njabl.org: China blocked by china.blackholes.us

Don't have an IP address in Chinese netspace.

china.blackholes.us, along with all of the other countryname.blackholes.us zones, are DNS listings of ARIN/RIPE/APNIC netblock allocations. They're not blacklists per se - people just use them as blacklists. Last I knew (a few years ago), it's impossible to get your IP removed from the country.blackholes.us zone, simply because the zone is stating facts, not prejudicial information.
Language settings score
Hello all.

In Norway there are strict laws concerning sending spam, which in fact work very well. Therefore we have no Norwegian incoming spam. I was wondering if there is a feature that lowers the score for mails that are in the Norwegian language.

The way I understand ok_languages, it allows or disallows the given languages. What we need is something so that we can set the score to -100 if the mail is written in Norwegian. "Score no_language -100" or something like that. Hope you understand what I mean.

Kind Regards
Paul
Re: Language settings score
On Thu, August 31, 2006 10:19, Paul Tenfjord wrote:
> The way I understand ok_languages, it allows or disallows the given languages. What we need is something so that we can set the score to -100 if the mail is written in Norwegian. "Score no_language -100" or something like that. Hope you understand what I mean.

Sounds like an ispell plugin for spamassassin :-)

ispell -d norge msg

and score higher if there are a lot of non-local words in it :-)

Else set "ok_languages no en" and enable the textcat plugin, else unwanted languages will hit.

--
This message was sent using 100% recycled spam mails.
Re: source SENDER authentication ? (as opposed to SPF HOST authentication)
Benny Pedersen writes:
> On Wed, August 30, 2006 19:44, Justin Mason wrote:
>> list -- as the forged source of the spam. The end result for us end users, is a massive increase in spam blowback, which is what we've seen since those MTAs implemented it. :(
>
> spf solves that

Well, it would, if they would restrict address lookups to IPs that pass the SPF check. This is not the case, unfortunately.

--j.
Re: Language settings score
Paul Tenfjord [EMAIL PROTECTED] writes:
> In Norway there are strict laws concerning sending spam, which in fact work very well. Therefore we have no Norwegian incoming spam. I was wondering if there is a feature that lowers the score for mails that are in the Norwegian language. The way I understand ok_languages, it allows or disallows the given languages. What we need is something so that we can set the score to -100 if the mail is written in Norwegian.

Even if no spam originates from Norway, that does not mean that no spam will be written in Norwegian. It would be possible for spammers in some other country to target Norway and write the messages in Norwegian.
Re: RBL and blackholes.us.
Xueron Nee wrote:
> Hi All: These days, I found that many outbound messages from my server were blocked by blackholes.us. I checked all my IPs and found many of them listed there. There are many email servers that use the list strictly as an RBL, although it says: "Blackholes.us does not list spammers, spam supporters, or vulnerable hosts (open relays/proxies) at the present time. The data published here is not intended for use as any kind of anti-spam solution, although it can be helpful as part of a larger system." So, can anybody give me some advice on how to remove my IPs from it quickly?

You can't. blackholes.us lists are based on geography and hosting provider. The only way out is to move or switch ISPs.

In your case, based on your IP address, the list you are in is the one for China. This list tries to contain every IP address assigned to the country of China, spammer or not. This list is purely geographic, and to request a de-listing is to claim the IP address is not in fact in China.

Think of blackholes.us as a DNS based version of GeoIP.
Re: SPF Failing for this list mail
Ramprasad wrote:
> Hi,
> One mail for this list got into my quarantine. I was surprised since I had spf_whitelist'ed spamassassin.apache.org. I went thru the logs, got this:
>
> Aug 30 03:20:27 rs14 MailScanner[25502]: Message 747B1441F1.64958 from 209.237.227.199 (dev-return-27257- [EMAIL PROTECTED]) to netcore.co.in is spam, CTSCORE : 0 REFID: [str=0001.0A090202.44F4B55B.008B:SCFONLINE515039,ss=1,fgs=0], SpamAssassin (score=6.776, required 5, BAYES_00 -2.60, DRUGS_ERECTILE 0.49, DRUGS_ERECTILE_OBFU 2.41, FUZZY_VPILL 0.92, MANGLED_VIAGRA 2.50, SARE_OBFU_VIAGRA 1.67, SPF_SOFTFAIL 1.38)
> Aug 30 03:20:27 rs14 MailScanner[25502]: Spam Actions: message 747B1441F1.64958 actions are store
>
> Anyone else seen this?

Sounds like your trusted_networks setting is broken.

http://wiki.apache.org/spamassassin/TrustPath
Re: File mode set incorrectly
If so what's the point of these options? Are you meaning it's the design of the ports collection or SA itself?

Magnus Holmgren wrote:
> On Thursday 31 August 2006 05:33, Albert Poon took the opportunity to say:
>> My box is FreeBSD 6.1-I386 and my SA is installed from ports (MIMEDefang + SA + ClamAV). The combination is running as mailnull and I have changed the owner of the related directories accordingly. My problem is, both auto_whitelist_file_mode and bayes_file_mode cannot be set correctly, and they have different problems:
>>
>> For bayes_file_mode, I set it to 0777, but the output is only 0666. If I set it to 0700, it turns out to be 0600.
>
> That's by design. The mode is used as is (e.g. 0700) for any directories that need to be created, but for the files the x bits are masked off. Why would you want the databases to be executable?
>
>> For auto_whitelist_file_mode, no matter what I set, it only becomes 0640.
>
> The same should be true for this one.
>
> --
> Magnus Holmgren [EMAIL PROTECTED]
> (No Cc of list mail needed, thanks)

--
View this message in context: http://www.nabble.com/File-mode-set-incorrectly-tf2194216.html#a6078406
Sent from the SpamAssassin - Users forum at Nabble.com.
Re: RBL and blackholes.us.
Dear Matt Kettler,

Thanks for your kind help :) Seems that there are too many email servers that use these DNS based lists incorrectly ...

Matt Kettler wrote:
> Xueron Nee wrote:
>> Hi All: These days, I found that many outbound messages from my server were blocked by blackholes.us. I checked all my IPs and found many of them listed there. There are many email servers that use the list strictly as an RBL, although it says: "Blackholes.us does not list spammers, spam supporters, or vulnerable hosts (open relays/proxies) at the present time. The data published here is not intended for use as any kind of anti-spam solution, although it can be helpful as part of a larger system." So, can anybody give me some advice on how to remove my IPs from it quickly?
>
> You can't. blackholes.us lists are based on geography and hosting provider. The only way out is to move or switch ISPs.
>
> In your case, based on your IP address, the list you are in is the one for China. This list tries to contain every IP address assigned to the country of China, spammer or not. This list is purely geographic, and to request a de-listing is to claim the IP address is not in fact in China.
>
> Think of blackholes.us as a DNS based version of GeoIP.

--
Xueron Nee [EMAIL PROTECTED]
Re: File mode set incorrectly
On Thursday 31 August 2006 14:30, Albert Poon took the opportunity to say:
> If so what's the point of these options?

You might want to set group or others permissions differently depending on how you run SpamAssassin (per-user or global) and whether users have their own primary group or belong to a common group. There are many reasons, but there is no point in setting the executable bit of data files.

> Are you meaning it's the design of the ports collection or SA itself?

It has nothing to do with Ports; you can read about the options in the SA man pages (Mail::SpamAssassin::Conf(3pm) and Mail::SpamAssassin::Plugin::AWL(3pm)).

--
Magnus Holmgren [EMAIL PROTECTED]
(No Cc of list mail needed, thanks)
Re: RBL and blackholes.us.
On Thu, 31 Aug 2006, Xueron Nee wrote:
> Seems that there are too many email servers that use these DNS based lists incorrectly ...

Not necessarily. An email admin has to make the conscious decision "I don't want to accept any email from China" in order to use that RBL in the first place. I did precisely that for the corporate network I administered because we did no business with anyone in China and the only email we ever got from Chinese netblocks was spam.

--
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It may be possible to start a programme of weapon registration as a first step towards the physical collection phase. ... Assurances must be provided, and met, that the process of registration will not lead to immediate weapons seizures by security forces.
  -- the UN, who doesn't want to confiscate guns
---
19 days until Talk Like a Pirate day
Re: RBL and blackholes.us.
Dear John D. Hardin,

aha, that sounds reasonable :) But the fact is that some server blocked me, but it should have accepted. My users complained about this and made me so agonised.

Thanks for your help anyway.

John D. Hardin wrote:
> On Thu, 31 Aug 2006, Xueron Nee wrote:
>> Seems that there are too many email servers that use these DNS based lists incorrectly ...
>
> Not necessarily. An email admin has to make the conscious decision "I don't want to accept any email from China" in order to use that RBL in the first place. I did precisely that for the corporate network I administered because we did no business with anyone in China and the only email we ever got from Chinese netblocks was spam.
>
> --
> John Hardin

--
Xueron Nee [EMAIL PROTECTED]
SPF_SOFTFAIL but there's no SPF record
SpamAssassin version 3.1.4 running on Perl version 5.8.7 (and 5.8.5)

Any idea why a message with the following headers:

X-Envelope-From: [EMAIL PROTECTED]
Received: from mail.ans.org (mail.ans.org [206.222.45.53]) by emroute1.ornl.gov (PMDF V6.2-1x9 #31038) with ESMTP id [EMAIL PROTECTED] for [EMAIL PROTECTED] (ORCPT [EMAIL PROTECTED]); Wed, 30 Aug 2006 11:51:52 -0400 (EDT)
Received: from GWDOMAIN-MTA by mail.ans.org with Novell_GroupWise; Wed, 30 Aug 2006 10:49:21 -0500

would get the following hits:

* 1.4 SPF_SOFTFAIL SPF: sender does not match SPF record (softfail)
*     [SPF failed: ]
* 2.4 SPF_HELO_SOFTFAIL SPF: HELO does not match SPF record (softfail)
*     [SPF failed: ]

I see no SPF records for ans.org or mail.ans.org. A message sent 14 minutes earlier with the same IP address, HELO address and return address did not hit these SPF rules.

(note: usernames munged with xx and yy)

Thanks,
Larry
Very big auto-whitelist file
A little question about AWL: I have an auto_whitelist that looks VERY HUGE to me:

-rw--- 1 root root 1241124864 Aug 31 17:51 auto-whitelist

Do you think a 1.2 Gb AWL file is NORMAL? I don't think so and plan to use the check_whitelist tool to clean it, something like:

check_whitelist --clean --min 2

Does it look right to you? I'm a bit afraid it might be a very long process because of its size ...

Any advice or information from someone who experienced it is welcome.

Regards,
Stephane
RE: RBL and blackholes.us.
> Dear John D. Hardin,
> aha, that sounds reasonable :) But the fact is that some server blocked me, but it should have accepted. My users complained about this and made me so agonised.

That is entirely the option of that server's admins; to refuse YOUR email.

I may not agree with that choice but only the server's admin gets to choose, so you have another option if your users' email is legitimate: Contact the server admins who do this and politely explain both the nature (and importance) of receiving your emails and ask them to make an exception for you.

(Or change to another range of addresses as previously mentioned.)

> Thanks for your help anyway.

Herb Martin

-----Original Message-----
From: Xueron Nee [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 31, 2006 10:31 AM
To: John D. Hardin
Cc: [EMAIL PROTECTED]; Matt Kettler; users@spamassassin.apache.org
Subject: Re: RBL and blackholes.us.

> John D. Hardin wrote:
>> On Thu, 31 Aug 2006, Xueron Nee wrote:
>>> Seems that there are too many email servers that use these DNS based lists incorrectly ...
>>
>> Not necessarily. An email admin has to make the conscious decision "I don't want to accept any email from China" in order to use that RBL in the first place. I did precisely that for the corporate network I administered because we did no business with anyone in China and the only email we ever got from Chinese netblocks was spam.
>>
>> --
>> John Hardin
>
> --
> Xueron Nee [EMAIL PROTECTED]
Re: Discourage broken content
John Andersen wrote:
> Mailscanner ... or any other mail-handling software... has no business changing content.

... unless you explicitly configure it to do so. (ATTN: AVG for Windows POP3/SMTP interface/hook authors, This Means You! Among others.)

-kgd
Re: Very big auto-whitelist file
On Thu, 31 Aug 2006, Stéphane LEPREVOST wrote:
> A little question about AWL: I have an auto_whitelist that looks VERY HUGE to me:
>
> -rw--- 1 root root 1241124864 Aug 31 17:51 auto-whitelist
>
> Do you think a 1.2 Gb AWL file is NORMAL?

You might try typing "du -k auto-whitelist". It could be a sparse file, and the amount of disk it's actually using isn't as large as what you think.

It does seem a little large, but it's hard to tell. Mine is this size:

-rw--- 1 root root 5234688 2006-08-31 12:04 auto-whitelist

but then, I have a fairly low-volume site (less than 1000 messages a day, including spam) with not all that many users.

- Logan
Re: catching fake usernames?
On Thu, 31 Aug 2006, Matt Kettler wrote:
> milter-greylist, while designed for greylisting, has grown to have a quite flexible ACL system. Using it you could whitelist all your local IPs that legitimately generate mail with your domain, then follow it up by blacklisting anything else that claims to be from the local domain.

I use milter-regex for that and have been quite satisfied with it.

--
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
Re: RBL and blackholes.us.
On Thu, 31 Aug 2006, Xueron Nee wrote:
> Dear John D. Hardin,
> aha, that sounds reasonable :) But the fact is that some server blocked me, but it should have accepted. My users complained about this and made me so agonised.

I suggest you contact the admin of that mailserver and ask them to reconsider their blocking all of China. You'll have to use your gmail account to do that, of course...

The only way to get off a geographical RBL is to move to a different location.

--
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
Re: Language settings score
On Thu, 31 Aug 2006, Paul Tenfjord wrote:
> In Norway there are strict laws concerning sending spam, which in fact work very well. Therefore we have no Norwegian incoming spam. I was wondering if there is a feature that lowers the score for mails that are in the Norwegian language.

language != source. A Norwegian-language spam could easily originate outside Norway and not be subject to your laws.

If you want to reduce the score for that, I would suggest using a geographical test, such as an RBL lookup on norway.blackholes.us or a GeoIP test, with the desired negative points.

--
John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
Please sanity check these ideas for rules.
I've got every ruleset blacklist available and I'm still getting buried - the bayes poison in all of the recent spam has wrecked that.

Does anyone see a reason why I can't assume messages with blank subjects are junk?

Also, I've got an idea about maybe doing an nslookup on the envelope sender domain and junking anything without an entry.

I'm probably missing something that I should consider, especially on that last one. Would anyone care to educate me what I'm missing?

Thanks!
Mike-

--
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
Re: Please sanity check these ideas for rules.
Michael W Cocke wrote:
> I've got every ruleset blacklist available and I'm still getting buried - the bayes poison in all of the recent spam has wrecked that. Does anyone see a reason why I can't assume messages with blank subjects are junk?

Ask all my friends who regularly send me emails with empty subjects...?

> Also, I've got an idea about maybe doing an nslookup on the envelope sender domain and junking anything without an entry.

This would better be done on SMTP level - every decent mailserver should have the possibility to do that - though IMHO it's too harsh - often automatic mails from boards, website auto-replies etc. are being sent with some internal name of the server which does not resolve - but you probably still want to receive them. But I know people who block this, though I never would.

IMHO it might be better to analyze WHICH mails make it through and WHY and then find/write rules specifically for that content. On my system I rarely see a spam get through thanks to greylisting, antivirus, spamassassin with lots of rules and plugins.

Matt
Re: Please sanity check these ideas for rules.
Michael W Cocke [EMAIL PROTECTED] 08/31/06 12:55PM
> I've got every ruleset blacklist available and I'm still getting buried - the bayes poison in all of the recent spam has wrecked that. Does anyone see a reason why I can't assume messages with blank subjects are junk? Also, I've got an idea about maybe doing an nslookup on the envelope sender domain and junking anything without an entry. I'm probably missing something that I should consider, especially on that last one. Would anyone care to educate me what I'm missing? Thanks! Mike-

==

Well, if you don't have tech savvy users (or at least ones who don't know their email etiquette, remember most end-users don't) they seem to frequently forget subjects. Add a point, maybe, but over your spam threshold... not a good idea in most cases.

I'd approach it from the standpoint of why your SA isn't catching your spam. We get very few spam anymore since doing greylisting (OK, that has its own issues, but allowing in spam isn't one of them!) + SA + many of the SARE rules.

Rob
Re: Very big auto-whitelist file
On Thu, 2006-08-31 at 09:00, Stéphane LEPREVOST wrote:
> A little question about AWL: I have an auto_whitelist that looks VERY HUGE to me:
>
> -rw--- 1 root root 1241124864 Aug 31 17:51 auto-whitelist
>
> Do you think a 1.2 Gb AWL file is NORMAL? I don't think so and plan to use the check_whitelist tool to clean it, something like:
>
> check_whitelist --clean --min 2
>
> Does it look right to you? I'm a bit afraid it might be a very long process because of its size ... Any advice or information from someone who experienced it is welcome.

There's an additional tool to run after you run check_whitelist. It's called trim_whitelist, and it compacts the db file. I can't remember where I found it, but you should be able to google for it. It should reduce the size of your db file quite a bit.

-Roger
Re: Please sanity check these ideas for rules.
On Thu, 31 Aug 2006, Michael W Cocke wrote:
> I've got every ruleset blacklist available and I'm still getting buried - the bayes poison in all of the recent spam has wrecked that. Does anyone see a reason why I can't assume messages with blank subjects are junk?

Maybe add a point for a missing subject, but some automatically generated messages (print queue failure, etc) have blank subjects, and lots of newbies forget to add a subject.

> Also, I've got an idea about maybe doing an nslookup on the envelope sender domain and junking anything without an entry.

Um, why aren't you already doing this at the SMTP-MTA level? Checking for a valid sender domain has been SOP for years. One caveat: do a temp-fail (451), not a hard-fail, for domain lookup failure; occasionally DNS servers do get constipated. ;)

I made that mistake once, several years ago: M$ had all their primary DNS servers on -one- subnet, had a router failure and they all went MIA. My MTAs started bouncing all hotmail. ;()

--
Dave Funk                                  University of Iowa
dbfunk (at) engineering.uiowa.edu          College of Engineering
319/335-5751   FAX: 319/384-0549           1256 Seamans Center
Sys_admin/Postmaster/cell_admin            Iowa City, IA 52242-1527
#include <std_disclaimer.h>
Better is not better, 'standard' is better. B{
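The two DNS-driven checks this thread keeps returning to, as an added example that is not code from the list, from SpamAssassin or from any MTA: the sender-domain check in the post above (temp-fail on DNS trouble, hard-fail only on a definite negative answer, the null sender always accepted) and the country-zone lookups from the blackholes.us thread, which are ordinary reverse-octet DNSBL queries where a listing only means "allocated to that country". The `resolve` callback, the two exception classes and the in-memory answer table are assumptions constructed for the demo so it runs offline; the only value taken from the thread is that 220.181.13.1 is listed by china.blackholes.us.

```python
import ipaddress


class NotFound(Exception):
    """Authoritative negative answer: NXDOMAIN, or no records of that type."""


class TempFailure(Exception):
    """Transient resolver trouble: timeout, SERVFAIL, unreachable servers."""


def sender_domain(envelope_from):
    """Domain part of a MAIL FROM address, or None for the null sender '<>'."""
    addr = envelope_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if addr == "":
        return None  # bounces use the null sender; RFC 5321 says accept it
    if "@" not in addr:
        raise ValueError("malformed envelope sender: %r" % envelope_from)
    return addr.rsplit("@", 1)[1].lower().rstrip(".")


def check_sender_domain(envelope_from, resolve):
    """SMTP reply (code, text) for the MAIL FROM sender-domain check.

    250: the domain has an MX or A record.  550: both lookups gave a
    definite negative answer, so the domain demonstrably does not exist.
    451: DNS could not answer right now, so tell the sender to retry
    instead of bouncing their mail because of a resolver outage.
    """
    try:
        domain = sender_domain(envelope_from)
    except ValueError:
        return 501, "5.1.7 Bad sender address syntax"
    if domain is None:
        return 250, "2.1.0 Ok"
    for rrtype in ("MX", "A"):
        try:
            if resolve(domain, rrtype):
                return 250, "2.1.0 Ok"
        except NotFound:
            continue  # definite "no such record": try the next type
        except TempFailure:
            return 451, "4.4.3 Sender domain lookup failed, try again later"
    return 550, "5.1.8 Sender domain does not exist"


def dnsbl_query_name(ip, zone):
    """Name a DNSBL client looks up: 1.2.3.4 in zone z becomes 4.3.2.1.z."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone.rstrip(".") + "."


def dnsbl_listed(ip, zone, resolve):
    """True if the zone lists ip (it answers with a 127.0.0.0/8 address),
    False if it does not, None if DNS gave no answer, so the caller can
    treat the result as 'unknown' rather than as a listing or a clean bill."""
    try:
        answers = resolve(dnsbl_query_name(ip, zone), "A")
    except NotFound:
        return False
    except TempFailure:
        return None
    listed = ipaddress.IPv4Network("127.0.0.0/8")
    return any(ipaddress.IPv4Address(a) in listed for a in answers)


# Constructed stand-in for DNS.  Every entry is made up for the demo except
# the china.blackholes.us one, which is the address the thread shows listed.
FAKE_DNS = {
    ("example.com", "MX"): ["10 mail.example.com."],
    ("example.net", "A"): ["192.0.2.25"],  # A record only, no MX
    ("1.13.181.220.china.blackholes.us", "A"): ["127.0.0.2"],
}
FLAKY_ZONES = ("flaky.example",)  # stands in for the DNS outage in the post


def fake_resolve(name, rrtype):
    """Assumed resolver interface: list of record strings, NotFound for a
    negative answer, TempFailure when the servers cannot be reached."""
    name = name.lower().rstrip(".")
    if any(name == z or name.endswith("." + z) for z in FLAKY_ZONES):
        raise TempFailure(name)
    try:
        return FAKE_DNS[(name, rrtype)]
    except KeyError:
        raise NotFound((name, rrtype)) from None


if __name__ == "__main__":
    for sender in ("<a@example.com>", "<>", "<b@nosuch.example>", "<c@flaky.example>"):
        print("%-20s -> %d %s" % (sender, *check_sender_domain(sender, fake_resolve)))
    for ip in ("220.181.13.1", "192.0.2.1"):
        print(ip, "listed in china.blackholes.us:",
              dnsbl_listed(ip, "china.blackholes.us", fake_resolve))
```

Swap `fake_resolve` for a real resolver that maps NXDOMAIN/NODATA to `NotFound` and timeouts/SERVFAIL to `TempFailure`, and the two decision functions stay the same.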
Re: source SENDER authentication ? (as opposed to SPF HOST authentication)
On Thu, 31 Aug 2006, Benny Pedersen wrote:
> On Wed, August 30, 2006 19:37, Michel Vaillancourt wrote:
>> to carve it... you actually open an SMTP conversation with ... trap that 5xx return, and you know it's a bogus sender. The plug-in adds 2 points to the score. Get a 250 Ok back, and you are likely safe... score 0.
>
> sendmail -bv [EMAIL PROTECTED]

For a local recipient it may be worth something, but for a remote address all it tells you is that your mail system knows how to find the remote host. EG:

% /usr/sbin/sendmail -bv [EMAIL PROTECTED]
[EMAIL PROTECTED] deliverable: mailer relay, host mail-msa.icaen.uiowa.edu, user [EMAIL PROTECTED]

--
Dave Funk    University of Iowa    dbfunk (at) engineering.uiowa.edu
RE: source SENDER authentication ? (as opposed to SPF HOST authentication)
On Wed, 30 Aug 2006, SM wrote:
> At 10:55 30-08-2006, Michael Grey wrote:
>> I like Michel Vaillancourt's idea - if it has to be done.
>
> There are milters and MTAs that can do that. It's not a good idea as it can cause a denial of service.

Also you risk getting blacklisted. When you run one of those critters your site looks like a hacker doing dictionary attacks, IE lots of probes with bogus names and fewer actual valid mail transfers.

--
Dave Funk    University of Iowa    dbfunk (at) engineering.uiowa.edu
Re: File mode set incorrectly
I know I don't need to set 0777 on them, and 0666 is fine for me. But for the auto_whitelist, I can't set it to 0666; it only turns into 0640.

Magnus Holmgren wrote:
> On Thursday 31 August 2006 14:30, Albert Poon took the opportunity to say:
>> If so what's the point of these options?
>
> You might want to set group or others permissions differently depending on how you run SpamAssassin (per-user or global) and whether users have their own primary group or belong to a common group. There are many reasons, but there is no point in setting the executable bit of data files.
>
>> Do you mean it's the design of the ports collection or SA itself?
>
> It has nothing to do with Ports; you can read about the options in the SA man pages (Mail::SpamAssassin::Conf(3pm) and Mail::SpamAssassin::Plugin::AWL(3pm)).
>
> -- 
> Magnus Holmgren [EMAIL PROTECTED] (No Cc of list mail needed, thanks)
Re: File mode set incorrectly
On Thu, Aug 31, 2006 at 12:32:37PM -0700, Albert Poon wrote:
> I know I don't need to set 0777 on them, and 0666 is fine for me. But for the auto_whitelist, I can't set it to 0666; it only turns into 0640.

What version are you running? There were some issues with AWL perms until it was fixed in 3.1.4.

-- 
Randomly Generated Tagline: A low yield atomic bomb is like being a bit pregnant.
Re: Very big auto-whitelist file
Roger Taranto wrote:
> There's an additional tool to run after you run check_whitelist. It's called trim_whitelist, and it compacts the db file. I can't remember where I found it, but you should be able to google for it. It should reduce the size of your db file quite a bit.

That would be the ancient creaky tool I wrote ~2 years ago. <g> Make sure to read the notes and caveats regarding DB_File/AnyDBM_File. Google seems to have lost, or *very* heavily downrated, the direct link to the space I posted it (and a few other tools) to, so: http://www.deepnet.cx/~kdeugau/spamtools/

And I wrote it because of this exact problem of AWL files growing indefinitely... although I got worried around 5M instead of 1.2G. ;)

-kgd
RE: Very big auto-whitelist file
Thanks Logan, it was a good idea to check the du -k:

696046 auto-whitelist

Looks like the file is half used in fact... Regarding the volume, I have about 4 messages a day including spam, and if I remember well, I think this file has never been cleared...

Stephane

-----Original Message-----
From: Logan Shaw [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 August 2006 19:09
To: users@spamassassin.apache.org
Subject: Re: Very big auto-whitelist file

On Thu, 31 Aug 2006, Stéphane LEPREVOST wrote:
> A little question about AWL: I have an auto_whitelist which looks VERY HUGE to me:
>
> -rw---1 root root 1241124864 Aug 31 17:51 auto-whitelist
>
> Do you think a 1.2 Gb AWL file is NORMAL?

You might try typing du -k auto-whitelist. It could be a sparse file, and the amount of disk it's actually using isn't as large as what you think. It does seem a little large, but it's hard to tell. Mine is this size:

-rw--- 1 root root 5234688 2006-08-31 12:04 auto-whitelist

but then, I have a fairly low-volume site (less than 1000 messages a day, including spam) with not all that many users.

- Logan
spamd and SQL
Hi list,

Recently I faced a problem with my network where my e-mail servers couldn't contact my MySQL server. Because of that communication error, the incoming messages passed through without being scanned by spamd. Reading the sql/README I found the following information:

  While scanning a message if spamd is unable to connect to the server specified in user_scores_dsn or an error occurs when querying the SQL server then spam checking will not be performed on that message.

That's a big problem because too much spam can enter my network while my MySQL server is down. Is there a way to change the spamd behavior to send a fatal error to spamc, to cause spamc and the mail server to queue the message while the SQL server is down?

SPECS: SA version: 3.0.4 with RH 4 ES

Thank you,
Fábio Gomes
RE: Very big auto-whitelist file
Thanks Kris for this useful tool, I'll try it tomorrow (and thanks to Roger too who noticed the existence of your tool). As you noticed, I get worried very very very late... But in fact I wasn't in charge of spamassassin when we first saw this growth, that's why I'm back on the problem only now... I guess I'll pay more attention to this now ;D

Stephane

-----Original Message-----
From: Kris Deugau [mailto:[EMAIL PROTECTED]
Sent: Thursday, 31 August 2006 21:58
To: users@spamassassin.apache.org
Subject: Re: Very big auto-whitelist file

Roger Taranto wrote:
> There's an additional tool to run after you run check_whitelist. It's called trim_whitelist, and it compacts the db file. I can't remember where I found it, but you should be able to google for it. It should reduce the size of your db file quite a bit.

That would be the ancient creaky tool I wrote ~2 years ago. <g> Make sure to read the notes and caveats regarding DB_File/AnyDBM_File. Google seems to have lost, or *very* heavily downrated, the direct link to the space I posted it (and a few other tools) to, so: http://www.deepnet.cx/~kdeugau/spamtools/

And I wrote it because of this exact problem of AWL files growing indefinitely... although I got worried around 5M instead of 1.2G. ;)

-kgd
Re: Please sanity check these ideas for rules.
> I've got every ruleset blacklist available and I'm still getting buried - the bayes poison in all of the recent spam has wrecked that. Does anyone see a reason why I can't assume messages with blank subjects are junk? Also, I've got an idea about maybe doing an nslookup on the envelope sender domain and junking anything without an entry. I'm probably missing something that I should consider, especially on that last one. Would anyone care to educate me what I'm missing? Thanks! Mike-

Hi,

in fact your MTA could already reject (with some 5xx error) all mails that you would not be able to reply to:

- envelope sender domain does not exist (neither MX nor A)
- MX has a private ip
  (these should be standard features of your MTA)
- From domain does not exist

SA would only see mails that pass these tests

Wolfgang Hamann

-- 
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
Re: Please sanity check these ideas for rules.
On 31 Aug 2006 20:39:47 -, you wrote:
> On Thu, 31 Aug 2006, Michael W Cocke wrote:
>> I've got every ruleset blacklist available and I'm still getting buried - the bayes poison in all of the recent spam has wrecked that. Does anyone see a reason why I can't assume messages with blank subjects are junk?
>
> maybe add a point for missing subject, but some automatically generated messages (print queue failure, etc) have blank subjects, and lots of newbies forget to add a subject.

That's exactly why I asked here - I didn't think of error messages. Thanks!

>> Also, I've got an idea about maybe doing an nslookup on the envelope sender domain and junking anything without an entry.
>
> Um, why aren't you already doing this at the SMTP-MTA level? Checking for a valid sender domain has been SOP for years.

I am, but not quite the way I'm thinking of doing it now.

> One caveat, do a temp-fail (451) not a hard-fail for domain lookup failure, occasionally DNS servers do get constipated. ;) I made that mistake once, several years ago, M$ had all their primary DNS servers on -one- subnet, had a router failure and they all went MIA. My MTAs started bouncing all hotmail. ;()

LOL - can't say I'd miss hotmail, but I take your point. Thanks everyone.

Mike-
-- 
If you're not confused, you're not trying hard enough.
--
Please note - Due to the intense volume of spam, we have installed site-wide spam filters at catherders.com. If email from you bounces, try non-HTML, non-encoded, non-attachments,
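The sender-domain check that David and Wolfgang describe in this thread (reject when the envelope-sender domain has neither MX nor A, or its MX lives on a private IP; answer 451 rather than bouncing when the lookup itself fails), written out as an added Python example that is not from the thread or from any MTA. The Resolver interface, the Verdict type and the in-memory zone are assumptions constructed for it; NXDOMAIN is treated as a definitive answer and only timeouts/SERVFAIL earn the temp-fail.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List


class NxDomain(Exception):
    """Authoritative NXDOMAIN: the name definitely does not exist."""


class DnsTimeout(Exception):
    """Timeout / SERVFAIL: the resolver could not answer; proves nothing."""


# Assumed interface: resolve(name, rrtype) -> rdata strings, or raise one of the above.
Resolver = Callable[[str, str], List[str]]


@dataclass
class Verdict:
    code: int     # SMTP reply code to hand back to the connecting client
    reason: str


def _mx_target_is_routable(host: str, resolve: Resolver) -> bool:
    """True if the MX host has at least one public address (private/loopback don't count)."""
    try:
        addrs = resolve(host, "A")
    except NxDomain:
        return False
    return any(not ipaddress.ip_address(a).is_private for a in addrs)


def check_sender_domain(domain: str, resolve: Resolver) -> Verdict:
    """Classify an envelope-sender domain: 250 accept, 550 reject, 451 retry later."""
    domain = domain.rstrip(".").lower()
    try:
        mx_rrs = resolve(domain, "MX")
        if mx_rrs:
            targets = [rr.split()[-1] for rr in mx_rrs]   # "10 mail.example.com" -> host
            if any(_mx_target_is_routable(t, resolve) for t in targets):
                return Verdict(250, "sender domain has a routable MX")
            return Verdict(550, "MX points only at private/unroutable addresses")
        # No MX at all: fall back to the domain's own A record (implicit-MX rule).
        if resolve(domain, "A"):
            return Verdict(250, "sender domain has an A record")
        return Verdict(550, "sender domain has neither MX nor A record")
    except NxDomain:
        return Verdict(550, "sender domain does not exist")
    except DnsTimeout:
        # The caveat from the thread: an unanswered lookup is a 4xx, never a bounce.
        return Verdict(451, "sender domain lookup failed temporarily, try again later")


# Constructed in-memory zone standing in for real DNS so this runs offline. The public
# addresses are made up; RFC 5737 documentation ranges are avoided because Python's
# ipaddress module reports them as private.
FAKE_ZONE = {
    ("example.com", "MX"): ["10 mail.example.com"],
    ("mail.example.com", "A"): ["5.6.7.8"],
    ("a-only.example", "MX"): [],
    ("a-only.example", "A"): ["5.6.7.9"],
    ("inside.example", "MX"): ["10 mx.inside.example"],
    ("mx.inside.example", "A"): ["192.168.1.10"],
    ("empty.example", "MX"): [],
    ("empty.example", "A"): [],
}


def fake_resolve(name: str, rrtype: str) -> List[str]:
    """Toy resolver: names under flaky.example time out, unknown names are NXDOMAIN."""
    if name.endswith("flaky.example"):
        raise DnsTimeout(name)
    if not any(zone_name == name for zone_name, _ in FAKE_ZONE):
        raise NxDomain(name)
    return FAKE_ZONE.get((name, rrtype), [])
```

Wiring this to a real resolver means mapping its "no such name" error to NxDomain and every timeout or SERVFAIL to DnsTimeout; getting that mapping wrong reproduces the hotmail bounce story above.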
Re: Very big auto-whitelist file
Stéphane LEPREVOST wrote:
> As you noticed, I get worried very very very late... But in fact I wasn't in charge of spamassassin when we first saw this growth, that's why I'm back on the problem only now... I guess I'll pay more attention to this now ;D

<g> It became a problem for me with a 10G hard drive in the server supporting ~250-300 accounts with 20M not-the-INBOX quotas. My *personal* server, where I've long had much more disk, far fewer accounts, and no quotas, has been less of a concern - but even there the AWL file has sort of levelled off at ~10M (still on SA2.64).

-kgd
Re: Please sanity check these ideas for rules.
On Thu, 31 Aug 2006, David B Funk wrote:
> My MTAs started bouncing all hotmail. ;()

This is a bad thing? :)

-- 
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It may be possible to start a programme of weapon registration as a first step towards the physical collection phase. ... Assurances must be provided, and met, that the process of registration will not lead to immediate weapons seizures by security forces. -- the UN, who doesn't want to confiscate guns
---
19 days until Talk Like a Pirate day
Spammed by Non-delivery-report? (someone is using my email to spam)
Hi Gurus,

I am having so much trouble at present: some people are using my email address to send their spam messages, and in return I get hundreds and hundreds of non-delivery emails plus other misc replies such as out of office. How would I be able to use spamassassin to help me with this? Would sa-learn be the most efficient way? I can think of using procmail to filter them into a separate mailbox, but the mail headers are all very random.

Your help would be much appreciated.

Cheers
Christian
Re: Spammed by Non-delivery-report? (someone is using my email to spam)
On Fri, 1 Sep 2006, Christian Purnomo wrote:
> I am having so much trouble at present: some people are using my email address to send their spam messages, and in return I get hundreds and hundreds of non-delivery emails plus other misc replies such as out of office.

The first thing you should consider, if you have control over the DNS for cpurn.net, is to publish an SPF record for your domain. It will cut down on the size of the problem somewhat. See http://www.openspf.org/

-- 
John Hardin KA7OHZ ICQ#15735746 http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
It may be possible to start a programme of weapon registration as a first step towards the physical collection phase. ... Assurances must be provided, and met, that the process of registration will not lead to immediate weapons seizures by security forces. -- the UN, who doesn't want to confiscate guns
---
19 days until Talk Like a Pirate day
Re: Spammed by Non-delivery-report? (someone is using my email to spam)
On 31-Aug-06, at 7:18 PM, Christian Purnomo wrote:
> Hi Gurus,
>
> I am having so much trouble at present: some people are using my email address to send their spam messages, and in return I get hundreds and hundreds of non-delivery emails plus other misc replies such as out of office. How would I be able to use spamassassin to help me with this? Would sa-learn be the most efficient way? I can think of using procmail to filter them into a separate mailbox, but the mail headers are all very random.
>
> Your help would be much appreciated.

Sorry, correction to URL. http://www.openspf.org

-- 
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740
Re: Spammed by Non-delivery-report? (someone is using my email to spam)
John D. Hardin wrote:
> On Fri, 1 Sep 2006, Christian Purnomo wrote:
>> I am having so much trouble at present: some people are using my email address to send their spam messages, and in return I get hundreds and hundreds of non-delivery emails plus other misc replies such as out of office.
>
> The first thing you should consider, if you have control over the DNS for cpurn.net, is to publish an SPF record for your domain. It will cut down on the size of the problem somewhat. See http://www.openspf.org/

If by somewhat you mean by one or two emails a day, you are correct. The admins running accept and bounce later servers are clueless and have probably never even heard of SPF. I'll just let you know that I know this for a fact because my personal domain was used about 6 months ago by some spammer and I was getting millions of bounce backs a day (at the peak there were 500K an hour). I finally had to just shut the domain down for 2 months or so until it abated. It had SPF records from day one, with a hard fail.

Good luck Christian, if you want some regexes to use to reject mail bounces I have a whack of them for use with qmail/simscan but they should be easily adaptable to other setups.

Regards,
Rick
The grey hats are at it in force
This is even better than the last one: http://194-144-135-77.du.xdsl.is/~ingi/.change/index.php?MfcISAPICommand=ChangeFPP

-- 
Chris
19:05:21 up 14 days, 1:48, 1 user, load average: 0.18, 0.28, 0.35
Re: The grey hats are at it in force
On 31-Aug-06, at 8:08 PM, Chris wrote:
> This is even better than the last one: http://194-144-135-77.du.xdsl.is/~ingi/.change/index.php? MfcISAPICommand=ChangeFPP

Who are these masked avengers? ;-)

-- 
Gino Cerullo
Pixel Point Studios
21 Chesham Drive
Toronto, ON M3M 1W6
416-247-7740
SpamAssassin Coach - Outlook/Thunderbird Plugin
Hi everyone,

I've been working with SpamAssassin for the course of Google's Summer of Code to create 'SpamAssassin Coach' - an add-in available for Mozilla Thunderbird and Microsoft Outlook. The purpose of the add-in is to allow users to report spam and ham to SpamAssassin right from their inbox. Both add-ins are now functional, so I am asking for testers to provide feedback, bug reports and the like.

If you would like to test an add-in, you can download SpamAssassin Coach from my SourceForge.net page at http://sourceforge.net/projects/soc2006spamd/. Feel free to add bug reports, feature requests or email me directly at willduff *AT* gmail.com. I hope that SpamAssassin Coach can grow to be an important tool for SpamAssassin users. Thanks for any help!

For more information about SpamAssassin Coach, please refer to the following links:
SourceForge.net Project: http://sourceforge.net/projects/soc2006spamd/
Google Summer of Code Application Info: http://code.google.com/soc/asf/appinfo.html?csaid=DF01D8A7A5E102D7

Thanks again,
Will Duff
Re: Hacked E-Trade Phishing Site
On Wed, 30 Aug 2006, jdow wrote:
> From: Evan Platt [EMAIL PROTECTED]
>> At 04:02 PM 8/30/2006, you wrote:
>>> Check at the top of this E-trade Phishing site: http://196.1.161.115/e/t/user/login/
>>
>> I get it but I don't get it. I could understand if it was an image, but that's TEXT. Clueless phisher?
>> 18:00:23 up 13 days, 43 min, 1 user, load average: 0.39, 0.34, 0.30
>
> Must not be running a Windoze box eh? You did not read the very top line. {^_^}

- did a wget and read the html. There is an interesting h1 line. And it appears most people will miss it.

revisited it, the black-hat mostly fixed the grey-hat's damage. ;{

-- 
Dave Funk, University of Iowa College of Engineering
dbfunk (at) engineering.uiowa.edu, 319/335-5751, FAX: 319/384-0549
1256 Seamans Center, Iowa City, IA 52242-1527
Sys_admin/Postmaster/cell_admin
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
Re: The grey hats are at it in force
On Thu, Aug 31, 2006 at 08:20:58PM -0400, Gino Cerullo wrote:
> On 31-Aug-06, at 8:08 PM, Chris wrote:
>> This is even better than the last one: http://194-144-135-77.du.xdsl.is/~ingi/.change/index.php? MfcISAPICommand=ChangeFPP
>
> Who are these masked avengers? ;-)
>
> -- 
> Gino Cerullo
> Pixel Point Studios
> 21 Chesham Drive
> Toronto, ON M3M 1W6
> 416-247-7740

I have, from time to time, alerted a network admin of a phishing page on a machine on his network. He may well have handled it directly. I would have.

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Blessed is the nation whose God is the LORD. - Psalm 33:12
Righteousness exalts a nation. - Proverbs 14:34
Re: Hacked E-Trade Phishing Site
On Thursday 31 August 2006 7:54 pm, David B Funk wrote:
> On Wed, 30 Aug 2006, jdow wrote:
>> From: Evan Platt [EMAIL PROTECTED]
>>> At 04:02 PM 8/30/2006, you wrote:
>>>> Check at the top of this E-trade Phishing site: http://196.1.161.115/e/t/user/login/
>>>
>>> I get it but I don't get it. I could understand if it was an image, but that's TEXT. Clueless phisher?
>>> 18:00:23 up 13 days, 43 min, 1 user, load average: 0.39, 0.34, 0.30
>>
>> Must not be running a Windoze box eh? You did not read the very top line. {^_^}
>
> - did a wget and read the html. There is an interesting h1 line. And it appears most people will miss it.
>
> revisited it, the black-hat mostly fixed the grey-hat's damage. ;

Maybe they'll start a black-hat/grey-hat war :)

-- 
Chris
20:27:15 up 14 days, 3:10, 1 user, load average: 0.02, 0.17, 0.29
Re: SpamAssassin Coach - Outlook/Thunderbird Plugin
Will Duff wrote:
> Hi everyone,
>
> I've been working with SpamAssassin for the course of Google's Summer of Code to create 'SpamAssassin Coach' - an add-in available for Mozilla Thunderbird and Microsoft Outlook. The purpose of the add-in is to allow users to report spam and ham to SpamAssassin right from their inbox. Both add-ins are now functional, so I am asking for testers to provide feedback, bug reports and the like.
>
> If you would like to test an add-in, you can download SpamAssassin Coach from my SourceForge.net page at http://sourceforge.net/projects/soc2006spamd/. Feel free to add bug reports, feature requests or email me directly at willduff *AT* gmail.com. I hope that SpamAssassin Coach can grow to be an important tool for SpamAssassin users. Thanks for any help!

Very nice, I really like the idea but I have two problems...

1) I can't find a readme or notes file
2) You should mention somewhere that the -l switch is needed to spamd (it's not mentioned in the Mail::SpamAssassin or Mail::SpamAssassin::Conf or the Wiki).

I'll test it out over the next few days.

Regards,
Rick
RE: SpamAssassin Coach - Outlook/Thunderbird Plugin
-----Original Message-----
From: Will Duff [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 31, 2006 8:10 PM
To: users@spamassassin.apache.org
Subject: SpamAssassin Coach - Outlook/Thunderbird Plugin

> Hi everyone,
>
> I've been working with SpamAssassin for the course of Google's Summer of Code to create 'SpamAssassin Coach' - an add-in available for Mozilla Thunderbird and Microsoft Outlook. The purpose of the add-in is to allow users to report spam and ham to SpamAssassin right from their inbox. Both add-ins are now functional, so I am asking for testers to provide feedback, bug reports and the like.
>
> If you would like to test an add-in, you can download SpamAssassin Coach from my SourceForge.net page at http://sourceforge.net/projects/soc2006spamd/. Feel free to add bug reports, feature requests or email me directly at willduff *AT* gmail.com.

Interesting concept, and looks good as an alternative to the 'imap way'. (especially with sites that are running imap's without 'public folder' capabilities or only pop3)

Since this is google/summer of code stuff, it's licensed under BSD2.0, right? If someone wanted to add on to code, say to add 'whitelist sender', 'blacklist sender', and 'report spam', the sources will be published, right?

One immediate concern I have is that the 'username' is spoofable, hackable, forgeable, and that is just on the TRUSTED internal side! Maybe a 'sa-coachd' that forces a check for a username/password, gee I guess it could be complicated.

I think the 'report spam' option is supported by spamd, or does this version just affect the local Bayesian?

As an example, the whitelist/blacklist sender would be implemented in the

  --add-addr-to-whitelist=addr       Add addr to persistent address whitelist
  --add-addr-to-blacklist=addr       Add addr to persistent address blacklist
  --remove-addr-from-whitelist=addr  Remove addr from persistent address list

options, right?

Or for some of us who use amavisd-new, maybe options for that? (we don't run spamd)
RE: SpamAssassin Coach - Outlook/Thunderbird Plugin
XP sp2, outlook 2002, sp2. Upon leaving outlook, get ok disconnection popup.