Re: Tom Van Overbeke is out of the office.
On Mon, 2 Oct 2006 01:16:00 +0200 [EMAIL PROTECTED] wrote:
>On Mon, October 2, 2006 00:10, [EMAIL PROTECTED] wrote:
>> I will be out of the office starting 29/09/2006 and will not return until
>> 08/10/2006.
>
>this is useful to know on maillists :-)
>...

Better than his last vacation where the junk went to each poster instead of the list:

...
Subject: Tom Van Overbeke is out of the office.
From: [EMAIL PROTECTED]
To: List Mail User <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 11 Apr 2006 08:28:09 +0200
...
I will be out of the office starting 06/04/2006 and will not return until 18/04/2006. I will respond to your message when I return. For urgent support issues, you can either send a mail to [EMAIL PROTECTED], or contact the central dispatch at (++32)/2 333 4000 Thank you.

Paul Shupak
[EMAIL PROTECTED]
Re: really slow spamd scan
On 10/2/06, Olivier Nicole <[EMAIL PROTECTED]> wrote:
> > Are you using spamc/spamd or plain spamassassin?
> it is spamc/spamd..
OK, so it should be fast enough.
> > And I think there is a way to tell spamassassin to report what tests
> > actually take some time to execute, so you can see where you are
> > losing time.
> How can I do that?
Read the manual :) I think I remember I once read something about it, but honestly I have no answer.
Best regards, Olivier

Thanks, Oliver.
SpamAssassin and bounced e-mails...
This may be more of a subject for sendmail or a sendmail milter, but I'll give it a shot here.

I have been receiving bounced spam that goes to user accounts that have never existed on my mail server (i.e. admin, sales, info, accounts, etc). Upon examining the header when I finally get the mailer daemon postmaster message they obviously get a high SpamAssassin score and a YES for the X-Spam-Status. I want to take anything that scores as spam by SpamAssassin to my domain(s) and quarantine it and not bounce it back as an unknown mailbox with a 550 error. It's eventually going to come back to me anyway. If SpamAssassin tags it as spam, it's an unknown box, chances are it is spam trying to get to the postmaster account.

What I'm doing thus far is just running the bounced e-mail messages through procmail and having their entries added to relaydb (i.e. FreeBSD port of OpenBSD's relaydb). I want to skip the bounce step, wait for the bounced spam to come back and quarantine the messages so they can be added to relaydb if the message has an X-Spam-Flag of YES.

I am going to migrate to amavisd as I have time to research. From what I understand amavisd can do both in and out bound e-mail filtering. I use another machine with fetchmail and procmail to pull folders with confirmed spam down to add entries to relaydb. I then upload the updated relaydb file to the mail server and run spamd-setup on it.

--
View this message in context: http://www.nabble.com/SpamAssassin-and-bounced-e-mails...-tf2367804.html#a6596131
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Antidrug.cf - new home, and I'm changing email addresses..
Antidrug.cf now has a new home: http://mysite.verizon.net/mkettler_sa/antidrug.cf For now the old comcast site still works, and I've updated the file there to make note of where the file is now located. I've also added a note to the file warning that it is only for users of SA 2.6x or older. And finally, I'll be changing my email address to [EMAIL PROTECTED], effective almost immediately. (I'll still have access to the comcast one for now, but it is my intent to no longer make use of it, and discontinue it after a few weeks.)
Re: Tom Van Overbeke is out of the office.
On Mon, October 2, 2006 00:10, [EMAIL PROTECTED] wrote:
> I will be out of the office starting 29/09/2006 and will not return until
> 08/10/2006.

this is useful to know on maillists :-)

--
"This message was sent using 100% recycled spam mails."
Re: spamassassin on an open relay
On Sunday 01 October 2006 06:39, Mike Kenny wrote:
> Success in the sense that
> spam is no longer entering our system. However it is still being
> passed through.

Well stop being an open relay and problem solved. I would have thought THAT would have been priority ONE!

--
_ John Andersen
Re: spamassassin on an open relay
At 02:53 PM Sunday, 10/1/2006, Benny Pedersen wrote -=>
On Sun, October 1, 2006 16:39, Mike Kenny wrote:
> We can police this to some extent by identifying the users who are
> originating the spam and adding them to a blacklist.
in my 15 years with postfix this is still something i dream on :-)

Which is why I love the access.db and sendmail.

Ed
. . . . . . . . . . . . . . . . . .
Randomly Generated Quote (555 of 1090): I doubt, therefore I might be.
Tom Van Overbeke is out of the office.
I will be out of the office starting 29/09/2006 and will not return until 08/10/2006. I will respond to your message when I return. For urgent support issues, you can either send a mail to [EMAIL PROTECTED], or contact us by phone at (++32)/2 333 4000 Thank you.
Re: spamassassin on an open relay
On Sun, October 1, 2006 16:39, Mike Kenny wrote:
> My first question is how do I configure postfix to send all outgoing
> mail through amavis?

http://www.postfix.org/docs.html
more links ?, google for postfix amavisd-new howto

> We can police this to some extent by identifying the users who are
> originating the spam and adding them to a blacklist.

in my 15 years with postfix this is still something i dream on :-)

> But our problem is confounded by the large number of 3G and GPRS users
> that we support.

then you are imho not a beginner :)

> Many of these simply use our smtp server as an 'open relay' to
> broadcast mail.

setup smtp auth in postfix
not needed if the users use vpn to your mailservers network

> Our server is not really 'open' in that only user with
> 3G/GPRS accounts can access it, but it is extremely difficult to
> identify the source of the connection in real time.

this is why smtpd auth is needed, if you setup pop-before-smtpd be aware that you open relay for 256 ips at once !, so avoid it. the connecting ip to you could be nat router, this is why pop-before-smtp is not good

> What I really want
> to do is perform spam filtering on all mail that passes through our
> relay, this will allow us to keep life simple for users (no
> authentication beyond having a valid 3G/GPRS account)

so send all mail to amavisd-new and have it learn both ham and spam

> and yet prevent us from polluting the internet with spam.

there is always a risk, but with postfix 2.3.x its more simple to trace the users, if its from your network

> I am sure that it is
> possible to configure postfix to do this and that it is just my lack
> of experience in this field that is preventing me from seeing this
> solution.

if you get stuck with postfix, post a postconf -n somewhere :-)

> Any pointers/tips/etc. gratefully considered.

could be, lets take it from there

--
"This message was sent using 100% recycled spam mails."
Re: Q. about spam directed towards highest MX Record?
On Fri, September 29, 2006 19:34, Jon Trulson wrote:
> Hehe, that is an old spammer trick... Our secondary MX is
> pretty much 100% spam.

plan:
3 mta, 2 as mx backup open to all, 1 mta only open to YOUR own mx backups (firewalled)
make 2 backup mx as dns round robin with one mx record, and the last with one mx to the mailserver

now spammers can play, hehe :-)

--
"This message was sent using 100% recycled spam mails."
RE: spamassassin on an open relay
-Original Message-
> From: Mike Kenny [mailto:[EMAIL PROTECTED]
> Sent: Sunday, October 01, 2006 10:40 AM
> To: users@spamassassin.apache.org
> Subject: spamassassin on an open relay
>
>
> Hi,
>
> I am fairly new to the email environment (at least to the
> administration of it). I have recently inherited an email
> system that has developed a somewhat unfavourable reputation
> with some of the anti-spam sites. I have been trying to
> address this through the use of spamassassin and amavis with
> some success. Success in the sense that spam is no longer
> entering our system. However it is still being passed through.

> But our problem is confounded by the large number of 3G and
> GPRS users that we support. Many of these simply use our smtp
> server as an 'open relay' to broadcast mail. Our server is
> not really 'open' in that only user with 3G/GPRS accounts can
> access it, but it is extremely difficult to identify the
> source of the connection in real time. What I really want to

Spamassassin is not designed to block unauthorized use of your resources. By you running an open server, you have attracted spammers. These spammers have abused your system, and your legitimate users are suffering. But don't worry, sooner or later the legitimate users will go away, and you won't need a mail server.

Close your relay. Only allow authorized users to relay. It's up to you to decide what method works for you, pop b4 auth, sasl, etc. That's it.

THEN you can start to decide when, how and where you want to pass through spamassassin.

(spamassassin is not the right forum to help you close your relay. Ask in the postfix forum)
September Origination Summary
The usual caveat: I have no idea how representative our data is. Most notable trends (IMO):

1. A considerable reduction in spam from Poland. While still much higher than it was six months ago, it looks like the miscreants had their run which resulted in increased filtering and many have moved along to other areas.

2. It looks like they have moved back to the USA, which is now originating close to 30% of the spam that we see. That's an increase from 18% in August. I attribute this to a proliferation of new bots and exploits. WHEN will Verizon, Comcast, RoadKill and Charter block 25 out? WHEN?

3. The South Korean share is almost doubled from August and back where it was in July. The PRC share has reduced a tad.

4. Proportionate to spam origination, Brazil has a commanding lead in removal requests. Someone named "Fabio" seems to be the administrator of every server in Brazil. He has an odd attraction to the submission button on the removal form resulting in multiple submissions on almost every request. We recently prevented this in the script code but he's still trying.

--
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
Re: sa-learn and "Caught" spams
--As of September 28, 2006 11:05:35 AM -0700, Kelson is alleged to have said:

Daniel Staal wrote:

Depends on the setup. For instance, given the explanations above, I'll start a system to automatically learn from my 'checkspam' folder, but not my 'highspam' folder. I have procmail automatically sort my spam by score, so I can pay extra attention to low-scoring spam. (Which is more likely to be ham which was misplaced than the high-scoring spam.) So, since I *already* have them separated out, I can avoid the double-check. ;)

But the final score alone doesn't determine whether something gets autolearned. As Matt pointed out, there are a number of different factors, including the mix of head/body tests and the current Bayes score -- and it acts on what the score would have been if Bayes had been disabled. So unless you've filtered on the "autolearn=(ham|spam|no)" tag in the X-Spam-Status header, you could be missing some high-scoring spam that hasn't already been learned.

You could probably filter your training folder to remove any messages where X-Spam-Status contains "autolearn=spam" (assuming, of course, that your server takes full control of that header). That should be relatively fast and cut down on the resources used to identify duplicates.

--As for the rest, it is mine.

Just as an update, since I'm seeing something interesting...

As an experiment, I set procmail to copy all the 'highspam' that I get that *doesn't* get autolearned to a separate folder, and have been attempting to train on that folder daily. I say 'attempting' because despite these *only* being the emails that had 'autolearn=no' and were definitely spam, in three days sa-learn has yet to see any useful tokens in one of these messages. Generally, upon examination, these messages already are receiving bayes scores of 99% or better, so it appears that the tokens found are already fully scored. (Though not all of them have had such high bayes scores.)

I'll be keeping it up for a while; three days isn't much of a test, after all. But at this point it appears extra training on messages with scores over 10 (my high-spam cut-off) doesn't actually do anything. All relevant tokens are already learned, at least in a fully-trained and well-tuned system. Spam emails scored less than 10 do have a number of messages each day that have useful tokens, on my system. Which is to be expected, after all.

Just thought this might be of interest.

Daniel T. Staal

---
This email copyright the author. Unless otherwise noted, you are expressly allowed to retransmit, quote, or otherwise use the contents for non-commercial purposes. This copyright will expire 5 years after the author's death, or in 30 years, whichever is longer, unless such a period is in excess of local copyright law.
---
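The filtering discussed in the message above (drop what already carries autolearn=spam, split the rest at a score cut-off) can be sketched as follows. This is an added example, not code from the thread: the `bucket` and `mail` helpers, the bucket names and the sample messages are constructed here, and the 10-point cut-off is the one Daniel mentions.

```python
import email
import re
from email import policy

# "Yes, score=14.1 ..." is the SpamAssassin 3.x form; 2.x wrote "hits=".
VERDICT = re.compile(r"^(yes|no),\s*(?:score|hits)=(-?\d+(?:\.\d+)?)", re.I)
AUTOLEARN = re.compile(r"\bautolearn=(\w+)", re.I)

def bucket(raw, high_cutoff=10.0):
    """Sort one message into a training bucket from its X-Spam-Status."""
    msg = email.message_from_string(raw, policy=policy.default)
    statuses = msg.get_all("X-Spam-Status") or []
    # Zero or several headers means the local filter did not take full
    # control of the header, so its content cannot be relied on.
    if len(statuses) != 1:
        return "untrusted"
    value = " ".join(str(statuses[0]).split())  # unfold continuation lines
    verdict = VERDICT.match(value)
    if not verdict:
        return "untrusted"
    if verdict.group(1).lower() != "yes":
        return "not-spam"
    learned = AUTOLEARN.search(value)
    if learned and learned.group(1).lower() == "spam":
        return "already-learned"  # tokens are in Bayes; retraining is a no-op
    score = float(verdict.group(2))
    return "train-high" if score > high_cutoff else "train-low"

def mail(*status_headers):
    """Build a constructed test message carrying the given status headers."""
    head = "".join(f"X-Spam-Status: {s}\n" for s in status_headers)
    return f"From: a@example.com\nSubject: constructed sample\n{head}\nbody\n"

TAIL = "required=5.0 autolearn=%s version=3.1.5"
# Constructed samples, not taken from the thread.
SAMPLES = {
    "learned": mail("Yes, score=18.4 " + TAIL % "spam"),
    "folded": mail("Yes, score=14.1 required=5.0\n\ttests=BAYES_99 autolearn=no"),
    "low": mail("Yes, score=6.3 " + TAIL % "no"),
    "ham": mail("No, score=0.2 " + TAIL % "ham"),
    "forged": mail("Yes, score=1.0 " + TAIL % "spam", "Yes, score=16.0 " + TAIL % "no"),
    "bare": mail(),
}

def sort_samples():
    return {name: bucket(raw) for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in sort_samples().items():
        print(f"{name:8} -> {result}")
```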
Re: TQMcube Geo Zone config files
On Sat, 30 Sep 2006 19:10:01 +0200, Andreas Pettersson <[EMAIL PROTECTED]> opined:
> Andreas Pettersson wrote:
>
> > In case anybody is interested, I've compiled a config file for
> > the geo zone at TQM http://tqmcube.com/worldzone.php
> > It might not be of great use, but it is interesting to gather
> > some statistics of where the mails come from.
> >
> > Files found here
> > http://anp.ath.cx/tqmcube/
>
>
> I have updated tqmcube_world.cf with the -lastexternal setting on
> the set name, so that only the connecting IP address is checked
> instead of the whole chain of relays.
>

This zone is a prioritized TODO in October. Everyone had been working almost exclusively on the new Help Desk implementation for removals as well as the Removal Ticket Tracking Portal (web interface).

If anyone has any requests or suggestion on the geo project, please use the contact form. We appreciate all input.

--
Our DNSRBL - Eliminate Spam at the Source: http://www.TQMcube.com
Don't Subsidize Criminals: http://boulderpledge.org
Re: TQMcube Geo Zone config files
On Sat, September 30, 2006 19:10, Andreas Pettersson wrote:
>> http://anp.ath.cx/tqmcube/
>
> I have updated tqmcube_world.cf with the -lastexternal setting on the
> set name, so that only the connecting IP address is checked instead of
> the whole chain of relays.

now spammers just forward to another mta with is listed, and you dont care now :)

what i do is put ALL my known ips for forwarding mta in my trusted network, it give more then to put lastexternal in tqmcube

--
"This message was sent using 100% recycled spam mails."
spamassassin on an open relay
Hi,

I am fairly new to the email environment (at least to the administration of it). I have recently inherited an email system that has developed a somewhat unfavourable reputation with some of the anti-spam sites. I have been trying to address this through the use of spamassassin and amavis with some success. Success in the sense that spam is no longer entering our system. However it is still being passed through.

My first question is how do I configure postfix to send all outgoing mail through amavis?

We can police this to some extent by identifying the users who are originating the spam and adding them to a blacklist. But our problem is confounded by the large number of 3G and GPRS users that we support. Many of these simply use our smtp server as an 'open relay' to broadcast mail. Our server is not really 'open' in that only user with 3G/GPRS accounts can access it, but it is extremely difficult to identify the source of the connection in real time.

What I really want to do is perform spam filtering on all mail that passes through our relay, this will allow us to keep life simple for users (no authentication beyond having a valid 3G/GPRS account) and yet prevent us from polluting the internet with spam. I am sure that it is possible to configure postfix to do this and that it is just my lack of experience in this field that is preventing me from seeing this solution.

Any pointers/tips/etc. gratefully considered.

TIA
mike
Re: SA gone mad, times out and stucks
Andreas Pettersson wrote:
> Jürgen Herz wrote:
>
>>What I still get and not understand is
>>warn: bayes: cannot open bayes databases /var/spool/exim4/.spamassassin/bayes_* R/W: lock failed: File exists
>>
>>
>
> Make sure the file permissions hasn't changed when you ran the manual
> expire.

It hasn't and as I wrote, I got that error before.

But that's the smaller problem - again. Since tonight I get the timeout again on each message when auto expiring old tokens. :-(

What I don't get is the following: I'm running SA for four months now, but that expire timeout I first saw two weeks ago. The timeout is at 300 secs but expiring manually takes twice as long. Shouldn't the time to expire grow linear with growing bayes db? And shouldn't I have seen those timeouts much more early - since time for expiring was everything > 300 secs?

Also is eleven minutes normal for such a small db? I know that machine isn't the fastest (300 MHz PPC) but shouldn't it nevertheless be sufficient?

sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       2181          0  non-token data: nspam
0.000          0       1430          0  non-token data: nham
0.000          0     176004          0  non-token data: ntokens
0.000          0 1148466909          0  non-token data: oldest atime
0.000          0 1159703877          0  non-token data: newest atime
0.000          0 1159703880          0  non-token data: last journal sync atime
0.000          0 1159577859          0  non-token data: last expiry atime
0.000          0   11059200          0  non-token data: last expire atime delta
0.000          0       5595          0  non-token data: last expire reduction count

sa-learn --force-expire
bayes: synced databases from journal in 0 seconds: 138 unique entries (138 total entries)
expired old bayes database entries in 579 seconds
174731 entries kept, 1273 deleted
token frequency: 1-occurrence tokens: 67.92%
token frequency: less than 8 occurrences: 24.63%

And since I still don't know more about them, are those many huge files like bayes_toks.expire16081 normal?

Thanks,
Jürgen