Re: What's with UCEPROTECT List?

2006-10-17 Thread Marc Perkel



Matt Kettler wrote:

I know who Marc is..  I first met him when I was subscribed to sa-dev
a long time ago and tried to defend him in a flame war back in July 2002.

 (strangely, the dev-list member arguing strongest against Marc's idea
was actually a contributor in the process of implementing that exact
idea. But he still swore Marc's idea was a bad one doomed to ruin SA,
largely because he mis-understood the context and pretty much refused to
read it the right way.  I haven't seen him on the lists in 3 years now,
and he seems to be involved with bogofilter instead.)

I'm also quite aware Marc appears in the SA credits under Major
Contributions, just as I do (I've changed ISPs, but I'm still Matt Kettler)

That said, I don't think anyone, no matter how innocent or how much of
an anti-spam crusader, deserves to be provided such information to
circumvent an RBL unless it is provided by the RBL's owner. (in which
case, they'd probably just add a bit of code to keep him out). I'd say
the same to Justin Mason, Theo, or anyone else in the CREDITS file, no
matter how close to the top they appear.

Whether you like a RBL's listing policies or not, nobody should ever try
to undermine a RBLs operation like that. They have a listing policy, and
they're operating according to it. Outing someone else's spamtraps to
anyone is a pretty serious breach of trust, especially if you're doing
so to interfere with the RBL operating according to its listing
policies. Even if it is to one person who is strongly anti-spam and the
RBL has slightly over-strict listing policies.

I may have my disputes with various RBLs, URIBLs, etc.. but I'd never do
something like out their spamtraps unless I strongly felt the existence
of RBL itself was contrary to the best interest of the Internet as a
whole and the RBL needed to be shut down. i.e. if a spam gang ever
created a RBL that listed only the IPs of those engaging in anti-spam
efforts, I'd feel free to publicly publish as much information about
their information gathering tactics as possible. But baring that..


Like I said.. Sorry Marc, I like ya, but...


  
  


Well - if they get it wrong and won't fix it and they are causing my 
good emails to bounce for 2500 domains, what am I supposed to do?




Re: What's with UCEPROTECT List?

2006-10-17 Thread Matt Kettler
Marc Perkel wrote:
   

 Well - if they get it wrong and won't fix it and they are causing my
 good emails to bounce for 2500 domains, what am I supposed to do?
Well, Do they in fact have it wrong? If their listing criteria
considers sender verification to be mail abuse, well, you fit their
listing criteria. I don't agree with it, and I doubt many here do, but
that is apparently their policy.
Their website very clearly explains that sender verification IS a part
of their listing criteria:

http://www.uceprotect.net/en/index.php?m=10&s=13

They do in fact appear to have it right. Your system does in fact
belong on this RBL. Like it or not, your system is a verifier, and this
list categorizes them as abusers.

While I'd agree with you it makes their RBL largely useless for spam
control, they are at least acting exactly in accordance with their
stated policy.

Either way, trying to evade their spamtraps is kinda pointless. They
appear to harvest from most of their commercial product users, so it's
not likely just one or two domains.










Installation Problem !!

2006-10-17 Thread sluci

First step: I made the rpm with the command "rpmbuild -tb
Mail-SpamAssassin-3.1.7.tar.gz" and I got these two files:

-rw-r--r--   1 root root   675943 Oct 16 11:21
perl-Mail-SpamAssassin-3.1.7-.i5
-rw-r--r--   1 root root   180929 Oct 16 11:21 spamassassin-3.1.7-1.i586.rpm

With the first, no problem.


With the second:

linux:  rpm -i spamassassin-3.1.7-1.i586.rpm

spamassassin  0:off  1:off  2:off  3:on   4:off  5:on   6:off

/var/tmp/rpm-tmp.22739: line 13: /sbin/service: No such file or directory

error: %post(spamassassin-3.1.7-1) scriptlet failed, exit status 127



I don't know where the problem is or what it needs. Is /sbin/service a
folder or a file? I tried to make it, but the error changed to "/sbin/service:
is a directory", so I think that service is a file, but...


-- 
View this message in context: 
http://www.nabble.com/Installation-Problem-%21%21-tf2457550.html#a6849458
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



How to detect this spam..

2006-10-17 Thread Monty Ree

Hello..

I have received lots of spam mails like below...

S B N S.P K IS BLOWING UP ON HEAVY PR CAMPAIGNS!
WATCH S B N S.P K TRADE ON TUESDAY OCTOBER 17!

So I would like to make a rule to detect spam which puts a blank after each 
character (over 3 characters) like below..


S(blank) B(blank) N(blank)

Anyone who can make this rule?


Thanks...




RBL checks not working

2006-10-17 Thread Dan Fulbright
I'm having a hard time getting RBL checks to work right. I don't have
anything in my local config files regarding RBLs. I'm using
SpamAssassin 3.1.5. Here is some debugging output, trimmed for
brevity:

dbg: generic: SpamAssassin version 3.1.5
dbg: config: score set 0 chosen.
dbg: util: running in taint mode? yes
dbg: util: taint mode: deleting unsafe environment variables, resetting PATH
dbg: util: final PATH set to: 
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
dbg: dns: is Net::DNS::Resolver available? yes
dbg: dns: Net::DNS version: 0.59
dbg: config: using /etc/mail/spamassassin for site rules pre files
dbg: config: read file /usr/local/share/spamassassin/20_dnsbl_tests.cf
dbg: plugin: loading Mail::SpamAssassin::Plugin::SpamCop from @INC
dbg: reporter: network tests on, attempting SpamCop
dbg: plugin: registered Mail::SpamAssassin::Plugin::SpamCop=HASH(0x93ae3f4)
dbg: dns: checking RBL bl.spamcop.net., set spamcop
dbg: dns: IPs found: full-external: 201.139.53.111, 70.84.192.18 untrusted: 
201.139.53.111, 70.84.192.18 originating: 
dbg: dns: only inspecting the following IPs: 70.84.192.18, 201.139.53.111
dbg: dns: launching DNS TXT query for 18.192.84.70.bl.spamcop.net. in background
dbg: dns: launching DNS TXT query for 111.53.139.201.bl.spamcop.net. in 
background
dbg: dns: success for 18 of 18 queries
dbg: check: tests=SPF_HELO_SOFTFAIL,SPF_SOFTFAIL
dbg: check: 
subtests=__CT,__CTE,__CTYPE_CHARSET_QUOTED,__CT_TEXT_PLAIN,__HAS_MIMEOLE,__HAS_MSGID,__HAS_MSMAIL_PRI,__HAS_OUTLOOK_IN_MAILER,__HAS_RCVD,__HAS_SUBJECT,__HAS_X_MAILER,__HAS_X_PRIORITY,__MIMEOLE_MS,__MIME_VERSION,__MSGID_DOLLARS_MAYBE,__MSGID_DOLLARS_OK,__MSGID_OK_HEX,__MSGID_OK_HOST,__MSGID_RANDY,__NONEMPTY_BODY,__OE_MSGID_2,__SANE_MSGID,__TOCC_EXISTS

The host 201.139.53.111 is listed by SpamCop at the time of this
writing.

It looks like DNS is working fine (dns: success for 18 of 18 queries), but 
using dig, it is clear to see that it should be triggering the SpamCop rule.

# dig 111.53.139.201.bl.spamcop.net

; <<>> DiG 9.2.4 <<>> 111.53.139.201.bl.spamcop.net
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65060
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 8, ADDITIONAL: 8

;; QUESTION SECTION:
;111.53.139.201.bl.spamcop.net. IN  A

;; ANSWER SECTION:
111.53.139.201.bl.spamcop.net. 2100 IN  A   127.0.0.2


Here are the SpamCop lines in my stock config files:

/usr/local/share/spamassassin/20_dnsbl_tests.cf:header RCVD_IN_BL_SPAMCOP_NET eval:check_rbl_txt('spamcop', 'bl.spamcop.net.', '(?i:spamcop)')
/usr/local/share/spamassassin/50_scores.cf:score RCVD_IN_BL_SPAMCOP_NET 0 1.332 0 1.558

Any clues?
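One thing worth separating when debugging a case like this: the dig above tests the A record, while the RCVD_IN_BL_SPAMCOP_NET rule quoted from 20_dnsbl_tests.cf is a check_rbl_txt rule, so SpamAssassin launches TXT queries (as the debug log shows) and matches the answer text against the rule's third argument, '(?i:spamcop)'. The script below is an added example, not code from the thread or from SpamAssassin: it builds the reversed-octet lookup name and runs the A-style and TXT-style checks against a constructed, offline stand-in for DNS answers (FAKE_DNS; the TXT wording is made up).

```python
import ipaddress
import re

# Constructed stand-in for DNS answers, keyed by lookup name. A real check
# would ask the resolver; the TXT wording here is made up, not SpamCop's.
FAKE_DNS = {
    "111.53.139.201.bl.spamcop.net.": {
        "A": ["127.0.0.2"],
        "TXT": ["Blocked by SpamCop (constructed sample TXT)"],
    },
    # 18.192.84.70.bl.spamcop.net. is absent: NXDOMAIN, i.e. not listed
}


def dnsbl_query_name(ip, zone):
    """Lookup name for a DNSBL: IPv4 octets reversed, then the list zone.
    Raises ValueError for anything that is not a dotted-quad IPv4 address."""
    addr = ipaddress.IPv4Address(ip)
    reversed_octets = ".".join(reversed(str(addr).split(".")))
    zone = zone if zone.endswith(".") else zone + "."
    return f"{reversed_octets}.{zone}"


def rbl_a_listed(ip, zone, resolver=FAKE_DNS):
    """What the dig in the thread tested: an A answer inside 127.0.0.0/8,
    the convention DNSBLs use to mean 'listed'."""
    name = dnsbl_query_name(ip, zone)
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    answers = resolver.get(name, {}).get("A", [])
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


def rbl_txt_matches(ip, zone, txt_regex, resolver=FAKE_DNS):
    """What a check_rbl_txt rule asks for: TXT records matched against a
    regex (the rule's third argument). Returns the matching TXT strings;
    an empty list means the rule stays quiet even if an A record exists."""
    name = dnsbl_query_name(ip, zone)
    rx = re.compile(txt_regex)
    return [t for t in resolver.get(name, {}).get("TXT", []) if rx.search(t)]


def rbl_report(ips, zone, txt_regex, resolver=FAKE_DNS):
    """Per-IP summary so the A view and the TXT view can be compared."""
    return {
        ip: {
            "query": dnsbl_query_name(ip, zone),
            "a_listed": rbl_a_listed(ip, zone, resolver),
            "txt_hits": rbl_txt_matches(ip, zone, txt_regex, resolver),
        }
        for ip in ips
    }


if __name__ == "__main__":
    report = rbl_report(["70.84.192.18", "201.139.53.111"],
                        "bl.spamcop.net.", "(?i:spamcop)")
    for ip, r in report.items():
        print(ip, r)
```

Against a live resolver the equivalent manual check is "dig TXT 111.53.139.201.bl.spamcop.net" and then comparing the answer text to the rule's regex; the "success for 18 of 18 queries" debug line only says the queries came back, not that any answer matched.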


Re: RBL checks not working

2006-10-17 Thread Clifton Royston
On Tue, Oct 17, 2006 at 02:33:10AM -0500, Dan Fulbright wrote:
 I'm having a hard time getting RBL checks to work right. I don't have
 anything in my local config files regarding RBLs. I'm using
 SpamAssassin 3.1.5. Here is some debugging output, trimmed for
 brevity:

  Do you have multiple DNS servers listed in your resolv.conf?  Is the
first one not working, or is it an IPv6 address?  In the past I've had
problems with the Net::DNS::Resolver parallel resolution that SA uses
when the first listed server was not up and running, even though dig
and other DNS resolution would work properly.

  -- Clifton

-- 
Clifton Royston  --  [EMAIL PROTECTED] / [EMAIL PROTECTED]
   President  - I and I Computing * http://www.iandicomputing.com/
 Custom programming, network design, systems and network consulting services


Re: Spamd not killing children

2006-10-17 Thread Chris Lear

* Chris Lear wrote (16/10/06 10:32):
 The problem I'm having is that spamd doesn't seem to be able to clean up
 unwanted idle child processes.

[...]
I've had a look in the spamd code, and I'm now wondering whether my 
problem is related to logging bugs (eg 
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4237). I've set 
logrotate to restart spamd after syslog restarts as per the advice in 
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4316. Hopefully 
this will fix it.

I'm still unsure whether this is a spamd bug or not.

Chris


R: What's with UCEPROTECT List?

2006-10-17 Thread Giampaolo Tomassoni
  Well - if they get it wrong and won't fix it and they are causing my
  good emails to bounce for 2500 domains, what am I supposed to do?
 Well, Do they in fact have it wrong? If their listing criteria
 considers sender verification to be mail abuse, well, you fit their
 listing criteria. I don't agree with it, and I doubt many here do, but
 that is apparently their policy.

I'm not that confident in people who wake up one morning and decide that 
a technique is wrong regardless of the good uses it may have. Also, some of 
the assertions on UCEPROTECT's site may be regarded as being even false or 
misleading, like the one saying that theirs is the only effective method to 
block spam.

It is misleading: they may easily stop a lot of good senders on the way to 
blocking spam. And it is false: to my knowledge, the most effective method to 
block spam is surely to shut the mail server down...

That said, Marc, if some technically unskilled customer bought their services 
and you need to have your mail accepted by its servers, the fastest way I see 
is to adjust to UCEPROTECT's rules. Then, eventually, you may try to convince 
your peer that UCEPROTECT's services are based on insane policies.

Why don't you dismiss sender verification and move toward greylisting? I think 
it could be effective as much as sender verification is.

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100



rulesemporium.com expired

2006-10-17 Thread Martin Hepworth


Guys

someone forgot to renew the rulesemporium.com name - better get in there 
quick..


--
Martin Hepworth
Senior Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

**

This email and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they
are addressed. If you have received this email in error please notify
the system manager.

This footnote confirms that this email message has been swept
for the presence of computer viruses and is believed to be clean.   

**



RE: false positive on citibank e-mail

2006-10-17 Thread Coffey, Neal
Jo Rhett wrote:
 I'm sorry, apparently I wasn't technical enough.  Yes, I can read. 
 And 
 I already opened up and looked at the rule, and I can't figure out why
 it failed.  Please skip the duh answers.

There's enough people on here that need that level of answer, you can't
really blame me for starting there.  Rule #1 of troubleshooting -- start
with the simplest explanation, and work your way up.

 And god no, I never use 5 as the tag level.  Hell, I run 2.9 on a
 number of my accounts...  Don't try to make something that is an
 adjustable user policy into a Don't Change This.

I wasn't.  I run 3.5 myself.  Just pointing out that the rules are
optimized for 5, and your false positive scored 4-ish.

 That's not the RCVD_CITIBNK rule I'm using.

Apologies.  I should have made sure I was looking at the most updated
version.


Re: How to disable autolearn for FuzzyOcr?

2006-10-17 Thread Frank Bures
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, 16 Oct 2006 15:16:19 -0400 (EDT), Daniel T. Staal wrote:

On Mon, October 16, 2006 3:07 pm, Marc Perkel said:
 What need to be done with messages that are spam is to only learn the
 headers and not the body of the message. What needs to be done is some
 detection of deliberate bayes poisoning and removal of the poison before
 learning.

In all honesty: Why?  Bayes, by design, handles that by learning any of
the words that are preferentially in spam or ham, and tossing the rest. 
It is highly unlikely that their attempts at poisoning the database are
going to do anything other than give them a *higher* spam score, and not
affecting your ham much or at all.

Even if you could decide which words would be bayes-poison, it would vary
by each email and each user/database.

Ignore it.  Let Bayes do what it is supposed to do.  The only thing I've
seen that is at all effective against SA's Bayes implementation is empty
messages.  Which are pretty useless, and screenable with other rules.

Daniel T. Staal


After a week of running FuzzyOCR I have to agree.  I take back my original 
query :-)  Everything seems to be perfectly fine with Bayes.  Processing some 
100k messages a day.


Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
[EMAIL PROTECTED]
http://www.chem.utoronto.ca
PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures
-BEGIN PGP SIGNATURE-
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850

wj8DBQFFNMmrih0Xdz1+w+wRAjGXAJsErRRwkrV9OSDUo8QkrKVYJUtIugCfbolD
v+79zSpDu27WPsxtD0ohHqs=
=cVPK
-END PGP SIGNATURE-




RE: ALL_TRUSTED creating a problem

2006-10-17 Thread Bowie Bailey
Jo Rhett wrote:
 Matt Kettler wrote:
  Jo Rhett wrote:
   You're still babbling about NAT.  I could care less about NAT. 
   All trusted breaks for EVERYONE, and EVERYONE ends up hardcoding
   trusted_networks because auto detection is completely and utterly
   broken. 
  
  Fine.. We'll ignore NAT. It's not your problem, I get it.
  
  YOUR network is broken because YOUR network doesn't add Received:
  headers before calling SA.. That's not EVERYONE, that's YOU.
  
  Get your tools to add a local Received: header before you call SA,
  the auto-detection code will start working.
  
  After all, if you haven't Received: the message yet, how'd it get
   to SA? Do you really expect SA to work on a message that doesn't
  even appear to have been delivered to your domain yet?
 
 As mentioned in my previous message, I have dozens of messages here
 that have as many as 12 received headers.  So perhaps I didn't get the
 Received header that will be added by this host.  What kind of logic
 says that it should trust a remote IP from a very random source that
 isn't authenticated by a local header?
 
 Here's one from last week, before I disabled auto detection.
 
 Received: from elasmtp-spurfowl.atl.sa.earthlink.net
 (elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]) by
 triceratops.lizardarts.com (8.13.8/8.13.8) with ESMTP id
 k972fkHF066354 for [EMAIL PROTECTED]; Fri, 6 Oct 2006 19:41:46
 -0700 (PDT) (envelope-from [EMAIL PROTECTED])
 Received: from [66.32.20.12] (helo=[66.32.20.12]) by
 elasmtp-spurfowl.atl.sa.earthlink.net with asmtp (Exim 4.34) id
 1GW28H-0003Bs-QM for [EMAIL PROTECTED]; Fri, 06 Oct 2006 22:41:45
 -0400
 X-Spam-Status: No, score=2.741 tagged_above=-1.99 required=4.01
 tests=[ALL_TRUSTED=-1.44, DNS_FROM_RFC_ABUSE=0.479,
 HTML_MESSAGE=0.001, RCVD_IN_NJABL_DUL=1.713, RCVD_IN_SORBS_DUL=1.988]
 
 Now, in this case it's from my mother and valid, but it shows the
 problem.  Why is an earthlink host trusted?
 
 Even if this problem with not having amavisd-milter insert a forged
 Received header into the message for SA to read, then it means that
 the only Received header to read would be
 
 Received: from [66.32.20.12] (helo=[66.32.20.12]) by
 elasmtp-spurfowl.atl.sa.earthlink.net with asmtp (Exim 4.34) id
 1GW28H-0003Bs-QM for [EMAIL PROTECTED]; Fri, 06 Oct 2006 22:41:45
 -0400 
 
 So... why are we trusting 66.32.20.12 ?  Really?

Unless you specify it in the configuration, SA has no idea what
servers are local for you.  In this case, it has to make a guess so it
makes the (fairly reasonable) assumption that the most recent received
header comes from a local MX.

-- 
Bowie
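To make the trust boundary in this thread concrete, here is an added example (not code from the thread and not SpamAssassin's own inference code). It parses the two Received headers Jo quoted into relay hops and then applies a deliberately simplified trust walk: with trusted_networks set, hops are trusted from the top while their IP lies inside a listed network; with nothing configured, it applies the guess Bowie describes and trusts only the topmost hop. The LOCAL_HOP header, the scanner host name and the 198.51.100.0/24 network are constructed placeholders standing in for Jo's own addresses, which the thread does not give. The model stops at the first untrusted hop and does not try to reproduce everything SpamAssassin's real inference does (it evidently trusted both hops here, hence ALL_TRUSTED); its purpose is to show where the boundary lands under each configuration.

```python
import ipaddress
import re

# Constructed sample: the two Received headers quoted in this thread,
# with the recipient address munged exactly as on the page.
RECEIVED_NO_LOCAL = [
    "from elasmtp-spurfowl.atl.sa.earthlink.net "
    "(elasmtp-spurfowl.atl.sa.earthlink.net [209.86.89.66]) "
    "by triceratops.lizardarts.com (8.13.8/8.13.8) with ESMTP id k972fkHF066354 "
    "for [EMAIL PROTECTED]; Fri, 6 Oct 2006 19:41:46 -0700 (PDT)",
    "from [66.32.20.12] (helo=[66.32.20.12]) by elasmtp-spurfowl.atl.sa.earthlink.net "
    "with asmtp (Exim 4.34) id 1GW28H-0003Bs-QM for [EMAIL PROTECTED]; "
    "Fri, 06 Oct 2006 22:41:45 -0400",
]

# Hypothetical local hop that a milter could prepend before scanning
# (triceratops handing to a scanner box). 198.51.100.7 is a
# documentation-range placeholder, not a real address from the thread.
LOCAL_HOP = (
    "from triceratops.lizardarts.com (triceratops.lizardarts.com [198.51.100.7]) "
    "by scanner.lizardarts.com with ESMTP id 00000 for [EMAIL PROTECTED]; "
    "Fri, 6 Oct 2006 19:41:47 -0700 (PDT)"
)

# from <name> ... [<ip>] ... by <host>; lazy so the first bracketed
# IPv4 literal after 'from' is taken (covers both header shapes above).
RELAY_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\].*?\bby\s+(?P<by>\S+)",
    re.S,
)


def relays(received_headers):
    """Topmost header first; each hop is the relay that handed the message to 'by'."""
    hops = []
    for h in received_headers:
        m = RELAY_RE.search(h)
        if not m:
            raise ValueError("unparseable Received header: " + h[:40])
        hops.append({"from": m["from"], "ip": ipaddress.IPv4Address(m["ip"]), "by": m["by"]})
    return hops


def trusted_relays(received_headers, trusted_networks=None):
    """Simplified trust walk (not SpamAssassin's code):
    - trusted_networks given: trust hops from the top while the hop IP is inside
      one of the listed networks, stop at the first that is not;
    - nothing configured: assume the topmost hop is the local MX handoff."""
    hops = relays(received_headers)
    if not trusted_networks:
        return hops[:1]
    nets = [ipaddress.IPv4Network(n) for n in trusted_networks]
    trusted = []
    for hop in hops:
        if not any(hop["ip"] in n for n in nets):
            break
        trusted.append(hop)
    return trusted


def trusted_ips(received_headers, trusted_networks=None):
    """Convenience view: just the trusted hop IPs, as strings, top first."""
    return [str(h["ip"]) for h in trusted_relays(received_headers, trusted_networks)]


if __name__ == "__main__":
    print("no config, no local header:", trusted_ips(RECEIVED_NO_LOCAL))
    print("explicit trusted_networks: ", trusted_ips(RECEIVED_NO_LOCAL, ["198.51.100.0/24"]))
    print("local header prepended:    ", trusted_ips([LOCAL_HOP] + RECEIVED_NO_LOCAL))
```

Either remedy moves the boundary to where it belongs: listing your own address space in trusted_networks makes the EarthLink hop untrusted, and prepending a local Received header makes the topmost-hop guess land on your own machine instead of on the outside relay.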


Re: improving the sa-update process

2006-10-17 Thread Frank Bures
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Mon, 16 Oct 2006 21:56:36 -0400, Daryl C. W. O'Shea wrote:

Jo Rhett wrote:
 Daryl C. W. O'Shea wrote:
 For now, running an sa-update, then a spamassassin --lint, and then 
 restarting is pretty safe though.
 sa-update [whatever] && spamassassin --lint && whatever-to-restart
 
 I've been having some issues with the restarts, and when that happens 
 mail is down.

I'd say that's an issue of it's own, regardless of what sa-update does.


 I'm kindof hoping that there will be some way to get SA to re-read the 
 rules *WITHOUT* restarting the process.

You can SIGHUP the parent.  It's nearly as heavy weight but should avoid 
problems with the socket not being released in time for the new process 
to get it -- which sometimes happen when stopping then starting it in a 
rc script / whatever.

Or you can check that spamassassin is running after restart and if not, start 
it again.  Also you can check that there actually was an update before doing 
the restart in the first place.  Works for me :-)


Frank Bures, Dept. of Chemistry, University of Toronto, M5S 3H6
[EMAIL PROTECTED]
http://www.chem.utoronto.ca
PGP public key: http://pgp.mit.edu:11371/pks/lookup?op=index&search=Frank+Bures
-BEGIN PGP SIGNATURE-
Version: PGPfreeware 5.0 OS/2 for non-commercial use
Comment: PGP 5.0 for OS/2
Charset: cp850

wj8DBQFFNMwzih0Xdz1+w+wRAtOnAKD6Rt+Q4Q/2af6T0jlt0mEjWsTEJACgs93b
wHHnHTKAoN9X/AnQWSfx68Y=
=5bgK
-END PGP SIGNATURE-




Re: How to detect this spam..

2006-10-17 Thread Matt Kettler
Monty Ree wrote:
 Hello..

 I have received lots of spam mails like below...

 S B N S.P K IS BLOWING UP ON HEAVY PR CAMPAIGNS!
 WATCH S B N S.P K TRADE ON TUESDAY OCTOBER 17!

 So I would like to make a rule to detect spam which use blank for each
 characters(over 3 characters) like below..

 S(blank) B(blank) N(blank)

 Anyone who can make this rule?
Here's the regex that would do it. I've also made it caps-specific to
try to avoid FP cases. It may still FP on some text message style
abbreviated text, but I can't think of one off the top of my head that
would hit. But things like Hi R U Mike come pretty close.

/(?:[A-Z] ){3}/
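A small harness, added here as an example (not from the thread), to see what this pattern hits and misses before putting it in a rule file: it runs Matt's regex over a few constructed lines, including the "Hi R U Mike" near-miss, and also measures the longest run of spaced capitals so the threshold can be tuned (the sample lines are made up, apart from the two subjects quoted above).

```python
import re

# Matt Kettler's pattern: three consecutive "capital letter + space" pairs.
SPACED_CAPS = re.compile(r"(?:[A-Z] ){3}")

# Any run of spaced capitals, for measuring how long the longest one is.
SPACED_RUN = re.compile(r"(?:[A-Z] )+")

# Constructed sample lines (not real mail): the two subjects from the
# thread, the near-miss Matt mentions, and plausible ham/FP cases.
SAMPLES = {
    "spam_ticker": "S B N S.P K IS BLOWING UP ON HEAVY PR CAMPAIGNS!",
    "spam_watch": "WATCH S B N S.P K TRADE ON TUESDAY OCTOBER 17!",
    "sms_style": "Hi R U Mike",                      # two pairs, then "Mi": no hit
    "lowercase": "s b n s.p k trade",                 # caps-only on purpose: no hit
    "initials_fp": "Contact J R R at the office",     # legitimate text that still hits
}


def spaced_caps_hits(text):
    """Every non-overlapping run the rule matches; [] means the rule is silent."""
    return SPACED_CAPS.findall(text)


def longest_spaced_run(text):
    """Length, in letters, of the longest run of single spaced capitals."""
    return max((len(m.group(0)) // 2 for m in SPACED_RUN.finditer(text)), default=0)


def rule_fires(text, min_pairs=3):
    """Same check with an adjustable threshold: raising min_pairs trims FPs
    such as three initials at the cost of missing shorter spaced tickers."""
    return longest_spaced_run(text) >= min_pairs


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:12} hits={spaced_caps_hits(line)!r:12} "
              f"longest={longest_spaced_run(line)} fires@3={rule_fires(line)} "
              f"fires@4={rule_fires(line, 4)}")
```

Note that a trailing capital from an ordinary word extends a run ("WATCH S B N" counts as four because of the "H "), so measure on your own ham corpus before choosing a threshold; in a local .cf the three-pair form is simply "body SPACED_CAPS /(?:[A-Z] ){3}/" with a modest score.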




Re: ALL_TRUSTED creating a problem

2006-10-17 Thread Matt Kettler
Jo Rhett wrote:
 Matt Kettler wrote:
 Jo Rhett wrote:
 You're still babbling about NAT.  I could care less about NAT.  All
 trusted breaks for EVERYONE, and EVERYONE ends up hardcoding
 trusted_networks because auto detection is completely and utterly
 broken. 

 Fine.. We'll ignore NAT. It's not your problem, I get it.

 YOUR network is broken because YOUR network doesn't add Received:
 headers before calling SA.. That's not EVERYONE, that's YOU.

 Get your tools to add a local Received: header before you call SA, the
 auto-detection code will start working.

 After all, if you haven't Received: the message yet, how'd it get to SA?
 Do you really expect SA to work on a message that doesn't even appear
 to have been delivered to your domain yet?

 As mentioned in my previous message, I have dozens of messages here
 that have as many as 12 received headers.  
Yes, but none are LOCAL.
 So perhaps I didn't get the Received header that will be added by this
 host.
Yeah, so how did it get to SA? That's the problem. How can SA be
scanning it, if it hasn't reached this host yet?
   What kind of logic says that it should trust a remote IP from a very
 random source that isn't authenticated by a local header?
Because it's equally absurd to assume that the most recent header isn't
local.



Re: How to filter these spam messages

2006-10-17 Thread Gary V

Gary V wrote:



uri      GEOCITIES /^http:\/\/(..|www)\.geocities\.com\/+.+/i
describe GEOCITIES Geocities URL
score    GEOCITIES 3.5


FWIW, if you process large quantities of mail, scoring on just the 
Geocities URI itself *will* cause a significant number of false positives 
even at scores as low as 2.0.


Not to tout my own horn, but I know of people scanning 2-3 million messages 
a day using my WebRedirect plugin to catch Geocities and similar spam with 
much success.  If you can afford the HTTP queries against the free web host 
URIs you might want to consider using it instead.



Daryl


SA does not process a lot of mail, so I can easily afford it. Thanks for the 
tip. I'll give it a try.


Gary V





RE: rulesemporium.com expired

2006-10-17 Thread Chris Santerre





Trying to get resolved now. Posting it to the SATALK list might not have been the best idea!


--Chris 


 -Original Message-
 From: Martin Hepworth [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, October 17, 2006 6:58 AM
 To: SpamAssassin Users
 Subject: rulesemporium.com expired
 
 
 
 Guys
 
 someone forgot to renew the rulesemporium.com name - better 
 get in there 
 quick..
 
 -- 
 Martin Hepworth
 Senior Systems Administrator
 Solid State Logic
 Tel: +44 (0)1865 842300
 
 **
 
 This email and any files transmitted with it are confidential and
 intended solely for the use of the individual or entity to whom they
 are addressed. If you have received this email in error please notify
 the system manager.
 
 This footnote confirms that this email message has been swept
 for the presence of computer viruses and is believed to be clean. 
 
 **
 





This image is turning frequent..

2006-10-17 Thread Anders Norrbring
This type of image spam is getting more common, and is not detected.. At 
least not here..


--

Anders Norrbring
Norrbring Consulting





RE: [Sare-users] ImageInfo.pm and config files

2006-10-17 Thread Suhas \(QualiSpace\)
From where do I obtain imageinfo.cf?

Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com 
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com 
QualiSpace Community Discussion forum: http://forum.qualispace.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Dallas Engelken
Sent: Tuesday, October 17, 2006 7:27 PM
To: This list is for discussion of SpamAssassin rules emporium.
Subject: Re: [Sare-users] ImageInfo.pm and config files

Kevin Golding wrote:
 In article [EMAIL PROTECTED], Dallas Engelken
 [EMAIL PROTECTED] writes
   
 i believe someone provided the details for making it work on 3.0.x a 
 while back on this list.  i cant find the damn email now.  maybe they 
 will chime in.

 or maybe Doc can take a look at the archive?  It was sometime in 
 August.. maybe september.
 

 I'm neither Doc or Moses but

 In article [EMAIL PROTECTED]
   
 , Moses Moore [EMAIL PROTECTED] writes

 I'm using spamassassin v3.0.4 (comes with Fedora Core 4) and I had to
 make the following changes:

 in ImageInfo.pm:

 remove the use Mail::SpamAssassin::Logger line
 add sub dbg { Mail::SpamAssassin::dbg (@_); } before the last line.

 in imageinfo.cf:
 parameters for the eval:xxx() subroutines must be quoted.

 body __GIF_ATTACH_1    eval:image_count('gif','1','1')
 body __GIF_ATTACH_4P   eval:image_count('gif','4')
 body __GIF_AREA_180K   eval:pixel_coverage('gif','18','40')
 body __PNG_ATTACH_1    eval:image_count('png','1','1')
 body __PNG_ATTACH_4P   eval:image_count('png','4')
 body __PNG_AREA_180K   eval:pixel_coverage('png','18','40')

 ... after this, it works as advertised. The OCR plugin can be defeated by

 partitioning the image into smaller and smaller jigsaw-pieces, but the 
 pixel_coverage() routine can measure the size of the total image area.
This, 
 in concert with other rules, will really help.  Well done, Mr. Engelken.
 

 I'd have to agree.  ImageInfo is still catching a lot of these things
 without adding the overhead of OCR.  Good work indeed.

   

Thanks for finding that!

-- 
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com

___
This is being sent to: [EMAIL PROTECTED]
Sare-users mailing list
[EMAIL PROTECTED]
http://lists.maddoc.net/mailman/listinfo/sare-users





RE: This image is turning frequent..

2006-10-17 Thread Chris Santerre






 
 
 This type of image spam is getting more common, and is not 
 detected.. At 
 least not here..


A solution is on its way :) Stay tuned..


Might be end of day. 


Thanks,


Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com






RE: This image is turning frequent..

2006-10-17 Thread Suhas \(QualiSpace\)
I am getting a lot of those too.

Warm Regards,
Suhas
System Admin
QualiSpace - A QuantumPages Enterprise
===
Tel India: +91 (22) 6792 - 1480
Tel US: +1 (614) 827 - 1224
Fax India: +91 (22) 2530 - 3166
URL: http://www.qualispace.com 
===
For Any Technical Query Please Use: http://helpdesk.qualispace.com 
QualiSpace Community Discussion forum: http://forum.qualispace.com


-Original Message-
From: Anders Norrbring [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 17, 2006 7:32 PM
To: users@spamassassin.apache.org
Subject: This image is turning frequent..

This type of image spam is getting more common, and is not detected.. At 
least not here..

-- 

Anders Norrbring
Norrbring Consulting




FORGED_HOTMAIL_RCVD bug??

2006-10-17 Thread Jeremy Fairbrass
G'day everyone,
I received a legitimate email from Hotmail today, which (I believe) 
inappropriately triggered the FORGED_HOTMAIL_RCVD rule in my SpamAssassin 
(version 3.1.5). The email from Hotmail was actually a bounce-back to an 
email sent by one of my users to a Hotmail address - it was bouncing back as 
a no such user error from Hotmail, but I think that's not relevant.

There were only two Received headers in the email from Hotmail, and they are 
as follows (unchanged except for the munging of mydomain.com). The top-most 
Received header was added by my server, and is therefore reliable, as is the 
Hotmail IP stated there - 65.54.246.140. Can anyone tell me why the 
FORGED_HOTMAIL_RCVD rule misfired, and what I might be able to do about 
it?

--
Received: from bay0-omc2-s4.bay0.hotmail.com (bay0-omc2-s4.bay0.hotmail.com 
[65.54.246.140])
 by mail.mydomain.com (mail.mydomain.com [87.230.126.33])
 (MDaemon PRO v9.5.0gm1)
 with ESMTP id md5068214.msg
 for [EMAIL PROTECTED]; Mon, 16 Oct 2006 10:25:51 +0200

Received: from bay0-mc2-f7.bay0.hotmail.com ([65.54.244.47]) by 
bay0-omc2-s4.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.1830);
  Mon, 16 Oct 2006 00:52:09 -0700
--

Cheers,
Jeremy 





Re: This image is turning frequent..

2006-10-17 Thread decoder
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1



Anders Norrbring wrote:
 This type of image spam is getting more common, and is not
 detected.. At least not here..
Yes, this picture is indeed hard to detect...


I'd need a blackbox like

Input: Animated gif of any kind
Output: NonAnimated gif which shows what the user will see

But that is a difficult task considering how many things are possible
with the GIF standard. This picture uses offsets and slow frame rates,
others use transparency etc. A simple way to block these images would
be to scan the GIF for offset frames. I don't think there is any valid
GIF which makes use of these techniques...


Best regards,

Chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFNOuPJQIKXnJyDxURAsLVAKDIdS8QJ38I6snB/lq4mejK8y9r6gCfSoSg
PGMfmUQ35Aez6I7kfJB91h8=
=nHuo
-END PGP SIGNATURE-


domainkeys unverified

2006-10-17 Thread Chris Purves
I just got the domainkeys plugin set up, but it's not working the way I 
expect.


In messages from Yahoo I see:

0.0 DK_SIGNED Domain Keys: message has an unverified signature

but I never see DK_VERIFIED

Is there something I need to configure?  I didn't apply the patch, 
because I'm assuming it's been incorporated into 3.1.4.


--
Chris



Re: This image is turning frequent..

2006-10-17 Thread Logan Shaw

-BEGIN PGP SIGNED MESSAGE-
But that is a difficult task considering how many things are possible
with the GIF standard. This picture uses offsets and slow frame rates,
others use transparency etc. A simple way to block these images would
be to scan the GIF for offset frames. I don't think there is any valid
GIF which makes use of these techniques...


Sure there is:

http://phil.ipal.org/tc.html

Check out the GIF at the top left of the page.  And there is
a library to generate them in that format.

Granted, probably nobody uses it, but it does exist.  :-)

  - Logan
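Chris's idea of scanning a GIF for offset frames, and Logan's caveat that legitimate GIFs use them too, can both be seen with a structural parser. The following is an added example (not code from the thread, not FuzzyOcr or ImageInfo): it walks the GIF block structure without decoding pixels, records each frame's position, size and delay, and turns that into a report a rule could score on. The two sample images are constructed in the script itself (valid block layout, dummy pixel data), so it runs offline; real mail would supply the bytes from the attachment.

```python
import struct


def _skip_sub_blocks(data, pos):
    """Advance past a chain of length-prefixed data sub-blocks ending in a 0 byte."""
    while True:
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def parse_gif_frames(data):
    """Return (logical screen size, [frame dicts]) by walking the GIF blocks.
    Only the structure is read; LZW pixel data is skipped, never decoded.
    Raises ValueError on non-GIF input or an unknown block type."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13                                  # header(6) + logical screen descriptor(7)
    if packed & 0x80:                         # global colour table: 3 bytes * 2^(n+1)
        pos += 3 * (2 << (packed & 0x07))
    frames, pending_delay = [], 0
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                     # trailer
            break
        if block == 0x21:                     # extension: label, then sub-blocks
            label = data[pos]
            pos += 1
            if label == 0xF9 and data[pos] == 4:   # Graphic Control Extension
                _, pending_delay, _ = struct.unpack_from("<BHB", data, pos + 1)
            pos = _skip_sub_blocks(data, pos)
        elif block == 0x2C:                   # image descriptor
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9
            if ipacked & 0x80:                # local colour table
                pos += 3 * (2 << (ipacked & 0x07))
            pos += 1                          # LZW minimum code size
            pos = _skip_sub_blocks(data, pos)
            frames.append({"left": left, "top": top, "width": w, "height": h,
                           "delay_cs": pending_delay})
            pending_delay = 0                 # a GCE applies to the next image only
        else:
            raise ValueError("unexpected block 0x%02x at offset %d" % (block, pos - 1))
    return (width, height), frames


def offset_frame_report(data):
    """Summary a rule could score on: frame count, how many frames are placed
    away from the origin, and the slowest frame delay (1/100 s units)."""
    _, frames = parse_gif_frames(data)
    offset_frames = [f for f in frames if f["left"] or f["top"]]
    return {
        "frames": len(frames),
        "offset_frames": len(offset_frames),
        "max_delay_cs": max((f["delay_cs"] for f in frames), default=0),
        "suspicious": len(frames) > 1 and bool(offset_frames),
    }


def build_gif(screen, frames):
    """Constructed sample generator: correct block structure, dummy pixel data
    (one 1-byte sub-block per frame, not decodable LZW). frames are
    (left, top, width, height, delay_cs) tuples."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", screen[0], screen[1], 0x80, 0, 0)  # GCT flag, 2 colours
    out += bytes(6)                                                  # 2-entry colour table
    for left, top, w, h, delay in frames:
        if delay:
            out += b"\x21\xF9\x04" + struct.pack("<BHB", 0, delay, 0) + b"\x00"
        out += b"\x2C" + struct.pack("<HHHHB", left, top, w, h, 0)
        out += b"\x02" + b"\x01\x00" + b"\x00"   # min code size, 1-byte sub-block, terminator
    out += b"\x3B"
    return bytes(out)


# Constructed samples: a three-strip "animation" that assembles one picture
# with 5 s delays, and a plain single-frame logo.
SLICED_SPAM = build_gif((400, 300), [(0, 0, 400, 100, 500),
                                     (0, 100, 400, 100, 500),
                                     (0, 200, 400, 100, 500)])
PLAIN_LOGO = build_gif((120, 40), [(0, 0, 120, 40, 0)])

if __name__ == "__main__":
    print("sliced:", offset_frame_report(SLICED_SPAM))
    print("logo:  ", offset_frame_report(PLAIN_LOGO))
```

Because offset frames are legal GIF (Logan's point), treat the report as one signal to combine with other rules rather than a block on its own, and reject anything the parser cannot walk cleanly rather than guessing.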


Re: What's with UCEPROTECT List?

2006-10-17 Thread SM

At 20:52 16-10-2006, Marc Perkel wrote:
I don't know if other MTAs support sender verification but if they 
don't they should. It's a very good trick for blocking spam at connect time.


It's also a good trick to cause a denial of service.

Regards,
-sm 



Re: R: What's with UCEPROTECT List?

2006-10-17 Thread Marc Perkel






Giampaolo Tomassoni wrote:

  

  Well - if they get it wrong and won't fix it and they are causing my
good emails to bounce for 2500 domains, what am I supposed to do?
  

Well, Do they in fact "have it wrong"? If their listing criteria
considers sender verification to be "mail abuse", well, you fit their
listing criteria. I don't agree with it, and I doubt many here do, but
that is apparently their policy.

  
  
I'm not that confident in people who wake up one morning and decide that a technique is wrong regardless of the "good uses" it may have. Also, some of the assertions on UCEPROTECT's site may be regarded as being even false or misleading, like the one saying that theirs "is the only effective method to block spam".

It is misleading: they may easily stop a lot of good senders on the way to blocking spam. And it is false: to my knowledge, the most effective method to block spam is surely to shut the mail server down...

That said, Marc, if some technically unskilled customer bought their services and you need to have your mail accepted by its servers, the fastest way I see is to adjust to UCEPROTECT's rules. Then, eventually, you may try to convince your peer that UCEPROTECT's services are based on insane policies.

Why don't you dismiss sender verification and move toward greylisting? I think it could be effective as much as sender verification is.


  


I'm not going to change based on being forced by one block list that
refuses to remove me from their spammers list because they don't like
my spam filtering methods.

As to greylisting - the problem with that is that it causes legitimate
email to be delayed. Having said that I do use some greylisting on what
I consider to be suspicious. I have 3 MX records and the lowest one
returns defer for questionable emails. If they are legit then they retry
on the second MX and it will be accepted.






Re: What's with UCEPROTECT List?

2006-10-17 Thread Marc Perkel



SM wrote:

At 20:52 16-10-2006, Marc Perkel wrote:
I don't know if other MTAs support sender verification but if they 
don't they should. It's a very good trick for blocking spam at 
connect time.


It's also a good trick to cause a denial of service.

Regards,
-sm


Not really. If someone had the bandwidth to cause a denial of service 
through sender verification they could do it more easily by just 
attacking the target directly. No one is going to use sender 
verification as a DoS tool. It's too inefficient.




Re: What's with UCEPROTECT List?

2006-10-17 Thread Dave Pooser
 I don't know if other MTAs support sender verification but if they
 don't they should. It's a very good trick for blocking spam at connect time.
 
 It's also a good trick to cause a denial of service.

You think so? By my count, my server is transmitting roughly 80 bytes of
data (HELO, MAIL FROM:, RCPT TO: and QUIT); even with overhead from RBL
checks on your side that shouldn't contribute to any load. It's not like an
evil spammer could carefully synchronize it so that millions of mail servers
would all try to do callouts at exactly the same microsecond, after all.
Have you actually seen a server DOSed by sender callouts, ever? I never have,
and I've never heard of one.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
And the beer I had for breakfast
Wasn't bad, so I had one more for dessert.




RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 It's also a good trick to cause a denial of service.
 
 Regards,
 -sm
 

Maybe... under extremely special circumstances, yet more realistically not.

Well programmed software can rate limit itself when things look hokey...

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



Re: What's with UCEPROTECT List?

2006-10-17 Thread Marc Perkel
The way I see it is this. I run a spam filtering company. I'm one of the 
good guys who are blocking spam. uceprotect.net claims to be a list to 
block spammers. I have written them several times and even though they 
know that I am not a spammer they refuse to take me off their spammers list.


So if you have a company who is knowingly and deliberately listing 
people who they know are in the spam fighting business as spammers, what 
does it say about their operation? It seems to me that they are helping 
the spammers more than those of us who are blocking spam.


What it looks like to me is a way of blacklisting competition to try to 
steer business their way. The only way to get off their lists is to pay 
them money. It looks more like extortion to me.




RE: [Sare-users] ImageInfo.pm and config files

2006-10-17 Thread Dennis Davis
On Tue, 17 Oct 2006, Suhas (QualiSpace) wrote:

 From: Suhas (QualiSpace) [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Cc: users@spamassassin.apache.org
 Date: Tue, 17 Oct 2006 19:36:53 +0530
 Subject: RE: [Sare-users] ImageInfo.pm and config files
 
 From where do I obtain imageinfo.cf?

http://www.rulesemporium.com/plugins.htm
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101


Re: domainkeys unverified

2006-10-17 Thread Mark Martinec
Chris,

 I just got the domainkeys plugin set up, but it's not working the way I
 expect. In messages from Yahoo I see:
   0.0 DK_SIGNED Domain Keys: message has an unverified signature
 but I never see DK_VERIFIED
 Is there something I need to configure?  I didn't apply the patch,
 because I'm assuming it's been incorporated into 3.1.4.

The Perl module Mail::DomainKeys is not part of SA; it is installed
separately. SA does not/can not/ apply patches to foreign modules.
Make sure you have Mail::DomainKeys version 0.86 (or later, if any);
previous versions have several bugs.

Are you referring to a patch to Mail::DomainKeys pointed to from:
  http://www.ijs.si/software/amavisd/amavisd-new-docs.html#dkim
?

That patch is not yet incorporated into 0.86 (it needs to be adjusted
to play well with signing, but if you are only doing verification
from SA it does not matter). The patch allows the signature to match
either a From or a Sender header field, which becomes important
for mail passing through some mailing lists like postfix-users
or the SA 'users' list.

  Mark


Re: Q. about spam directed towards highest MX Record?

2006-10-17 Thread Peter H. Lemieux

Jon Trulson wrote:

Hehe, that is an old spammer trick... Our secondary MX is
pretty much 100% spam.
I implemented greylisting on the secondary which reduced spam
through it by about 99% :)  The secondary does not do spam
scanning, it's simply store and forward.  Greylisting really
helps in these cases.


My experience is like Jon's; nearly all mail arriving at the backup MX is 
spam.


Rather than greylisting, I simply score messages higher if they come in 
through the backup MX.  On my systems, where the primary MX is almost 
never down, I add 3.3 SA points for messages that arrive via the back 
door.  This is routinely one of the most frequently hit rules, right up 
there with senders without reverse DNS, which gets an equivalent score. 
Many messages arriving at the back door trip both these rules and thus 
get marked as spam.


This approach doesn't put a great deal of stress on my SA scanner because 
I block a lot of mail at the SMTP level based on a substantial custom 
rule list.


Peter
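
Peter's two rules above, modelled in Python as an added example (editor-supplied code, not Peter's configuration and not SpamAssassin's rule syntax): it walks the Received: headers from the most recent hop downwards, finds the hop where the message first reached one of our MX hosts, and adds 3.3 points for arrival via a backup MX and another 3.3 when the sending host had no reverse DNS. The MX hostnames, header strings, queue ids and IP addresses are constructed for the example (documentation domains and address ranges). In real SpamAssassin these are written as header rules and the relay parsing is done by SA itself; the point here is to show what the two rules actually key on, and why a message that trips both (6.6) clears SA's default 5.0 threshold on its own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Matches the common Sendmail/Postfix shapes of a Received: header:
#   from <helo> (<rdns> [<ip>]) ... by <host>      reverse DNS present
#   from <helo> ([<ip>]) ... by <host>             Sendmail, no reverse DNS
#   from <helo> (unknown [<ip>]) ... by <host>     Postfix, no reverse DNS
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s*"
    r"(?:\((?P<rdns>[^\s\[\]()]*)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"
    r".*?\bby\s+(?P<by>[^\s;()]+)",
    re.DOTALL,
)

BACKUP_MX_POINTS = 3.3   # the post's score for arriving via the backup MX
NO_RDNS_POINTS = 3.3     # the post's "equivalent score" for a sender without reverse DNS


@dataclass
class Hop:
    helo: str
    rdns: Optional[str]   # None when the receiving MTA recorded no reverse DNS
    ip: Optional[str]
    by: str


def parse_received(value: str) -> Optional[Hop]:
    """Parse one (possibly folded) Received: header value; None if it is not a from/by hop."""
    m = RECEIVED_RE.search(" ".join(value.split()))
    if not m:
        return None
    rdns = m.group("rdns")
    if not rdns or rdns.lower() == "unknown":
        rdns = None
    return Hop(m.group("helo"), rdns, m.group("ip"), m.group("by").lower())


def score_entry_hop(received: List[str], primary: Set[str], backup: Set[str]) -> dict:
    """Apply the two rules to the hop where the message first reached one of our MX hosts.

    `received` is in message order: index 0 is the most recent hop (top of the header block).
    """
    primary = {h.lower() for h in primary}
    backup = {h.lower() for h in backup}
    ours = primary | backup
    for value in received:
        hop = parse_received(value)
        if hop is None or hop.by not in ours:
            continue                      # not a hop handled by our MXes at all
        if hop.rdns in ours:
            continue                      # internal hand-off, e.g. backup MX forwarding to primary
        hits = []
        if hop.by in backup:
            hits.append("VIA_BACKUP_MX")
        if hop.rdns is None:
            hits.append("NO_REVERSE_DNS")
        score = (BACKUP_MX_POINTS * ("VIA_BACKUP_MX" in hits)
                 + NO_RDNS_POINTS * ("NO_REVERSE_DNS" in hits))
        return {"entry_by": hop.by, "from_ip": hop.ip, "hits": hits, "score": round(score, 1)}
    return {"entry_by": None, "from_ip": None, "hits": [], "score": 0.0}


# Constructed sample headers (documentation hostnames and IP ranges, not real mail).
OUR_PRIMARY = {"mx1.example.org"}
OUR_BACKUP = {"mx2.example.org"}

VIA_BACKUP_NO_RDNS = [
    "from mx2.example.org (mx2.example.org [192.0.2.2]) by mx1.example.org (8.13.8/8.13.8) "
    "with ESMTP id k9HJ00001; Tue, 17 Oct 2006 12:00:02 -0700",
    "from relay.example.com ([198.51.100.7]) by mx2.example.org (8.13.8/8.13.8) "
    "with SMTP id k9HJ00002; Tue, 17 Oct 2006 12:00:01 -0700",
]
DIRECT_TO_PRIMARY = [
    "from mail.example.com (mail.example.com [203.0.113.5]) by mx1.example.org (8.13.8/8.13.8) "
    "with ESMTP id k9HJ00003; Tue, 17 Oct 2006 12:00:00 -0700",
]

if __name__ == "__main__":
    print(score_entry_hop(VIA_BACKUP_NO_RDNS, OUR_PRIMARY, OUR_BACKUP))   # both rules, 6.6
    print(score_entry_hop(DIRECT_TO_PRIMARY, OUR_PRIMARY, OUR_BACKUP))    # neither, 0.0
```

The internal hand-off check matters: when the backup MX forwards to the primary, the top header is "from mx2 ... by mx1", and scoring that hop would make every backup-relayed message look like it arrived with proper reverse DNS. The regex only covers the two header shapes shown; MTAs that record the HELO and the rDNS differently need their own pattern.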




Re: Problem with URIBL rules : false positive and not listed while mannually checking

2006-10-17 Thread Peter H. Lemieux

Fabien GARZIANO wrote:

And for dns, I'm sorry, I typed it too fast and when I meant no 'dns' i
also meant no 'named' process. 


On mail servers it's usually a good idea to run a local nameserver, even 
if you have no zone files to publish (e.g., the caching nameserver 
named configuration that comes with RedHat-flavored distributions). 
Without a local nameserver you have to make a request against the ISP's 
servers for every message you receive.  If you run a local, caching 
server, once you've looked up an address it's kept locally which improves 
performance on a busy mail server.


If you run a caching server, make sure that /etc/resolv.conf has 
127.0.0.1 as its initial nameserver address.  Add the ISP's addresses 
below this in case your local named falls over.


Peter



RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 
 What it looks like to me is a way of blacklisting competition to try to
 steer business their way. The only way to get off their lists is to pay
 them money. It looks more like extortion to me.
 

Marc

After reading their EN website, http://www.uceprotect.net/en/

...maybe you could be the one to correct their grammar as they put it and
they would bless/pay you by pulling your entry...

Yes, I am joking... sort of...

:-)

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



R: What's with UCEPROTECT List?

2006-10-17 Thread Giampaolo Tomassoni
 ...maybe you could be the one to correct their grammar as they 
 put it and
 they would bless/pay you by pulling your entry...

Ahahah. :)

giampaolo


 
 Yes, I am joking... sort of...
 
 :-)
 
  - rh
 
 --
 Robert - Abba Communications
    Computer & Internet Services
  (509) 624-7159 - www.abbacomm.net
 



Re: What's with UCEPROTECT List?

2006-10-17 Thread Kelson

Matt Kettler wrote:

That said, some folks still hate it because you're using some (very
little) of their CPU and network to handle your spam.


Also, a large number of verifications (say, because someone has been 
sending lots of spam with forged headers) looks suspiciously like a 
dictionary attack.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Script error

2006-10-17 Thread Reginaldo Bray Mendoza



Hello everybody.

Today I upgraded spamassassin to the latest version available (3.1.7). I tried to execute:

/etc/init.d/spamassassin status|restart|stop

and I get the following error message:

spamassassin: spamassassin script is v3.001003, but using modules v3.001007

However, I run spamassassin --version and get the following message:

SpamAssassin version 3.1.7
running on Perl version 5.8.0

I downloaded the .tar.gz file from the spamassassin website and executed perl Makefile.PL -- make -- make install.

Can somebody tell me how I can fix this??

Thanks and regards,

Reginaldo Bray Mendoza
Systems Programmer
Eurolatina SC Ltda - LBH Group Colombia
As Agents Only
Phone: +57 5 665 3580
Fax: +57 5 655 1492
Mobile: +57 315 897 5310
Email: [EMAIL PROTECTED] (personal)
[EMAIL PROTECTED] (preferred)
Group website: www.lbh-group.com
We are working HARD towards becoming the most respected ship agency in Colombia, by applying the highest quality, service and security standards of the international maritime industry. Thank you for making contact with us - Eurolatina SC Ltda Team - LBH Colombia.


Re: This image is turning frequent..

2006-10-17 Thread Kelson

decoder wrote:

But that is a difficult task considering how many things are possible
with the GIF standard. This picture uses offsets and slow frame rates,
others use transparency etc. A simple way to block these images would
be to scan the GIF for offset frames. I don't think there is any valid
GIF which makes use of these techniques...


If "offset frames" means what I think it does, they're actually a fairly 
common technique in animated GIFs where you only need to change part of 
the image.  After all, if you're changing a 30x50 section of a 200x200 
image, why waste space on an extra 38,500 pixels?


--
Kelson Vibber
SpeedGate Communications www.speed.net
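
To make the structures being argued about concrete, here is an added Python example (editor-supplied; not code from any list member, from SpamAssassin or from SARE) that walks the GIF block layout and reports each frame's image-descriptor offset and size together with the delay from its Graphic Control Extension. It does not decode pixel data. The two GIFs it inspects are constructed inside the block with dummy image data; the 500-centisecond "slow" threshold and the feature names are the example's own choices. Run on the partial-update animation Kelson describes, it reports exactly the 38,500 pixels he mentions, which is his point: an offset frame on its own is an ordinary property of animated GIFs, not a spam verdict, so a filter needs more than that single feature.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Frame:
    left: int
    top: int
    width: int
    height: int
    delay_cs: Optional[int]   # delay from the preceding Graphic Control Extension, 1/100 s


def _skip_subblocks(data: bytes, pos: int) -> int:
    """Skip length-prefixed data sub-blocks up to and including the 0x00 terminator."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size


def parse_gif(data: bytes) -> Tuple[Tuple[int, int], List[Frame]]:
    """Walk the GIF block structure; returns (logical screen size, frames). No LZW decoding."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    width, height, packed = struct.unpack("<HHB", data[6:11])
    pos = 13                                   # 6-byte header + 7-byte logical screen descriptor
    if packed & 0x80:                          # global colour table follows
        pos += 3 * (2 ** ((packed & 0x07) + 1))
    frames: List[Frame] = []
    pending_delay: Optional[int] = None
    while pos < len(data):
        block = data[pos]
        pos += 1
        if block == 0x3B:                      # trailer
            break
        if block == 0x21:                      # extension: label byte, then sub-blocks
            label = data[pos]
            pos += 1
            if label == 0xF9:                  # Graphic Control Extension: size, packed, delay LE16, ...
                pending_delay = struct.unpack("<H", data[pos + 2:pos + 4])[0]
            pos = _skip_subblocks(data, pos)
        elif block == 0x2C:                    # image descriptor
            left, top, w, h, ipacked = struct.unpack("<HHHHB", data[pos:pos + 9])
            pos += 9
            if ipacked & 0x80:                 # local colour table follows
                pos += 3 * (2 ** ((ipacked & 0x07) + 1))
            pos += 1                           # LZW minimum code size
            pos = _skip_subblocks(data, pos)   # compressed pixel data
            frames.append(Frame(left, top, w, h, pending_delay))
            pending_delay = None
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos - 1}")
    return (width, height), frames


def summarize(data: bytes, slow_delay_cs: int = 500) -> dict:
    """Frame-layout features a filter might look at. An 'offset frame' is any frame that does
    not cover the whole logical screen; pixels_saved is what the partial update avoids encoding."""
    (sw, sh), frames = parse_gif(data)
    offset = [f for f in frames if (f.left, f.top) != (0, 0) or (f.width, f.height) != (sw, sh)]
    slow = [f for f in frames if f.delay_cs is not None and f.delay_cs >= slow_delay_cs]
    return {"frames": len(frames), "offset_frames": len(offset), "slow_frames": len(slow),
            "pixels_saved": sum(sw * sh - f.width * f.height for f in offset)}


def build_gif(screen: Tuple[int, int], frames: List[Tuple[int, int, int, int, int]]) -> bytes:
    """Constructed test input: a GIF89a skeleton with dummy (not valid LZW) pixel data.
    frames: (left, top, width, height, delay_cs)."""
    out = bytearray(b"GIF89a" + struct.pack("<HHBBB", screen[0], screen[1], 0x00, 0, 0))
    for left, top, w, h, delay in frames:
        out += b"\x21\xF9\x04\x00" + struct.pack("<H", delay) + b"\x00\x00"   # GCE
        out += b"\x2C" + struct.pack("<HHHHB", left, top, w, h, 0x00)        # image descriptor
        out += b"\x02\x03\x44\x01\x00\x00"   # min code size, one 3-byte sub-block, terminator
    out += b"\x3B"
    return bytes(out)


# Constructed samples: a normal animation updating a 30x50 region of a 200x200 image, and the
# same layout with a 30-second delay on the second frame.
ANIMATED = build_gif((200, 200), [(0, 0, 200, 200, 10), (100, 80, 30, 50, 10)])
SLOW_FRAME = build_gif((200, 200), [(0, 0, 200, 200, 10), (100, 80, 30, 50, 3000)])

if __name__ == "__main__":
    print(summarize(ANIMATED))     # offset frame present, nothing slow, 38500 pixels saved
    print(summarize(SLOW_FRAME))
```

The walk stops at the trailer and raises on an unknown block byte, which is the behaviour you want in a filter: a GIF that does not parse is itself worth a score, and truncated or malformed input must not send the scanner off the end of the buffer.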


RE: Scanning aliases for spam

2006-10-17 Thread Chris Santerre



Yes... and here is the answer:

An alias can be a procmail script. So you send the email to this aliased procmail script, have it scanned, and depending on the outcome of the scan, proceed to forward to the real alias, or do something else with the spam.

Thanks,
Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com

  -Original Message-
  From: Michael Fenimore [mailto:[EMAIL PROTECTED]]
  Sent: Sunday, October 15, 2006 4:32 PM
  To: users@spamassassin.apache.org
  Subject: Scanning aliases for spam
  
  Hi. I hope this question isn't beyond the scope of this group or hasn't been answered already.
  I maintain a site that runs Majordomo v. 1.94.5. We have over 55 groups and close to 4800 members.
  Some of these groups have been in existence for a while and have found themselves in spammer databases.
  Spamd runs fine on a local user account, but does not scan any aliases from the /etc/aliases file.
  Is there a way to have this done? Or is it beyond SA capabilities?
  
  TIA
  
  Michael Fenimore
  SysAdmin/WebMaster
  GriefNet.org
  


Re: What's with UCEPROTECT List?

2006-10-17 Thread Jim Maul

Kelson wrote:

Matt Kettler wrote:

That said, some folks still hate it because you're using some (very
little) of their CPU and network to handle your spam.


Also, a large number of verifications (say, because someone has been 
sending lots of spam with forged headers) looks suspiciously like a 
dictionary attack.




Exactly.  In effect what sender verification does is cause your server 
to perform the dictionary attack instead of the spammer.


Say I'm a spammer. I send messages to [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], etc and see which ones are accepted to gather valid 
addresses.


With sender verification, the spammer now sends messages to 
[EMAIL PROTECTED] with a return address of [EMAIL PROTECTED], 
[EMAIL PROTECTED], etc.  Your server does the sender check to see if 
[EMAIL PROTECTED] exists.  Your server is doing the work for the spammer now 
and looks exactly like a dictionary attack.  This could (and does) very 
easily get you onto several blacklists.


Sender verification?  Not for me, thanks.

-Jim


RE: Script error

2006-10-17 Thread Bowie Bailey
Reginaldo Bray Mendoza wrote:
 Hello everybody.
 
 Today I upgraded spamassassin to the latest version available (3.1.7). I
 tried to execute: 
 
 /etc/init.d/spamassassin status|restart|stop
 
 and I get the following error message:
 
 spamassassin: spamassassin script is v3.001003, but using modules
 v3.001007 
 
 However, I run spamassassin --version and get the following message:
 
   SpamAssassin version 3.1.7
   running on Perl version 5.8.0
 
 I downloaded the .tar.gz file from the spamassassin website and executed
 perl Makefile.PL -- make -- make install. 
 
 Can somebody tell me how I can fix this??

Take a look at /etc/init.d/spamassassin and see where it is finding
the program.

Then do 'which spamassassin' to see which one you are running.

You have two SpamAssassin installs.  You will need to make sure you
are running the correct one.  The best solution is to remove both of
them and reinstall to make sure you only have one installation.

This is usually caused by upgrading via a different method than the
original install (RPM vs CPAN vs source build).  Pick a method and
stick with it.

-- 
Bowie
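
An added note on what that error line actually encodes (editor example, not Bowie's or SpamAssassin's code): Perl's decimal version form packs three digits per component, so `v3.001003` is 3.1.3 and `v3.001007` is 3.1.7. The `spamassassin` script being executed is therefore left over from a 3.1.3 install while the modules it loads are the new 3.1.7, which is exactly the two-installs situation Bowie describes. The helper below normalises both spellings into a comparable tuple and, given the error line quoted above, says which half is stale; the advice strings are the example's own wording of the `which spamassassin` check.

```python
import re
from typing import Optional, Tuple

MISMATCH_RE = re.compile(r"script is (v?[\d.]+), but using modules (v?[\d.]+)")


def parse_perl_version(text: str) -> Tuple[int, ...]:
    """Turn either spelling SpamAssassin prints into a comparable tuple.

    Perl decimal form, three digits per component: 'v3.001007' or '3.001007' -> (3, 1, 7)
    Dotted form as printed by --version:          '3.1.7'                  -> (3, 1, 7)
    A bare '3.1' is a decimal version and means 3.100, as it does in Perl.
    """
    s = text.strip().lstrip("v")
    if s.count(".") >= 2:                      # already dotted
        return tuple(int(p) for p in s.split("."))
    major, _, frac = s.partition(".")
    frac = frac.ljust(-(-len(frac) // 3) * 3, "0")   # pad to whole 3-digit groups ('1' -> '100')
    return (int(major),) + tuple(int(frac[i:i + 3]) for i in range(0, len(frac), 3))


def dotted(v: Tuple[int, ...]) -> str:
    return ".".join(str(p) for p in v)


def diagnose(error_line: str) -> Optional[dict]:
    """Explain the 'script is vX, but using modules vY' error: which half is the stale one."""
    m = MISMATCH_RE.search(error_line)
    if not m:
        return None
    script = parse_perl_version(m.group(1))
    modules = parse_perl_version(m.group(2))
    if script < modules:
        stale = "script"
        advice = "an older spamassassin script is found first in PATH; compare `which spamassassin`"
    elif script > modules:
        stale = "modules"
        advice = "an older Mail::SpamAssassin tree is found first in Perl's @INC"
    else:
        stale = "none"
        advice = "versions agree"
    return {"script": dotted(script), "modules": dotted(modules), "stale": stale, "advice": advice}


if __name__ == "__main__":
    # The line quoted in the thread above.
    print(diagnose("spamassassin: spamassassin script is v3.001003, but using modules v3.001007"))
```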


Re: false positive on citibank e-mail

2006-10-17 Thread jdow

You're the twit who reduced the required score. Fix it.
{^_^}
- Original Message - 
From: Jo Rhett [EMAIL PROTECTED]




Included below is a legitimate e-mail on a legitimate payment that I did make.

I've looked at the rule, and I can't figure out why it failed.

 Original Message 
Return-Path: [EMAIL PROTECTED]
Received: from triceratops.lizardarts.com ([unix socket]) by
triceratops.lizardarts.com (Cyrus v2.3.7) with LMTPA; Mon, 16 Oct 2006
12:28:46 -0700
X-Sieve: CMU Sieve 2.3
X-Virus-Scanned: amavisd-new at netconsonance.com
X-Spam-Flag: YES
X-Spam-Score: 4.012
X-Spam-Level: 
X-Spam-Status: Yes, score=4.012 tagged_above=-999 required=4
tests=[AWL=-4.520, DNS_FROM_RFC_ABUSE=0.479, FROM_EXCESS_BASE64=1.052,
HTML_MESSAGE=0.001, NO_RECEIVED=2, NO_RELAYS=1, SARE_FORGED_CITI=4,
SUBJECT_EXCESS_BASE64=0]
Received: from bigfootinteractive.com (arm184.bigfootinteractive.com
[206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8) with SMTP
id k9GJSgjH051843 for [EMAIL PROTECTED]; Mon, 16 Oct 2006 12:28:43
-0700 (PDT) (envelope-from [EMAIL PROTECTED])
Reply-To: [EMAIL PROTECTED]
Bounces_to: [EMAIL PROTECTED]
Message-ID:
[EMAIL PROTECTED]
X-BFI: T9TH054F119A6D9697126D82D3CB60
Date: Mon, 16 Oct 2006 15:26:53 EDT
From: Citi Cards [EMAIL PROTECTED]
Subject: Your online activity confirmation
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=ABCD-T9TH054F119A6D9697126D82D3CB60-EFGH



http://info.citibank.com/ *Email Security Zone
http://info.citibank.com/: JO RHETT*
For your account ending in *SNIP*

Add [EMAIL PROTECTED] to your address book to ensure delivery.


Dear JO RHETT,

This email confirms the following action(s) completed at Account Online for your Citi 
Cards account ending in *SNIP*.

See detail(s) below:

# *Click-to-Pay Payment Confirmation:*
An online payment in the amount of $1,487.11 is scheduled to post
to your Citi card account on October 13, 2006. The payment will be made
by electronic transfer from your designated bank account. Please
keep the following confirmation number for your records: 122144156497088.

/Note: If you performed multiple activities at Account Online within
the past 48 hours you may receive confirmations separately./

We appreciate the opportunity to serve you. Quality service and your
security is top of mind at Citi. If any of the above information is
inaccurate, please contact us immediately at 800-347-4934.

Visit us anytime at www.citicards.com
http://info.citibank.com/ to review
your recent account activity or update your account information.


Privacy http://info.citibank.com/ |
Security http://info.citibank.com/
_Email Preferences_
Your Citi Cards is issued by Citibank (South Dakota), N.A.. If you'd
like to refine the types of email messages you receive, or if you'd
prefer to stop receiving email from us, please go to:
http://www.email.citicards.com
http://info.citibank.com/

_Help / Contact Us_
If you have questions about your account, please use our secure message
center by signing on at www.citicards.com
http://info.citibank.com/ and choosing
Contact Us from the Help / Contact Us menu. You can also call the
customer service phone number on the back of your card.

© 2006 Citibank (South Dakota), N.A.
All rights reserved.
Citi, Citibank, Citi with Arc Design, and Live richly are registered
service marks of Citigroup Inc.

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

--
Jo Rhett
Network/Software Engineer
Net Consonance 




Re: JD_ rule set?

2006-10-17 Thread jdow

From: benthere-nine [EMAIL PROTECTED]

jdow wrote:



The lowest scoring one of those puppies to hit here ran up a score
of 7.3:
-1.5 JD_SENDER_RELAY    Good list with Sender header
 0.0 DK_POLICY_SIGNSOME Domain Keys: policy says domain signs some mails
 3.0 BAYES_95           BODY: Bayesian spam probability is 95 to 99%
                        [score: 0.9771]
 0.0 JD_VHI_BAYES       JD_VHI_BAYES
 0.0 JD_HI_BAYES        JD_HI_BAYES
 3.8 JD_HI_BAYES_LKML   LKML likely spam
 2.0 JD_VHI_BAYES_LKML  LKML very likely spam



Which rule set are the JD_ scores from?


Personal experimental META rules components.

HI is 80, 95, and 99. VHI is 95 and 99.

I also have a rule that detects LKML, the Linux Kernel Mailing List.
It has a -1.5 score. The HI and VHI rules combined with LKML add
several points to offset the lowering. (LO and VLO rules also exist
to subtract even more points to offset various rules that trigger
on patches, source listings, and oops dumps.)

{^_^}


Bayes doesn't seem to be running

2006-10-17 Thread Thomas Lindell
I have SA configured to run via amavis-new

Regular rbl and other checks do work

But bayes doesn't seem to be running.

I am not even sure where to go look to find information about what checks
are being run to try and track down the problem

Any hints?


Thomas Lindell
System Admin
Airbornedatalink.com



Re: This image is turning frequent..

2006-10-17 Thread Jo Rhett

Anders Norrbring wrote:
This type of image spam is getting more common, and is not detected.. At 
least not here..


score SARE_GIF_STOX 2.5 2.5 2.5 2.5

That's all it took, and we don't see it any more.

--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: This image is turning frequent..

2006-10-17 Thread Jo Rhett
I think you guys are going down a much harder road.  This only makes 
sense if and when e-mail with only a GIF is a normal type of e-mail that 
people find acceptable.  Otherwise, just score e-mail with only a GIF 
and/or some extra bayes poison high and don't bother analyzing it.


Kelson wrote:

decoder wrote:

But that is a difficult task considering how many things are possible
with the GIF standard. This picture uses offsets and slow frame rates,
others use transparency etc. A simple way to block these images would
be to scan the GIF for offset frames. I don't think there is any valid
GIF which makes use of these techniques...


If "offset frames" means what I think it does, they're actually a fairly 
common technique in animated GIFs where you only need to change part of 
the image.  After all, if you're changing a 30x50 section of a 200x200 
image, why waste space on an extra 38,500 pixels?





--
Jo Rhett
Network/Software Engineer
Net Consonance


RE: This image is turning frequent..

2006-10-17 Thread Chris Santerre





Exactly... and that SARE ruleset is coming very soon :) 


--Chris


 -Original Message-
 From: Jo Rhett [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, October 17, 2006 1:28 PM
 To: Kelson
 Cc: users@spamassassin.apache.org
 Subject: Re: This image is turning frequent..
 
 
 I think you guys are going down a much harder road. This only makes 
 sense if and when e-mail with only a GIF is a normal type of 
 e-mail that 
 people find acceptable. Otherwise, just score e-mail with only a GIF 
 and/or some extra bayes poison high and don't bother analyzing it.
 
 Kelson wrote:
  decoder wrote:
  But that is a difficult task considering how many things 
 are possible
  with the GIF standard. This picture uses offsets and slow 
 frame rates,
  others use transparency etc. A simple way to block these 
 images would
  be to scan the GIF for offset frames. I don't think there 
 is any valid
  GIF which makes use of these techniques...
  
  If "offset frames" means what I think it does, they're 
 actually a fairly 
  common technique in animated GIFs where you only need to 
 change part of 
  the image. After all, if you're changing a 30x50 section 
 of a 200x200 
  image, why waste space on an extra 38,500 pixels?
  
 
 
 -- 
 Jo Rhett
 Network/Software Engineer
 Net Consonance
 





Re: What's with UCEPROTECT List?

2006-10-17 Thread Jo Rhett

Marc Perkel wrote:
Not really. If someone had the bandwidth to cause a denial of service 
through sender verification they could do it more easily by just 
attacking the target directly. No one is going to use sender 
verification as a DoS tool. It's too inefficient.


What?  You mean the same inefficiency that spam has?  God, you're right 
- nobody is doing that any more!


Um, you know at first I was agreeing with your comments about UCEPROTECT 
but now that you've shown yourself to be fairly clueless, I'm having to 
revise my opinion of them.  Their grammar aside, the page that describes 
the potential is technically accurate.  Please go read it, and think 
about it.


Send a bunch of spam with a single forged sender address to a lot of 
sites that do sender verification.  Watch their mail server fall down. 
I can assure you that even with modern hardware, no e-mail MTA available 
today can handle 20mb/sec of e-mail connections.  The best I have 
personally observed is commercial Sendmail handling 12mb/sec.  (of 
connections with no data transfer is a LOT of connections)


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: What's with UCEPROTECT List?

2006-10-17 Thread Jo Rhett

Dave Pooser wrote:

Have you actually seen a server DOSed by sender callouts, ever? I never have,
and I've never heard of one.


Um, yes.  Well, I've seen it DoSed by just attempts to deliver to an 
address that doesn't exist. User not found after RCPT TO is the exact 
same traffic load.  That was very modern hardware, and it happened just 
a few weeks ago.


Think about it.  It doesn't require you to stretch your brain to figure 
out the math involved.


--
Jo Rhett
Network/Software Engineer
Net Consonance


RE: Having issue with a type of spam I havn't seen before

2006-10-17 Thread Chris Santerre





I'm just waiting for some votes before I release the SARE ruleset for these guys. I finally believe I got it nailed down. 

Thanks,


Chris Santerre
SysAdmin and Spamfighter
www.rulesemporium.com
www.uribl.com





 -Original Message-
 From: Derek Harding [mailto:[EMAIL PROTECTED]]
 Sent: Friday, October 13, 2006 5:26 PM
 To: users@spamassassin.apache.org
 Subject: RE: Having issue with a type of spam I havn't seen before
 
 
 On Fri, 2006-10-13 at 15:22 -0600, Chris Stone wrote:
  On Fri, 2006-10-13 at 10:38 -0400, Dylan Bouterse wrote:
   I’m trying to write a rule to score src="" but I can’t 
 seem to get
   it right. Can somebody shed some light on what I’d use for the
   20_phrases.cf file so I can start scoring this? Thanks.
  
  Here's what I am using with success:
  
  rawbody SENET_INLINEIMG /src\s*=\s*[']cid:/i
 
 Sometime ago I wrote this rule:
 rawbody INLINE_IMAGE /src\s*=\s*[']cid:/i
 describe INLINE_IMAGE Inline Images
 score INLINE_IMAGE 1.5
 
 Works fine though it will catch users who use an attached image for
 their sig or use email templates with background images.
 
 I think these days most people are going the ocr route.
 
 Derek
 
 
 





Re: What's with UCEPROTECT List?

2006-10-17 Thread Marc Perkel



Jim Maul wrote:

Kelson wrote:

Matt Kettler wrote:

That said, some folks still hate it because you're using some (very
little) of their CPU and network to handle your spam.


Also, a large number of verifications (say, because someone has been 
sending lots of spam with forged headers) looks suspiciously like a 
dictionary attack.




Exactly.  In effect what sender verification does is cause your server 
to perform the dictionary attack instead of the spammer.


Say I'm a spammer. I send messages to [EMAIL PROTECTED], [EMAIL PROTECTED], 
[EMAIL PROTECTED], etc and see which ones are accepted to gather valid 
addresses.


With sender verification, the spammer now sends messages to 
[EMAIL PROTECTED] with a return address of [EMAIL PROTECTED], 
[EMAIL PROTECTED], etc.  Your server does the sender check to see if 
[EMAIL PROTECTED] exists.  Your server is doing the work for the spammer 
now and looks exactly like a dictionary attack.  This could (and does) 
very easily get you onto several blacklists.


Sender verification?  Not for me, thanks.




Generally a dictionary attack uses random To addresses, not From 
addresses. Sender verification works on the From address. And if I 
didn't use sender verification it could result in a bounce message to 
the address that I would have verified, and the bounce message is a far 
worse problem than sender verification.


Re: What's with UCEPROTECT List?

2006-10-17 Thread Jo Rhett

Marc Perkel wrote:
So if you have a company who is knowingly and deliberately listing 
people who they know are in the spam fighting business as spammers, what 


No.  Just like RFC_POST and RFC_ABUSE they are listing people who 
violate a policy.  And by using those BLs, I am choosing not to accept 
e-mail from sites which violate those policies.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: What's with UCEPROTECT List?

2006-10-17 Thread Jo Rhett

R Lists06 wrote:

Maybe... under extremely special circumstances, yet more realistically not.
Well programmed software can rate limit itself when things look hokey...


Right.  And rate limiting limits the real service.  Thus, you have ... 
oh yeah, DENIAL OF SERVICE.


THINK! It's not hard.

--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: What's with UCEPROTECT List?

2006-10-17 Thread Marc Perkel



Jo Rhett wrote:

Marc Perkel wrote:
Not really. If someone had the bandwidth to cause a denial of service 
through sender verification they could do it more easily by just 
attacking the target directly. No one is going to use sender 
verification as a DoS tool. It's too inefficient.


What?  You mean the same inefficiency that spam has?  God, you're 
right - nobody is doing that any more!


Um, you know at first I was agreeing with your comments about 
UCEPROTECT but now that you've shown yourself to be fairly clueless, 
I'm having to revise my opinion of them.  Their grammar aside, the 
page that describes the potential is technically accurate.  Please go 
read it, and think about it.


Send a bunch of spam with a single forged sender address to a lot of 
sites that do sender verification.  Watch their mail server fall down. 
I can assure you that even with modern hardware, no e-mail MTA 
available today can handle 20mb/sec of e-mail connections.  The best I 
have personally observed is commercial Sendmail handling 12mb/sec.  
(of connections with no data transfer is a LOT of connections)


I'm using Exim which caches sender verification results so if the 
attacker uses a single forged address it would only result in a callout 
every 2 hours or so.


Re: JD_ rule set?

2006-10-17 Thread Benny Pedersen

On Tue, October 17, 2006 18:55, jdow wrote:

 to subtract even more points to offset various rules that trigger
 on patches, source listings, and oops dumps.)

this mailing list has enormous amounts of spam on it; it seems that no one cares to kill it at
the mailing list server level. Hmm, do spammers sponsor this mailing list? :-)

-- 
This message was sent using 100% recycled spam mails.



Re: What's with UCEPROTECT List?

2006-10-17 Thread Jo Rhett

Marc Perkel wrote:
I'm using Exim which caches sender verification results so if the 
attacker uses a single forged address it would only result in a callout 
every 2 hours or so.


You really didn't read that page, did you?

Yes, it works well for you.  But if everyone is doing it, it will fail.

This isn't the ARPAnet, and we no longer know the other 52 sites personally.

--
Jo Rhett
Network/Software Engineer
Net Consonance
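
The three positions in this thread (Jim Maul's point that a burst of callouts for forged senders at one domain looks to that domain's MX like an address-harvesting run; Marc's Exim result cache that makes a single repeated forged address cost one callout per two hours; Jo's objection that the cache does nothing when the addresses differ) can be seen side by side in a small model. The following is an added Python example, editor-supplied and not Exim's code or anyone's posted configuration: a verifying MTA's callout policy with a two-hour positive-and-negative cache plus a per-sender-domain callout budget, fed two constructed streams of inbound envelope senders. The remote probe is a stand-in function, the budget and window values are constructed policy numbers, and example.net is a documentation domain.

```python
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple

CACHE_TTL_S = 2 * 3600   # keep callout results about 2 hours, as Marc describes for Exim
WINDOW_S = 60            # rate-limit window (constructed policy value)
DOMAIN_BUDGET = 20       # max callouts to one sender domain per window (constructed policy value)


@dataclass
class CalloutPolicy:
    """Decide, per inbound MAIL FROM, whether to send a verification callout.

    probe: performs the real SMTP probe to the sender domain's MX and returns True if the
           address is accepted there; supplied by the caller so this model runs offline.
    now:   clock, injectable for simulation.
    """
    probe: Callable[[str], bool]
    now: Callable[[], float] = time.time
    cache: Dict[str, Tuple[bool, float]] = field(default_factory=dict)
    recent: Dict[str, Deque[float]] = field(default_factory=dict)
    stats: Dict[str, int] = field(
        default_factory=lambda: {"callouts": 0, "cache_hits": 0, "deferred": 0})

    def decide(self, sender: str) -> str:
        """Return 'accept', 'reject', or 'defer' (a 4xx to the client, no probe sent)."""
        t = self.now()
        cached = self.cache.get(sender)
        if cached is not None and t - cached[1] < CACHE_TTL_S:
            self.stats["cache_hits"] += 1
            return "accept" if cached[0] else "reject"
        domain = sender.rsplit("@", 1)[-1].lower()
        window = self.recent.setdefault(domain, deque())
        while window and t - window[0] >= WINDOW_S:
            window.popleft()
        if len(window) >= DOMAIN_BUDGET:
            # Over budget for this domain: temp-fail instead of probing. No callout leaves our
            # server, so the forged domain's MX does not see a burst of RCPT TO probes from us.
            # The cost is the one Jo points at: legitimate mail from that domain is delayed too.
            self.stats["deferred"] += 1
            return "defer"
        window.append(t)
        self.stats["callouts"] += 1
        exists = self.probe(sender)
        self.cache[sender] = (exists, t)      # negative results are cached as well
        return "accept" if exists else "reject"


class FakeClock:
    """Deterministic clock for the simulation: each call advances by `step` seconds."""
    def __init__(self, start: float = 0.0, step: float = 1.0):
        self.t, self.step = start, step

    def __call__(self) -> float:
        self.t += self.step
        return self.t


def run_stream(senders: List[str], probe: Callable[[str], bool],
               clock: Callable[[], float]) -> Dict[str, int]:
    """Feed a sequence of envelope senders through a fresh policy and return its counters."""
    policy = CalloutPolicy(probe=probe, now=clock)
    for s in senders:
        policy.decide(s)
    return policy.stats


# Constructed inputs. The probe stands in for the remote MX of example.net.
KNOWN_ADDRESSES = {"alice@example.net"}


def fake_probe(addr: str) -> bool:
    return addr in KNOWN_ADDRESSES


SINGLE_FORGED_SENDER = ["bob@example.net"] * 1000                      # one address, repeated
MANY_FORGED_SENDERS = [f"user{i}@example.net" for i in range(1000)]   # distinct addresses, one domain

if __name__ == "__main__":
    print("single sender:", run_stream(SINGLE_FORGED_SENDER, fake_probe, FakeClock()))
    print("many senders: ", run_stream(MANY_FORGED_SENDERS, fake_probe, FakeClock()))
```

With one repeated address the cache absorbs 999 of 1000 events, which is Marc's case. With a thousand distinct addresses at one domain the cache never hits; the budget is what keeps the probe rate to 20 per minute and turns the rest into deferrals, and those deferrals are the degraded service the other side of the thread is describing. A policy that only had the cache would have sent all 1000 probes.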


Re: What's with UCEPROTECT List?

2006-10-17 Thread Jo Rhett

Marc Perkel wrote:
Generally a dictionary attack uses random To addresses, not From 
addresses. Sender verification works on the From address. And if I 
didn't use sender verification it could result in a bounce message to 
the address that I would have verified, and the bounce message is a far 
worse problem than sender verification.


You aren't paying attention to modern spam, are you?  They send out a 
bunch of e-mail and use the results (i.e. not bounces) to collect usable 
addresses.


Then they send out their main spam load with the previously verified 
addresses as the FROM sources.


Download any modern spam sending product.  Take a look at it.  Think 
about it.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: This image is turning frequent..

2006-10-17 Thread Jo Rhett
Just FYI increasing SARE_GIF_STOX has removed this spam from my mailbox. 
 It's doing something right.  (I was getting 1-2 an hour prior to 
increasing that rule's score)


Chris Santerre wrote:

Exactly... and that SARE ruleset is coming very soon :)

--Chris

  -Original Message-
  From: Jo Rhett [mailto:[EMAIL PROTECTED]
  Sent: Tuesday, October 17, 2006 1:28 PM
  To: Kelson
  Cc: users@spamassassin.apache.org
  Subject: Re: This image is turning frequent..
 
 
  I think you guys are going down a much harder road.  This only makes
  sense if and when e-mail with only a GIF is a normal type of
  e-mail that
  people find acceptable.  Otherwise, just score e-mail with only a GIF
  and/or some extra bayes poison high and don't bother analyzing it.
 
  Kelson wrote:
   decoder wrote:
   But that is a difficult task considering how many things
  are possible
   with the GIF standard. This picture uses offsets and slow
  frame rates,
   others use transparency etc. A simple way to block these
  images would
   be to scan the GIF for offset frames. I don't think there
  is any valid
   GIF which makes use of these techniques...
  
   If "offset frames" means what I think it does, they're
  actually a fairly
   common technique in animated GIFs where you only need to
  change part of
   the image.  After all, if you're changing a 30x50 section
  of a 200x200
   image, why waste space on an extra 38,500 pixels?
  
 
 
  --
  Jo Rhett
  Network/Software Engineer
  Net Consonance
 




--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: ALL_TRUSTED creating a problem

2006-10-17 Thread Jo Rhett

Matt Kettler wrote:

Matt Kettler wrote:

YOUR network is broken because YOUR network doesn't add Received:
headers before calling SA.. That's not EVERYONE, that's YOU.

Get your tools to add a local Received: header before you call SA, the
auto-detection code will start working.

After all, if you haven't Received: the message yet, how'd it get to SA?
Do you really expect SA to work on a message that doesn't even appear
to have been delivered to your domain yet?



Jo Rhett wrote:

As mentioned in my previous message, I have dozens of messages here
that have as many as 12 received headers.  



Yes, but none are LOCAL.


RIGHT.  So why are they Trusted?


So perhaps I didn't get the Received header that will be added by this
host.



Yeah, so how did it get to SA? That's the problem. How can SA be
scanning it, if it hasn't reached this host yet?


Does this matter?  SA *IS* scanning it, and for unknown reasons 
assigning the random remote host as trusted.  That is *BROKEN*.



  What kind of logic says that it should trust a remote IP from a very
random source that isn't authenticated by a local header?

Because it's equally absurd to assume that the most recent header isn't
local.


I'm sorry, but phrases like "what are you babbling about" keep floating 
to the top of my mind when I read your response.   (sorry, need more 
coffee)  Your logic appears to be backwards -- if the results are 
confusing, assume trusted?


Slow down and explain to me exactly why the most recent header having a 
remote address in it should be trusted?


Seriously, I can't figure out what you think should be happening.  None 
of these sites are local.  None of them are even in the same /8 network. 
 Why does autodetection decide that they are trusted?


--
Jo Rhett
Network/Software Engineer
Net Consonance


RE: JD_ rule set?

2006-10-17 Thread Bowie Bailey
Benny Pedersen wrote:
 
 this mailing list has enormous amounts of spam on it, seems that no one cares to
 kill it at the mailing list server level, hmm, do spammers sponsor this
 mailing list? :-) 

Huh?  I don't filter this list and I haven't seen any spam.

-- 
Bowie


Re: ALL_TRUSTED creating a problem

2006-10-17 Thread Jo Rhett

Bowie Bailey wrote:

Unless you specify it in the configuration, SA has no idea what
servers are local for you.  In this case, it has to make a guess so it
makes the (fairly reasonable) assumption that the most recent received
header comes from a local MX.


Oh. I get it.  We're trusting headers to be more accurate than 
getifaddrs() ?   Am I supposed to agree that this makes sense? Seriously...


--
Jo Rhett
Network/Software Engineer
Net Consonance


SA Webmail Portal

2006-10-17 Thread Billy Huddleston



Anyone developed a webmail portal for Spamassassin? 
What I mean by this is.. Some sort of webmail which only has a spam folder so 
people can see their spam.. anything else passes on through.. I'm running 
SA in two manners.. One of which is going directly to my pop server and tags all 
the spam.. and my pop server files stuff away accordingly.. but, I'm also 
providing spam tagging services for other customers.. who are now requesting 
that they not get the spam, but have a webmail portal page similar to 
Postini's (also a nice place to adjust their scores)

Thanks, Billy




dealing with DoS attacks (Re: ALL_TRUSTED creating a problem)

2006-10-17 Thread Jo Rhett

R Lists06 wrote:

As you more than likely already know

...I would encourage you to consider several things here as realistically
several federal and local laws are being broken here and others have

... ...

We have dealt with issues like this many times and we take note of it at layer
3, document it, then get on the horn with super techs (if enough time) and
have them document it too.


Yes, I know.  I'm actually one of the supertechs you refer to.  Er, at 
least top of the food chain in that regard :-)


Law enforcement in Santa Clara is excellent, but they have to focus on 
the big fish.  This is small stuff to them.  It's also just small enough 
to fall under the radar of most providers, which argues to me that this 
guy is fairly clueful.  (guy because so far I've never met a woman who 
dealt with their emotional drama in such stupid ways)



A long time ago when a full T1 was bigtime, sometimes people would ping
flood smaller ISP circuits making them unusable at layer 2 and the frame
switches would simply do what they were programmed to do and drop the
packets because a 256k port would be running at well over 100% capacity and
almost every packet was discard eligible etc etc


You pretty much nailed it.  The target is a DSL customer, so sending 
100mb/sec isn't enough to raise the eyebrows of any modern service 
provider, but the DSL switch receiving that flood gets fairly unhappy 
and the target is completely offline.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: SA Webmail Portal

2006-10-17 Thread Jo Rhett

Billy Huddleston wrote:
Anyone developed a webmail portal for Spamassassin?  What I mean by this 
is.. Some sort of webmail which only has a spam folder so people can see 
their spam.. anything else passes on through..  I'm running SA in two 
manners.. One of which is going directly to my pop server and tags all 
the spam.. and my pop server files stuff away accordingly.. but, I'm 
also providing spam tagging services for other customers.. who are now 
requesting that they not get the spam, but have a webmail portal page 
similar to Postini's  (also a nice place to adjust their scores)


Sure.  Use the ability to tag to a plussed address, then virtusertable 
the plussed address to a local cyrus server with Squirrelmail, and route 
the normal mail onward.  This should only take about an hour to set up.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: improving the sa-update process

2006-10-17 Thread Jo Rhett

Frank Bures wrote:
Or you can check that spamassassin is running after restart and if not, start 
it again.  Also you can check that there actually was an update before doing 
the restart in the first place.  Works for me :-)


I do the latter already.

And as I've stated several times before, spamassassin *DOES* run. 
Always.  It's just whether or not it's doing anything useful.  When it 
can't talk to the sockets, it's dead in the water.  This requires an 
external test to determine.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: false positive on citibank e-mail

2006-10-17 Thread Jo Rhett

Ramprasad wrote:

That's the bane of antispam. If there were no FP's spammers would lose
their jobs. ( So will we techies managing antispam :-) )


I've heard that nonsense (losing jobs to problems disappearing) so many 
times over the years, and it has *never* happened.   There's always more 
technical things to do.


Just think how much progress in software development would occur if none 
of us had to work on anti-spam solutions?  I mean seriously, spam is 20% 
of my job on a Good Day.



Whitelisting citibank is just too dangerous; anyone can forge it.
Use 
def_whitelist_from_spf [EMAIL PROTECTED]


What?  Who is talking about whitelist?

--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: false positive on citibank e-mail

2006-10-17 Thread Jo Rhett

Nice insult.  Can we stick to fixing real problems, please?

jdow wrote:

You're the twit who reduced the required score. Fix it.
{^_^}
- Original Message - From: Jo Rhett [EMAIL PROTECTED]


Included below is a legitimate e-mail on a legitimate payment that I 
did make.


I've looked at the rule, and I can't figure out why it failed.

-------- Original Message --------
Return-Path: [EMAIL PROTECTED]
Received: from triceratops.lizardarts.com ([unix socket]) by
triceratops.lizardarts.com (Cyrus v2.3.7) with LMTPA; Mon, 16 Oct 2006
12:28:46 -0700
X-Sieve: CMU Sieve 2.3
X-Virus-Scanned: amavisd-new at netconsonance.com
X-Spam-Flag: YES
X-Spam-Score: 4.012
X-Spam-Level: 
X-Spam-Status: Yes, score=4.012 tagged_above=-999 required=4
tests=[AWL=-4.520, DNS_FROM_RFC_ABUSE=0.479, FROM_EXCESS_BASE64=1.052,
HTML_MESSAGE=0.001, NO_RECEIVED=2, NO_RELAYS=1, SARE_FORGED_CITI=4,
SUBJECT_EXCESS_BASE64=0]
Received: from bigfootinteractive.com (arm184.bigfootinteractive.com
[206.132.3.184]) by triceratops.lizardarts.com (8.13.8/8.13.8) with SMTP
id k9GJSgjH051843 for [EMAIL PROTECTED]; Mon, 16 Oct 2006 12:28:43
-0700 (PDT) (envelope-from [EMAIL PROTECTED])
Reply-To: [EMAIL PROTECTED]
Bounces_to: [EMAIL PROTECTED]
Message-ID:
[EMAIL PROTECTED] 


X-BFI: T9TH054F119A6D9697126D82D3CB60
Date: Mon, 16 Oct 2006 15:26:53 EDT
From: Citi Cards [EMAIL PROTECTED]
Subject: Your online activity confirmation
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=ABCD-T9TH054F119A6D9697126D82D3CB60-EFGH



http://info.citibank.com/ *Email Security Zone
http://info.citibank.com/: JO RHETT*
For your account ending in *SNIP*

Add [EMAIL PROTECTED] to your address book to ensure delivery.


Dear JO RHETT,

This email confirms the following action(s) completed at Account 
Online for your Citi Cards account ending in *SNIP*.

See detail(s) below:

# *Click-to-Pay Payment Confirmation:*
An online payment in the amount of $1,487.11 is scheduled to post
to your Citi card account on October 13, 2006. The payment will be made
by electronic transfer from your designated bank account. Please
keep the following confirmation number for your records: 122144156497088.

/Note: If you performed multiple activities at Account Online within
the past 48 hours you may receive confirmations separately./

We appreciate the opportunity to serve you. Quality service and your
security is top of mind at Citi. If any of the above information is
inaccurate, please contact us immediately at 800-347-4934.

Visit us anytime at www.citicards.com
http://info.citibank.com/ to review
your recent account activity or update your account information.


Privacy http://info.citibank.com/ |
Security http://info.citibank.com/
_Email Preferences_
Your Citi Cards is issued by Citibank (South Dakota), N.A.. If you'd
like to refine the types of email messages you receive, or if you'd
prefer to stop receiving email from us, please go to:
http://www.email.citicards.com
http://info.citibank.com/

_Help / Contact Us_
If you have questions about your account, please use our secure message
center by signing on at www.citicards.com
http://info.citibank.com/ and choosing
Contact Us from the Help / Contact Us menu. You can also call the
customer service phone number on the back of your card.

© 2006 Citibank (South Dakota), N.A.
All rights reserved.
Citi, Citibank, Citi with Arc Design, and Live richly are registered
service marks of Citigroup Inc.

Citibank Customer Service
P. O. Box 6500
Sioux Falls, SD 57117

--
Jo Rhett
Network/Software Engineer
Net Consonance 





--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: SA Webmail Portal

2006-10-17 Thread Chris St. Pierre
On Tue, 17 Oct 2006, Jo Rhett wrote:

 Billy Huddleston wrote:
 Anyone developed a webmail portal for Spamassassin?

 Sure.  Use the ability to tag to a plussed address, then virtusertable the
 plussed address to a local cyrus server with Squirrelmail, and route the 
 normal
 mail onward.  This should only take about an hour to set up.

We do something similar -- we set some headers with SA, and then use
Sieve filters to put them into folders, delete entirely, etc.  When we
create a new account users get some default filters, which they can
then manage using the Ingo component of Horde.

This works for us, since we offer a full webmail/groupware suite as
well, but Jo's suggestion is more lightweight and would probably be
better if you're just looking for a spam quarantine interface.

Remember, SA doesn't filter, file, deliver, or anything else.  You can
use it to munge the message, but anything else is up to other software
-- in this case, probably your IMAP server.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University




Re: ALL_TRUSTED creating a problem

2006-10-17 Thread Daryl C. W. O'Shea

Jo Rhett wrote:

Matt Kettler wrote:

Matt Kettler wrote:



So perhaps I didn't get the Received header that will be added by this
host.



Yeah, so how did it get to SA? That's the problem. How can SA be
scanning it, if it hasn't reached this host yet?


Does this matter?  SA *IS* scanning it, and for unknown reasons 
assigning the random remote host as trusted.  That is *BROKEN*.


As I've said before, YES, it does matter.

SA knows *nothing* about the connection that isn't in the headers.  In 
your example in this thread you had two headers, one that was added 
after SA saw it, and one that came in as DATA.


As stated in the documentation, SA *requires* you to at least forge a 
received header for the local relay before passing the mail to SA.  This 
is the only way that SA can gather data about the connection, the 
envelope, etc.


If you were to be doing what is *required*, SA would see this forged 
received header, assume that it is the local trusted server (like the 
docs say it will do).  It'll then compare the IP addr info from the 
first forged received header to the one supplied by the remote host and 
see that it is not trusted and won't trust it -- just like you're 
bitching that it's not doing because you're not providing the correct 
input to SA.




  What kind of logic says that it should trust a remote IP from a very
random source that isn't authenticated by a local header?

Because it's equally absurd to assume that the most recent header isn't
local.


I'm sorry, but phrases like "what are you babbling about" keep floating 
to the top of my mind when I read your response.   (sorry, need more 
coffee)  Your logic appears to be backwards -- if the results are 
confusing, assume trusted?


The application's documentation requires you to ensure that the first 
received header it sees is local.  It'd be awfully stupid if we required 
the first header was local and then assumed it was remote just for the 
hell of it.


The only flawed logic I see here is you expecting incorrect input to 
lead to correct output (not that the output is wrong given the input, of 
course).



Slow down and explain to me exactly why the most recent header having a 
remote address in it should be trusted?


I've already told you this before, and again above.  You are required to 
 ensure that the most recent received header is local.  Maybe we're at 
fault assuming that the user is going to call the application according 
to the documentation.



Seriously, I can't figure out what you think should be happening.  None 
of these sites are local.  None of them are even in the same /8 network. 
 Why does autodetection decide that they are trusted?


I've only seen examples from you that include only one received header 
that was actually presented to SA (which thus must be assumed to be 
local), so I have no idea what you're saying isn't working here.


Anyway... that's it from me, at least until you start calling SA 
correctly.  Until you fix your milter and can demonstrate otherwise I 
maintain that the auto-detection works as documented.



Daryl
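The inference Daryl describes, as an added example that is not part of the original thread and not SpamAssassin's own Received.pm: a simplified model that walks the Received: chain top-down and shows why ALL_TRUSTED fires when the scanner is handed a message whose only Received: headers were written by the remote side. The header samples, host names, the 192.0.2.0/24 "local" network and the auto-detect fallback (trust the relay named in the topmost header) are assumptions for illustration.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: what the scanner sees when the MTA writes its own
# Received: headers before SpamAssassin is called.  Hosts, IPs and dates are
# placeholders; 192.0.2.0/24 is assumed to be the local network.
WITH_LOCAL_HOPS = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
    by scanner.example.org with ESMTP id abc123
    for <user@example.org>; Mon, 16 Oct 2006 12:28:46 -0700 (PDT)
Received: from mail.example.net (mail.example.net [203.0.113.7])
    by mx.example.org with ESMTP id def456; Mon, 16 Oct 2006 12:28:43 -0700
Received: from [198.51.100.9] (helo=laptop)
    by mail.example.net with ESMTP; Mon, 16 Oct 2006 12:28:40 -0700
Subject: constructed sample
"""

# The same message handed over before any local Received: header exists:
# the only header left is the one the remote relay wrote about itself.
WITHOUT_LOCAL_HOPS = """\
Received: from [198.51.100.9] (helo=laptop)
    by mail.example.net with ESMTP; Mon, 16 Oct 2006 12:28:40 -0700
Subject: constructed sample
"""

# IPv4 only, which is all the sample needs: the relay is the first bracketed
# address after "from", the receiving host is the name after "by".
FROM_IP = re.compile(r"^from\b.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)")


def unfold_headers(raw: str) -> List[Tuple[str, str]]:
    """Join folded continuation lines and split each header into (name, value)."""
    fields: List[Tuple[str, str]] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        elif ":" in line:
            name, value = line.split(":", 1)
            fields.append((name.strip(), value.strip()))
    return fields


def parse_received(value: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (relay_ip, by_host) for one unfolded Received: value."""
    ip = FROM_IP.search(value)
    by = BY_HOST.search(value, ip.end() if ip else 0)
    return (ip.group(1) if ip else None, by.group(1) if by else None)


def trust_path(raw: str, local_nets: List[str]) -> List[Tuple[str, bool]]:
    """Mark each relay in the Received: chain, top-down, as trusted or not.

    Simplified model of the behaviour discussed in the thread (an assumption,
    not SA's code): the host in the topmost "by" clause is taken to be our
    side.  With local_nets configured, a relay stays trusted only while it and
    every relay above it lie inside those networks.  With nothing configured,
    the fallback trusts the relay named in the topmost header as the handoff
    from the local MX; when the local hop was never written, that topmost
    header is whatever the remote host chose to put there.
    """
    nets = [ipaddress.ip_network(n) for n in local_nets]
    relays = [parse_received(v) for n, v in unfold_headers(raw)
              if n.lower() == "received"]
    path: List[Tuple[str, bool]] = []
    chain_intact = True          # becomes False at the first untrusted relay
    for index, (ip, _by_host) in enumerate(relays):
        if ip is None:
            chain_intact = False
            path.append(("?", False))
            continue
        if nets:
            trusted = chain_intact and any(ipaddress.ip_address(ip) in net
                                           for net in nets)
        else:
            trusted = chain_intact and index == 0
        chain_intact = trusted
        path.append((ip, trusted))
    return path


def all_trusted(path: List[Tuple[str, bool]]) -> bool:
    """The ALL_TRUSTED condition: every relay on the path is trusted."""
    return bool(path) and all(trusted for _ip, trusted in path)


if __name__ == "__main__":
    for label, raw in (("with local hops", WITH_LOCAL_HOPS),
                       ("without", WITHOUT_LOCAL_HOPS)):
        for nets in ([], ["192.0.2.0/24"]):
            path = trust_path(raw, nets)
            print(f"{label:16} nets={nets!s:18} {path} "
                  f"ALL_TRUSTED={all_trusted(path)}")
```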


Re: ALL_TRUSTED creating a problem

2006-10-17 Thread Daryl C. W. O'Shea

Jo Rhett wrote:

Bowie Bailey wrote:

Unless you specify it in the configuration, SA has no idea what
servers are local for you.  In this case, it has to make a guess so it
makes the (fairly reasonable) assumption that the most recent received
header comes from a local MX.


Oh. I get it.  We're trusting headers to be more accurate than 
getifaddrs() ?   Am I supposed to agree that this makes sense? Seriously...


Yeah, seriously.  Especially when your cluster of 50+ SA machines doesn't 
share the same interface as the other cluster of front-end MXes. 
Although I'd love to see that in action.


Remember, not everyone uses the same apparently broken-ass milter that 
you're using.



Daryl




Re: SA Webmail Portal

2006-10-17 Thread Jo Rhett

Chris St. Pierre wrote:

Remember, SA doesn't filter, file, deliver, or anything else.  You can
use it to munge the message, but anything else is up to other software
-- in this case, probably your IMAP server.


Not entirely true.   These options change the delivery address.  If you 
use these and also virtusertable, you could deliver tagged mail to a 
different location.


## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing'
# $recipient_delimiter = undef;
# $replace_existing_extension = 1;
# $addr_extension_virus  = undef;
# $addr_extension_banned = undef;
# $addr_extension_spam   = undef;
# $addr_extension_bad_header = undef;
# @addr_extension_virus_maps  = (\$addr_extension_virus);
# @addr_extension_banned_maps = (\$addr_extension_banned);
# @addr_extension_spam_maps   = (\$addr_extension_spam);
# @addr_extension_bad_header_maps = (\$addr_extension_bad_header);




--
Jo Rhett
Network/Software Engineer
Net Consonance


How to automatically remove spam instead of marking it as [SPAM]

2006-10-17 Thread Gerhard Mourani
Hello,

I would like to know how to automatically remove detected Spam? I don't
want spamassassin to deliver the spam with a [SPAM] tag at the beginning of
the message but prefer to send it (the spam) directly to something like
/dev/null

-- 
Gerhard Mourani




Re: ALL_TRUSTED creating a problem

2006-10-17 Thread Jo Rhett

Daryl C. W. O'Shea wrote:
SA knows *nothing* about the connection that isn't in the headers.  In 
your example in this thread you had two headers, one that was added 
after SA saw it, and one that came in as DATA.


You believe the headers entirely?  Okay, so auto detection is even more 
broken than I thought.


As stated in the documentation, SA *requires* you to at least forge a 
received header for the local relay before passing the mail to SA.  This 
is the only way that SA can gather data about the connection, the 
envelope, etc.


Really?  Show me the docs.  I may have overlooked them.

If you were to be doing what is *required*, SA would see this forged 
received header, assume that it is the local trusted server (like the 
docs say it will do).  It'll then compare the IP addr info from the 
first forged received header to the one supplied by the remote host and 
see that it is not trusted and won't trust it -- just like you're 
bitching that it's not doing because you're not providing the correct 
input to SA.


SA should do the intelligent thing, and determine the local network from 
system calls.  It's not like it's written in C -- perl deals with the 
inconsistencies of system implementations for you.


Without checking the local interface, how do you know what the network 
is?  Are you assuming that my 64.x address is a class-A network? 
Seriously, auto detection can't possibly work if you're not checking the 
local interface addresses.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: How to automatically remove spam instead of marking it as [SPAM]

2006-10-17 Thread Theo Van Dinter
On Tue, Oct 17, 2006 at 02:33:04PM -0400, Gerhard Mourani wrote:
 I would like to know how to automatically remove detected Spam? I don't
 want spamassassin to deliver the spam with a [SPAM] tag at the beginning of
 the message but prefer to send it (the spam) directly to something like
 /dev/null

This is in the FAQ, but since SpamAssassin doesn't deliver mail, it only marks
it up, it can't redirect mail for you either.

Look at your MTA, milter, procmail, etc.

-- 
Randomly Selected Tagline:
Can I count to three? I'm already shooting at a fifth-grade level.
 - Stewie on Family Guy




Re: How to automatically remove spam instead of marking it as [SPAM]

2006-10-17 Thread Jerry Glomph Black
SA scans and marks inbound email messages, but does not directly dispose of 
them.   Typically your mail delivery agent (such as procmail) delivers the mail 
to a given destination, based on the headers as modified by SA.



Here's a simple case (procmail rule):
:0
* ^X-Spam-Status: Yes
/dev/null

_
http://www.bartleby.com/66/38/43638.html


On Tue, 17 Oct 2006, Gerhard Mourani wrote:


Hello,

I would like to know how to automatically remove detected Spam? I don't
want spamassassin to deliver the spam with a [SPAM] tag at the beginning of
the message but prefer to send it (the spam) directly to something like
/dev/null

--
Gerhard Mourani


Re: ALL_TRUSTED creating a problem

2006-10-17 Thread Jo Rhett

Jo Rhett wrote:
Oh. I get it.  We're trusting headers to be more accurate than 
getifaddrs() ?   Am I supposed to agree that this makes sense? 
Seriously...


Daryl C. W. O'Shea wrote:
Yeah, seriously.  Especially when your cluster of 50+ SA machines doesn't 
share the same interface as the other cluster of front-end MXes. 
Although I'd love to see that in action.


I don't see how that matters.  Clue me in.  If you know that you trust a 
remote network, then you would explicitly configure it.  Auto detection 
can't guess things like that.  But auto detection should be able to 
determine if something is on your local network or not.


Either that, or the documentation is completely wrong about what it 
tries to do.


Remember, not everyone uses the same apparently broken-ass milter that 
you're using.


Nice insult for something that nobody has documented.  It basically 
means that anything written not by you and yours is broken-ass by 
default because the vast majority of SA remains insufficiently 
documented to actually build interfaces to.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: This image is turning frequent..

2006-10-17 Thread Jo Rhett

Chris Santerre wrote:

I'm embarrassed to ask but, what cf file is that from?


[EMAIL PROTECTED] /usr/local/etc]$ find /var/lib/spamassassin -type f 
-exec grep -l SARE_GIF_STOX {} \;


/var/lib/spamassassin/3.001004/70_sare_stocks_cf_sare_sa-update_dostech_net/200609222100.cf


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: How to automatically remove spam instead of marking it as [SPAM]

2006-10-17 Thread John Andersen
On Tuesday 17 October 2006 10:33, Gerhard Mourani wrote:
 Hello,

 I would like to know how to automatically remove detected Spam? I don't
 want spamassassin to deliver the spam with a [SPAM] tag at the beginning of
 the message but prefer to send it (the spam) directly to something like
 /dev/null

 --
 Gerhard Mourani

Are you talking about the subject line? 
Not a good idea.
For instance, due to some glitch the entire mailing list of 
Suse had that inserted into the subject line.

Best to use the spamassassin inserted headers and the
number of stars or numerical spam  value to filter on.

Filtering on the spamassassin headers can be done by procmail or by your
email clients.  

If you use procmail (not every body does these days), you could put
This little bit in your /etc/procmailrc to send anything scoring 10 or 
higher to /dev/null

:0
* ^X-Spam-Status:.*score=[1-9][0-9]
{

:0
/dev/null
}



-- 
_
John Andersen
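The header-driven filtering that the procmail recipes in this thread rely on, as an added example (Python, not code from the thread): it parses the topmost X-Spam-Status header in both the amavisd-new layout quoted in the Citibank thread and spamd's own layout, routes the message by score and flag, and applies the `score=[1-9][0-9]` condition from the recipe above so the edge cases (9.9, negative scores, a message that never reached the scanner) are visible. The sample headers, scores and test names are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed header blocks, not from real mail.  "tagged_only" follows the
# amavisd-new layout quoted in the Citibank thread above; the others use the
# layout spamd writes itself.  Scores and test names are made up.
SAMPLES: Dict[str, str] = {
    "tagged_only": """\
X-Spam-Flag: YES
X-Spam-Status: Yes, score=4.012 tagged_above=-999 required=4
 tests=[AWL=-4.520, HTML_MESSAGE=0.001, NO_RECEIVED=2]
Subject: [SPAM] constructed sample
""",
    "high": """\
X-Spam-Status: Yes, score=12.7 required=5.0 tests=BAYES_99,URIBL_BLACK
 autolearn=spam version=3.1.4
Subject: constructed sample
""",
    "nine": """\
X-Spam-Status: Yes, score=9.9 required=5.0 tests=BAYES_99 autolearn=no
Subject: constructed sample
""",
    "ham": """\
X-Spam-Status: No, score=-4.3 required=5.0 tests=AWL,BAYES_00
 autolearn=ham version=3.1.4
Subject: constructed sample
""",
    "unscanned": "Subject: constructed sample that never reached the scanner\n",
}

STATUS_RE = re.compile(r"^X-Spam-Status:\s*(Yes|No),\s*(.*)$", re.I)
NUMBER_RE = re.compile(r"\b(score|required)=(-?\d+(?:\.\d+)?)")
TESTS_RE = re.compile(r"\btests=(\[[^\]]*\]|\S+)")
# The condition from the procmail recipe above, applied the way procmail
# does: one physical header line, a score with two digits before the point.
PROCMAIL_TEN_PLUS = re.compile(r"^X-Spam-Status:.*score=[1-9][0-9]", re.M)


def unfold(raw: str) -> List[str]:
    """Join folded continuation lines so each header is one logical line."""
    lines: List[str] = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    return lines


def parse_spam_status(raw: str) -> Optional[dict]:
    """Parse the topmost X-Spam-Status header; None if the message has none.

    Only the topmost copy is consulted: a remote sender can write X-Spam-*
    headers of its own, so the MTA should strip inbound ones before scanning.
    """
    for line in unfold(raw):
        match = STATUS_RE.match(line)
        if not match:
            continue
        rest = match.group(2)
        numbers = dict(NUMBER_RE.findall(rest))
        if "score" not in numbers:
            return None
        tests: List[str] = []
        tests_match = TESTS_RE.search(rest)
        if tests_match:
            body = tests_match.group(1).strip("[]")
            tests = [t.split("=")[0] for t in re.split(r",\s*", body) if t]
        return {"flag": match.group(1).lower() == "yes",
                "score": float(numbers["score"]),
                "required": float(numbers.get("required", "nan")),
                "tests": tests}
    return None


def route(raw: str, discard_at: float = 10.0) -> str:
    """What the delivery agent should do, judged from the scanner headers alone.

    'discard' at or above discard_at, 'spam' folder when flagged below that,
    'inbox' otherwise.  A message with no verdict also goes to 'inbox': the
    scanner was skipped or is broken, and failing open can be corrected later
    while a delivery to /dev/null cannot.
    """
    status = parse_spam_status(raw)
    if status is None:
        return "inbox"
    if status["score"] >= discard_at:
        return "discard"
    return "spam" if status["flag"] else "inbox"


def procmail_rule_matches(raw: str) -> bool:
    """True when the procmail recipe above would send the message to /dev/null."""
    return PROCMAIL_TEN_PLUS.search(raw) is not None


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12} route={route(raw):8} "
              f"procmail_10plus={procmail_rule_matches(raw)}")
```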


Re: This image is turning frequent..

2006-10-17 Thread Daryl C. W. O'Shea

Chris Santerre wrote:

I'm embarrassed to ask but, what cf file is that from?


[EMAIL PROTECTED] rulesets]$ grep SARE_GIF_STOX * -R | grep meta
70_sare_stocks.cf/20060803.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200608271034.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609062000.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609100500.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609100600.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609220500.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )
70_sare_stocks.cf/200609222100.cf:meta SARE_GIF_STOX ( SARE_GIF_ATTACH && __IMG_ONLY )

[EMAIL PROTECTED] rulesets]$


Re: SA Webmail Portal

2006-10-17 Thread Billy Huddleston
Okay, so next question.. might be totally out of topic for SA.. How can I 
make the front-end mail server know if an email exists on the backend 
server.. Example.. I use qmail on my front-end..  I don't like receiving 
tons of invalid emails just to turn around and attempt to deliver bounces 
that could possibly be going to honeypots or servers that don't take mail 
etc..  I solved this on my own domain by using a smtp vrfy script that 
checks against my backend mail server.. but since the other domains don't 
have mailboxes on my back-end server and it is only set up to relay their mail, 
it blindly accepts EVERYTHING for them..  any suggestions?


Thanks, Billy

- Original Message - 
From: Jo Rhett [EMAIL PROTECTED]

To: Chris St. Pierre [EMAIL PROTECTED]
Cc: Billy Huddleston [EMAIL PROTECTED]; users@spamassassin.apache.org
Sent: Tuesday, October 17, 2006 2:31 PM
Subject: Re: SA Webmail Portal



Chris St. Pierre wrote:

Remember, SA doesn't filter, file, deliver, or anything else.  You can
use it to munge the message, but anything else is up to other software
-- in this case, probably your IMAP server.


Not entirely true.   These options change the delivery address.  If you 
use these and also virtusertable, you could deliver tagged mail to a 
different location.


## ADDING ADDRESS EXTENSIONS TO RECIPIENTS - 'plus addressing'
# $recipient_delimiter = undef;
# $replace_existing_extension = 1;
# $addr_extension_virus  = undef;
# $addr_extension_banned = undef;
# $addr_extension_spam   = undef;
# $addr_extension_bad_header = undef;
# @addr_extension_virus_maps  = (\$addr_extension_virus);
# @addr_extension_banned_maps = (\$addr_extension_banned);
# @addr_extension_spam_maps   = (\$addr_extension_spam);
# @addr_extension_bad_header_maps = (\$addr_extension_bad_header);




--
Jo Rhett
Network/Software Engineer
Net Consonance





RE: This image is turning frequent..

2006-10-17 Thread Chris Santerre

 -Original Message-
 From: Jo Rhett [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, October 17, 2006 2:41 PM
 To: Chris Santerre
 Cc: users@spamassassin.apache.org
 Subject: Re: This image is turning frequent..
 
 
 Chris Santerre wrote:
  I'm embarrassed to ask but, what cf file is that from?
 
 [EMAIL PROTECTED] /usr/local/etc]$ find 
 /var/lib/spamassassin -type f 
 -exec grep -l SARE_GIF_STOX {} \;
 
 /var/lib/spamassassin/3.001004/70_sare_stocks_cf_sare_sa-update_dostech_net/200609222100.cf


Ahahahah I must be burnt. I'm looking all thru those files and couldn't find it.


...because I was searching for gix_stox! I'm going to go pour some coffee!


Thanks


--Chris 





Re: domainkeys unverified

2006-10-17 Thread Mark Martinec
Chris,

 No, I'm referring to the plugin patch, which according to bugzilla was
 going to be applied to 3.1.1 (so I assume I don't need to worry about
 this, since I'm using 3.1.4):
 http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4623

That patch is in the current code as far as I can tell
(looking at 3.1.7), but must have been applied for some time now.
The ticket is closed.

 I have Mail::DomainKeys 0.80, which I think should work.

It is a waste of time working with versions of Mail::DomainKeys so old;
there will be numerous false-positive signature failures.

Here is a brief list of issues fixed in the last couple of versions,
leading up to 0.86:
- folding of 'h' subfield of the DomainKey-Signature header field
  not understood, leading to incorrect list of headers to be applied
  to verification;
- subtag 'd' does not match subdomains;
- inappropriate unfolding of header fields when using a simple
  canonicalization algorithm;
- incompatibility of line endings with SA plugin, completely breaking
  simple canonicalization algorithm;
- inappropriately requires one whitespace character to be present
  after a colon in a header field;
- revoke the use of Email::Address (introduced in 0.82 or thereabout)
  in favour of previous Mail::Address in order to avoid endless loops
  on evaluating regexp on bad mail;

And without my patch, signed messages coming through SA users
(or similar) lists will not verify, because MLM adds a Sender field.

  Mark


RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 
 Right.  And rate limiting limits the real service.  Thus, you have ...
 oh yeah, DENIAL OF SERVICE.
 
 THINK! It's not hard.
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

Don't assume Jo.

You do not know specifically what I was talking about rate limiting and why
or how.

We model thinking outside of the box and therefore do not limit ourselves to
that which is known or perceived to be known...

Break out of the box, Jo.  :-)

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



RE: What's with UCEPROTECT List?

2006-10-17 Thread R Lists06
 
 Um, yes.  Well, I've seen it DoSed by just attempts to deliver to an
 address that doesn't exist. User not found after RCPT TO is the exact
 same traffic load.  That was very modern hardware, and it happened just
 a few weeks ago.
 
 Think about it.  It doesn't require you to stretch your brain to figure
 out the math involved.
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

Maybe you can elaborate on very modern hardware and what opsys and config
so we can really understand where you are coming from here in terms of the
math involved...

Please do share.

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net




Re: New ebay phish

2006-10-17 Thread Peter H. Lemieux

New phish looks like a LEGIT ebay message from another user


I handle all problems like this at the SMTP level using the old, but 
extremely powerful Obtuse smtpd daemon (http://sd.inodes.org/).  All 
inbound mail is collected by the smtpd daemon on my MX server, then 
passed to another machine for SA scanning and delivery.


The Obtuse daemon lets you write rules based on the sending server's 
identity (both IP and domain name) and the data contained in the MAIL 
FROM and RCPT TO fields in the SMTP exchange.


In the case of eBay, we only accept messages with an @ebay.com From 
address if they come from a server in *.ebay.com.  I've found this to be 
a very effective deterrent to phishing scams and use it with a number of 
banking and financial domains.  I also apply similar rules to messages 
from commonly-forged domains like AOL, Yahoo, hotmail, etc.


This approach occasionally runs afoul of people, usually on residential 
connections, who erroneously use their AOL or Yahoo address in the From, 
but mail out through another ISP's server.  When this happens I politely 
explain why there is a Reply-To header.  We process about 100K messages a 
week; these problems arise at most once a month.


The Obtuse daemon also has a function that can reject mail according to 
the domain of the sending server's DNS host.  That works well with some 
spamming operations that have dozens of bogus domains all pointing at a 
common DNS host.



Peter



RE: dealing with DoS attacks (Re: ALL_TRUSTED creating a problem)

2006-10-17 Thread R Lists06
 
 Yes, I know.  I'm actually one of the supertechs you refer to.  Er, at
 least top of the food chain in that regard :-)
 
 Law enforcement in Santa Clara is excellent, but they have to focus on
 the big fish.  This is small stuff to them.  It's also just small enough
 to fall under the radar of most providers, which argues to me that this
 guy is fairly clueful.  (guy because so far I've never met a woman who
 dealt with their emotional drama in such stupid ways)
 
Snip
 
 You pretty much nailed it.  The target is a DSL customer, so sending
 100mb/sec is isn't enough to raise the eyebrows of any modern service
 provider, but the DSL switch receiving that flood gets fairly unhappy
 and the target is completely offline.
 
 --
 Jo Rhett
 Network/Software Engineer
 Net Consonance

Jo

I kinda figured you were a supertech, so as you know document, document,
document and you will eventually get the idiot...

when I started doing this in the early 1990's we used to call the USWest
Interprise techs in Minnesota supertechs.

I made some friends there as we turned up a lot of frame relay and such...

So, as you know they can put flags in the switches to watch for those
traffic signs and alert log it and flag someone and they can get their Telco
Cops on it... they wear a badge and can carry a gun too.

It is a federal crime as I understand it, some of them wires cross state
boundaries etc.

:-)

Best wishes

 - rh

--
Robert - Abba Communications
   Computer & Internet Services
 (509) 624-7159 - www.abbacomm.net



Re: SA Webmail Portal

2006-10-17 Thread Chris St. Pierre
On Tue, 17 Oct 2006, Billy Huddleston wrote:

 Okay, so next question.. might be totally out of topic for SA.. How can I make
 the front-end mail server know if an email exists on the backend server..
 Example.. I use qmail on my front-end..  I don't like receiving tons of
 invalid emails just to turn around and attempt to deliver bounces that could
 possibly be going to honeypots or servers that don't take mail etc..  I solved
 this on my own domain by using a smtp vrfy script that checks against my
 backend mail server.. but since the other domains don't have mailboxes on my
 back-end server and it is only set up to relay their mail, it blindly accepts
 EVERYTHING for them..  any suggestions?

 Thanks, Billy

Are you asking how to prevent backscatter?

http://www.google.com/search?hs=NQZ&hl=en&lr=&c2coff=1&client=opera&rls=en&q=spam+backscatter&btnG=Search

If so, you'll need to look at your MTA.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University



Re: Is there any way to score this?

2006-10-17 Thread Peter H. Lemieux

Micke Andersson wrote:

excuse me for my ignorance, but is this really the correct approach
right now, since there are quite a lot of badly configured DNS servers out
there. Should this not be handled by the SMTP server as is instead!
And return an error code of 421 or something like this. Like AOL has
implemented at their servers, you will be informed as sender about the
problem, with a URL link to
http://postmaster.info.aol.com/errors/421dnsnr.html


Whatever opinions you may have about AOL, when they began rejecting mail 
without reverse-DNS entries a few years back, AOL's sheer size forced 
mail admins to make sure that their servers have both forward and reverse 
lookups enabled.  Heck, even random cable/DSL hosts usually have reverse 
lookups configured, usually something like 123-123-123-123.someisp.com. 
Most of the mail I see coming from servers without reverse-resolution is 
spam, usually from hosts in places like China.


Moreover, I'd much rather give such messages a relatively high SA score 
than reject them at the SMTP level.  False positives in the SMTP exchange 
cause ill-will with clients and their correspondents.


Or if one should have this above Rule, I myself would not, for the time 
being, have that high of a score,


I give these messages a score of 3.3 with an SA criterion of 4.0; I get 
very few false positives.



Peter


unsubscribe

2006-10-17 Thread ajmcello

unsubscribe


Re: unsubscribe

2006-10-17 Thread Evan Platt

At 12:24 PM 10/17/2006, you wrote:


unsubscribe


As the headers of each message say:

list-unsubscribe: mailto:[EMAIL PROTECTED] 



MailScanner Postfix

2006-10-17 Thread Gerhard Mourani
Was someone able to make MailScanner work correctly with Postfix??
I have MailScanner installed and configured to scan for Spam and Virus
through Postfix but it looks like it's not working as expected; I can see that
it starts its job but still too much spam is received. The only way for me to
really and correctly block the spam is via Postfix and Spamassassin
directly. If I include MailScanner into the process then a lot of spam is
NOT blocked.

-- 
Gerhard Mourani

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Re: SA Webmail Portal

2006-10-17 Thread DAve

Billy Huddleston wrote:

Anyone developed a webmail portal for Spamassassin?  What I mean by
this is.. Some sort of webmail which only has a spam folder so people
can see their spam.. anything else passes on through..  I'm running
SA in two manners.. One of which is going directly to my pop server
and tags all the spam.. and my pop server files stuff away
accordingly.. but, I'm also providing spam tagging services for other
customers.. whom are now requesting that they not get the spam, but
have a webmail portal page similar to Postini's  (also a nice place
to adjust their scores)

Thanks, Billy




If I understand your question then yes. We currently Virus scan and spam 
filter on our mail gateways and then forward to our toasters inside. We 
also do mail filtering for other clients' Exchange servers outside our 
network.


We set up MailScanner to hold all tagged spam within the quarantine and 
we send a daily quarantine report to each user every day. The user can 
then log into their quarantine and release spam messages which will then 
be delivered normally.


We use a heavily modified version of MailWatch for MailScanner to do this.

DAve

--
Three years now I've asked Google why they don't have a
logo change for Memorial Day. Why do they choose to do logos
for other non-international holidays, but nothing for
Veterans?

Maybe they forgot who made that choice possible.


sare suggestions.

2006-10-17 Thread Jo Rhett

Dylan Bouterse wrote:
 What SARE channels are you subscribing to? I just got the rules_du_jour
 script running and added several SARE channels and I'm seeing SARE in my
 amavisd log a LOT. Just wondering if there are certain highly
 recommended rule sets to use and those to stay away from that are too
 strict and produce false positives. Thanks for your feedback.

Please don't ask for offlist help.  Either everyone cares about the 
topic, or perhaps you shouldn't be mailing me anyway?


I don't use rulesdujour because it seems like too much hackery. 
sa-update (included with spamassassin) does it all very cleanly, and is 
supported by the team.  (sa-update is newer than rdj, so it's not really 
rdj's fault)


Frankly, I subscribed to almost every single ruleset on the 
rulesemporium page.  If I skipped any that weren't "do not use" then I 
don't know what they were.


--
Jo Rhett
Network/Software Engineer
Net Consonance


Re: New ebay phish

2006-10-17 Thread John D. Hardin
On Tue, 17 Oct 2006, Peter H. Lemieux wrote:

 The Obtuse daemon also has a function that can reject mail
 according to the domain of the sending server's DNS host.  That
 works well with some spamming operations that have dozens of bogus
 domains all pointing at a common DNS host.

Any stats for that?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  ...the Fates notice those who buy chainsaws...
  -- www.darwinawards.com
---
 14 days until Halloween



Re: What's with UCEPROTECT List?

2006-10-17 Thread Peter H. Lemieux

Marc Perkel wrote:
Sender Verification is an Exim trick. What it does is start a sequence 
where my server starts to send an email back to the sender address to 
see if it's a real email account. But I do a quit after the rcpt to: 
command. If the receiving end says the user doesn't exist then I block 
the email.


My incoming servers know literally nothing about which users have valid 
addresses and which do not.  All these servers do is accept or reject 
inbound mail based on a (long) list of SMTP-level rules and forward the 
messages that are accepted to another machine for SA and virus scanning.


If sender verification requires that the incoming server have a complete 
list of valid mailboxes, it's going to fail miserably here.  I don't see 
anything in the RFCs that makes my configuration non-compliant, do you?






RE: sare suggestions.

2006-10-17 Thread Dylan Bouterse
Thank you.

-Original Message-
From: Jo Rhett [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, October 17, 2006 3:59 PM
To: Dylan Bouterse; list_spamassassin
Subject: sare suggestions.

Dylan Bouterse wrote:
  What SARE channels are you subscribing to? I just got the rules_du_jour
  script running and added several SARE channels and I'm seeing SARE in my
  amavisd log a LOT. Just wondering if there are certain highly
  recommended rule sets to use and those to stay away from that are too
  strict and produce false positives. Thanks for your feedback.

Please don't ask for offlist help.  Either everyone cares about the 
topic, or perhaps you shouldn't be mailing me anyway?

I don't use rulesdujour because it seems like too much hackery. 
sa-update (included with spamassassin) does it all very cleanly, and is 
supported by the team.  (sa-update is newer than rdj, so it's not really
rdj's fault)

Frankly, I subscribed to almost every single ruleset on the 
rulesemporium page.  If I skipped any that weren't "do not use" then I 
don't know what they were.

-- 
Jo Rhett
Network/Software Engineer
Net Consonance


R: What's with UCEPROTECT List?

2006-10-17 Thread Giampaolo Tomassoni
 Marc Perkel wrote:
  Sender Verification is an Exim trick. What it does is start a sequence 
  where my server starts to send an email back to the sender address to 
  see if it's a real email account. But I do a quit after the rcpt to: 
  command. If the receiving end says the user doesn't exist then I block 
  the email.
 
 My incoming servers know literally nothing about which users have valid 
 addresses and which do not.  All these servers do is accept or reject 
 inbound mail based on a (long) list of SMTP-level rules and forward the 
 messages that are accepted to another machine for SA and virus scanning.
 
 If sender verification requires that the incoming server have a complete 
 list of valid mailboxes, it's going to fail miserably here.  I don't see 
 anything in the RFCs that makes my configuration non-compliant, do you?

Just to know, how does exim's sender verification function cope with greylisting? I 
mean, the first time exim attempts to check some user mailbox on a given mx 
with greylisting functions, it gets a 450 reply code. Does exim assume the 
sender address is forged in that case?

---
Giampaolo Tomassoni - IT Consultant
Piazza VIII Aprile 1948, 4
I-53044 Chiusi (SI) - Italy
Ph: +39-0578-21100
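The callout Marc describes in the quoted text (MAIL FROM, RCPT TO, then QUIT before any DATA), Giampaolo's question about what a 450 from a greylisting MX should mean, and Billy's earlier question about checking whether a recipient exists on a backend all come down to the same probe. The following is an added example of such a verifier, not Exim's code and not anything posted on the list: the HELO name verifier.example.invalid and every server reply it exercises are constructed for the demo, and how Exim itself treats a 450 is not asserted here. The point it makes is that only a 5xx reply to RCPT TO says "no such mailbox"; a 4xx at any step (greylisting, a busy server) is a temporary condition and has to come back as "unknown", never as proof of a forged address.

```python
"""
SMTP address verification by callout (added example, not Exim's code).

Sequence: banner, HELO, MAIL FROM:<>, RCPT TO:<addr>, QUIT. Nothing is ever
sent after RCPT, so no message is delivered to the probed address.

Reply handling:
  2xx on RCPT  -> address accepted
  5xx on RCPT  -> address permanently rejected
  4xx anywhere -> temporary failure (e.g. greylisting 450): UNKNOWN, not forged
"""
import socket
from enum import Enum


class Verdict(Enum):
    ACCEPTED = "accepted"   # remote side accepted the recipient (2xx)
    REJECTED = "rejected"   # remote side permanently refused it (5xx on RCPT)
    UNKNOWN = "unknown"     # temporary failure or protocol trouble; do not block


def reply_class(reply):
    """First digit of an SMTP reply ("450 try later" -> 4)."""
    return int(reply[:3]) // 100


def verify_address(address, transport, helo_name="verifier.example.invalid"):
    """Probe one address over an already-connected transport.

    transport(None) returns the greeting banner; transport("CMD ...") sends a
    command line and returns the (possibly multi-line) reply as one string.
    """
    verdict = Verdict.UNKNOWN
    try:
        if reply_class(transport(None)) != 2:              # banner
            return verdict
        if reply_class(transport(f"HELO {helo_name}")) != 2:
            return verdict
        # Null reverse-path: RFC 5321 requires servers to accept it, so a
        # refusal here says nothing about the probed mailbox.
        if reply_class(transport("MAIL FROM:<>")) != 2:
            return verdict
        rcpt = reply_class(transport(f"RCPT TO:<{address}>"))
        if rcpt == 2:
            verdict = Verdict.ACCEPTED
        elif rcpt == 5:
            verdict = Verdict.REJECTED
        return verdict                                     # 4xx stays UNKNOWN
    except (OSError, ValueError, KeyError):
        return Verdict.UNKNOWN
    finally:
        try:
            transport("QUIT")                              # never proceed to DATA
        except Exception:
            pass


def socket_transport(host, port=25, timeout=30):
    """Real transport over TCP; not exercised by the offline demo below."""
    sock = socket.create_connection((host, port), timeout)
    reader = sock.makefile("rb")

    def read_reply():
        lines = []
        while True:
            raw = reader.readline()
            if not raw:
                raise ConnectionError("peer closed connection")
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            if len(line) < 4 or line[3] != "-":            # "250-" continues
                return "\n".join(lines)

    def transport(line):
        if line is not None:
            sock.sendall((line + "\r\n").encode("ascii"))
        return read_reply()

    return transport


class ScriptedServer:
    """Offline stand-in for a remote MX, answering from constructed replies."""

    def __init__(self, replies):
        self.replies = replies          # keyed by verb: BANNER, HELO, MAIL, RCPT, QUIT
        self.transcript = []            # (command sent, reply received)

    def __call__(self, line):
        verb = "BANNER" if line is None else line.split()[0].upper()
        reply = self.replies[verb]
        self.transcript.append((line, reply))
        return reply


def demo():
    """Three constructed remote servers; returns the verdict for each."""
    base = {"BANNER": "220 mx.example.invalid ESMTP", "HELO": "250 Hello",
            "MAIL": "250 OK", "QUIT": "221 Bye"}
    servers = {
        "existing mailbox": {**base, "RCPT": "250 Recipient OK"},
        "unknown user": {**base, "RCPT": "550 5.1.1 No such user"},
        "greylisting": {**base, "RCPT": "450 4.7.1 Greylisted, try again later"},
    }
    return {name: verify_address("someone@example.invalid", ScriptedServer(r))
            for name, r in servers.items()}
```

Against a real MX you would pass `socket_transport(host)` instead of a `ScriptedServer`. Anything that comes back UNKNOWN is a reason to defer or to score, not to reject: a greylisting site will answer the same 450 to your probe that it answers to any first contact, and a verifier that reads that as "forged" rejects legitimate mail.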



Re: ALL_TRUSTED creating a problem

2006-10-17 Thread David B Funk
On Tue, 17 Oct 2006, Jo Rhett wrote:

 Bowie Bailey wrote:
  Unless you specify it in the configuration, SA has no idea what
  servers are local for you.  In this case, it has to make a guess so it
  makes the (fairly reasonable) assumption that the most recent received
  header comes from a local MX.

 Oh. I get it.  We're trusting headers to be more accurate than
 getifaddrs() ?   Am I supposed to agree that this makes sense? Seriously...


Yes, because the headers are -supposed- to be the audit-trail that
reports the networks that the SMTP sessions passed thru. These may
have nothing to do with the network that the SA box sits on.

It is entirely reasonable to have a SA scanning appliance that has
NO smtp traffic on it; it might even be on a completely different
network from the MTA hosts (the MTAs would be using spamc/spamd connects
to get the messages to the SA appliance). In which case, if
SA were to assume that the local interfaces that it can fondle
have anything to do with the mail stream, it would be seriously broken.

BTW, RFC-2821 section 4.4 states that SMTP servers MUST add
Received headers that indicate the x-fer of the message.
So for your milter to hand a message to SA that lacks the corresponding
Received header cannot be anything but broken.

-- 
Dave Funk                              University of Iowa
dbfunk (at) engineering.uiowa.edu      College of Engineering
319/335-5751   FAX: 319/384-0549       1256 Seamans Center
Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
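To make Dave's point concrete, here is an added example, not SpamAssassin's code, of a simplified trust walk over Received headers. It requires a configured trusted_networks list and does not model SA's inference heuristics for the unset case. The header text, the relay addresses (203.0.113.77 for the DSL host, 10.0.0.5 on its LAN) and the network list in OUR_NETS are all constructed; in particular, treating 10.0.0.0/8 as trusted is an assumption made to show how an ALL_TRUSTED result arises when the MX's own Received header never reaches the scanner.

```python
"""
Trust-path walk over Received headers (added example, not SpamAssassin's code).

Headers are examined most recent first. Each hop stays trusted while the
relay that connected is inside trusted_networks; the first relay outside
them is the external IP worth checking against DNSBLs, and every hop below
it is untrusted. If the walk runs out of headers, every hop was trusted,
which is the condition behind ALL_TRUSTED.
"""
import ipaddress
import re

# The connecting relay as MTAs record it: "from host (helo [192.0.2.10])".
# IPv4 only, which is enough for the scenario shown here.
_RELAY_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def relay_ip(received):
    """IPv4 address of the relay that handed the message to the 'by' host."""
    match = _RELAY_IP.search(received)
    return ipaddress.ip_address(match.group(1)) if match else None


def trust_walk(received_headers, trusted_networks):
    """Return (trusted_ips, first_untrusted_ip, all_trusted)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    if not nets:
        # SA guesses in this situation; this model deliberately does not.
        raise ValueError("trusted_networks must be configured for this model")
    trusted = []
    for header in received_headers:
        ip = relay_ip(header)
        if ip is None or not any(ip in net for net in nets):
            return trusted, ip, False
        trusted.append(ip)
    return trusted, None, True


# Constructed headers for one message, most recent first. H_MX is the header
# our own MX writes when the DSL host connects to it; the milter case in the
# thread is a message handed to SA before that header exists.
H_MX = ("from dsl-77.isp.example.invalid (dsl-77.isp.example.invalid [203.0.113.77]) "
        "by mx.example.invalid (Postfix) with ESMTP id CONSTRUCTED1")
H_SENDER = ("from winbox (winbox.lan [10.0.0.5]) "
            "by dsl-77.isp.example.invalid with SMTP id CONSTRUCTED2")

# Assumption for the demo: our MX network plus the RFC 1918 10/8 range.
OUR_NETS = ["192.0.2.0/24", "10.0.0.0/8"]


def demo():
    """The same message with and without the MX's Received header."""
    return {
        # Full header set: the DSL host's public IP is the first untrusted relay.
        "complete": trust_walk([H_MX, H_SENDER], OUR_NETS),
        # MX header missing: the only visible relay is a 10/8 address that the
        # configuration trusts, so every hop looks trusted -> ALL_TRUSTED.
        "mx_header_missing": trust_walk([H_SENDER], OUR_NETS),
        # MX header missing and 10/8 not trusted: the "external" IP found is a
        # private address, useless for any network-based check.
        "mx_header_missing_lan_untrusted": trust_walk([H_SENDER], ["192.0.2.0/24"]),
    }
```

The second and third cases are the same broken input; the configuration only decides which wrong answer you get. Either way the 203.0.113.77 that actually connected to the MX is invisible to the scanner, which is why the fix belongs in the MTA/milter hand-off and not in trusted_networks.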

