RE: Big trouble
> There is another discussion on this list about rules that catch these sorts
> of messages. Check that out for ideas. For what it is worth these are the
> rules I get:
>
> Content analysis details: (10.5 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
>  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
>  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
>  0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>                             [score: 1.]
>  2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
>                             [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
>  1.0 RCVD_IN_JANET_RBL      RBL: Relay in JANET MAPS RBL+ RBL
>                             [102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
>  0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

I get:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 TW_GD                  BODY: Odd Letter Triples with GD
 0.1 TW_LG                  BODY: Odd Letter Triples with LG
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3955]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.6 AWL                    AWL: From: address is in the auto white-list

But only some hours after I had received the messages.. I suppose that at that time the score assigned by your SA was lower than what you just reported above.. (maybe at that time the IP 102.176.29.76 was not DNSBL-listed).

Anyway, I figure that your SA uses different rulesets from mine.. Could you instruct me about a good set of rulesets I should use to lower the chance that spam passes through my spam scanner, while maintaining a good level of performance?

TIA,
rocsca
RE: Big trouble
Mark Martinec wrote:
>> 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
>>                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
>
> I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
> (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED, which are nonzero)
>
> rules/50_scores.cf :
> score RCVD_IN_WHOIS_BOGONS 0 # n=0 n=1 n=2 n=3

I don't understand.. maybe my remark is wrong, but I get this score for the rule above:

 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]

Anyway, what makes you say that the score for RCVD_IN_WHOIS_BOGONS is 0?

rocsca
Re: Big trouble
Hi,

Rocco Scappatura wrote:
>> There is another discussion on this list about rules that catch these
>> sorts of messages. Check that out for ideas. For what it is worth these
>> are the rules I get:
>>
>> Content analysis details: (10.5 points, 5.0 required)
>> [...]
>>  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
>> [...]
>
> I get:
> [...]
> -0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
> [...]
>
> But only some hours after I had received the messages.. I suppose that at
> that time the score assigned by your SA was lower than what you just
> reported above.. (maybe at that time the IP 102.176.29.76 was not
> DNSBL-listed).
>
> Anyway, I figure that your SA uses different rulesets from mine.. Could
> you instruct me about a good set of rulesets I should use to lower the
> chance that spam passes through my spam scanner, while maintaining a good
> level of performance?

The biggest difference is that my Bayes system scored it as BAYES_99, which adds 3.5 points, and your Bayes system scored it as BAYES_40, which subtracted 0.2 points.

I did get a few of those emails come through at the start, but by feeding them into my Bayes system they now get caught.

--
Anthony Peacock
CHIME, Royal Free University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
"If you have an apple and I have an apple and we exchange apples then you and I will still each have one apple. But if you have an idea and I have an idea and we exchange these ideas, then each of us will have two ideas." -- George Bernard Shaw
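The comparison in this thread comes down to which rules fired on each host, and Anthony's point is that most of the gap is Bayes. The following Python script is an added example for this page, not code from the list posters or from SpamAssassin itself: it parses two "Content analysis details" listings (constructed here from the rule names and scores quoted above) and splits the score gap into the part coming from rules whose result depends on when the scan ran (DNSBL lookups, Bayes, AWL, which is what Rocco suspects about the bogons listing) and the part that can actually be attributed to different rule sets or configuration. The prefix list used to classify rules as time-dependent is an assumption of this example.

```python
"""Compare two SpamAssassin 'Content analysis details' listings and show
which rules account for the difference in total score.

Added example for this thread; not code from the list posters or from
SpamAssassin. REPORT_A and REPORT_B are constructed from the rule names
and scores quoted in the thread (no totals are given for the second one
on the page; it is summed here).
"""
import re

REPORT_A = """\
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
 1.0 RCVD_IN_JANET_RBL      RBL: Relay in JANET MAPS RBL+ RBL
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
"""

REPORT_B = """\
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 TW_GD                  BODY: Odd Letter Triples with GD
 0.1 TW_LG                  BODY: Odd Letter Triples with LG
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.6 AWL                    AWL: From: address is in the auto white-list
"""

# One report line: score, rule name, free-text description.
LINE_RE = re.compile(r'^\s*(-?\d+(?:\.\d+)?)\s+([A-Z0-9_]+)\s+(.*)$')

# Rule families whose result depends on *when* the message was scanned:
# DNSBL/URIBL answers change as listings come and go, Bayes and AWL change
# as they are trained. Differences in these say nothing about rule sets.
# (Assumed classification for this example.)
TIME_DEPENDENT_PREFIXES = ('RCVD_IN_', 'URIBL_', 'BAYES_', 'AWL')


def parse_report(text):
    """Return {rule_name: (score, description)} for one listing."""
    hits = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits[m.group(2)] = (float(m.group(1)), m.group(3).strip())
    return hits


def total(hits):
    return round(sum(score for score, _ in hits.values()), 1)


def diff_reports(a, b):
    """Rules that hit on only one side, or with a different score, mapped
    to their contribution to total(a) - total(b)."""
    out = {}
    for rule in set(a) | set(b):
        sa = a[rule][0] if rule in a else 0.0
        sb = b[rule][0] if rule in b else 0.0
        if rule not in a or rule not in b or sa != sb:
            out[rule] = round(sa - sb, 1)
    return out


def time_dependent(hits):
    """Rule names whose hit/miss can differ between two scans of the same
    message taken hours apart."""
    return {r for r in hits if r.startswith(TIME_DEPENDENT_PREFIXES)}


def explain(a, b):
    """Split the score gap into a 'ruleset/config' part and a
    'time dependent' part so the two can be investigated separately."""
    d = diff_reports(a, b)
    volatile = time_dependent(a) | time_dependent(b)
    gap_volatile = round(sum(v for r, v in d.items() if r in volatile), 1)
    gap_ruleset = round(sum(v for r, v in d.items() if r not in volatile), 1)
    return {'gap': round(total(a) - total(b), 1),
            'time_dependent': gap_volatile,
            'ruleset': gap_ruleset}


if __name__ == '__main__':
    a, b = parse_report(REPORT_A), parse_report(REPORT_B)
    print('totals:', total(a), total(b))
    for rule, delta in sorted(diff_reports(a, b).items(), key=lambda kv: -abs(kv[1])):
        print(f'{delta:+5.1f}  {rule}')
    print(explain(a, b))
```

On these two listings the second one sums to 5.9 points, so the gap is 4.6; 4.1 of that sits in BAYES_*, RCVD_IN_* and AWL, and only 0.5 points come from rules that are present on one host and not the other. That is the same conclusion as above, reached by arithmetic rather than by eye, and it is the check worth running before changing rule sets on the strength of one message.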
Re: KAUF-TIPP DER WOCHE spam getting through
On 3/28/07, [EMAIL PROTECTED] wrote:
> On Wed, 28 Mar 2007, Panagiotis Christias wrote:
>> the last days we get a lot of spam like this:
>>
>> KAUF-TIPP DER WOCHE
>
> I wrote a few of my own rules especially to catch those stock scams
> together with bayes. If you don't have any people who should write to you
> in German you can also use the X-Languages tag to boost the score if the
> mail is written in German.
>
> Here are my current rules, which should also catch the German stocks.
> Maybe there are some false positives in a real stock environment, but
> for me they work fine:
>
> body __HILO_STOCKS1 /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i
> # "Grow||High" had an empty alternative, which lets the group match the empty string
> body __HILO_STOCKS2 /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
> # this rule was also named __HILO_STOCKS2; a second definition replaces the
> # first, so it gets its own name and is added to the meta rule below
> body __HILO_STOCKS2B /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
> body __HILO_STOCKS3 /our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]/i
> body __HILO_STOCKS4 /\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
> body __HILO_STOCKS5 /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d/i
> body __HILO_STOCKS9 /(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i
> # a price/amount pattern AND a pump-and-dump vocabulary hit
> meta HILO_STOCKS ((__HILO_STOCKS1 || __HILO_STOCKS2 || __HILO_STOCKS2B || __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5) && __HILO_STOCKS9)
> describe HILO_STOCKS Looks like stocks scam
> score HILO_STOCKS 3.0

my custom rule is just:

# KAUF_TIPP custom rule - christia Wed Mar 28 11:51:05 EEST 2007
body KAUF_TIPP /^KAUF-TIPP DER WOCHE$/
describe KAUF_TIPP German pump and dump stock spam with extremely low scores
score KAUF_TIPP 4.0

a bit rough maybe..
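The poster above admits there may be false positives "in a real stock environment"; the way to know is to run the rules over a handful of known ham and spam before assigning a score. The script below is an added example for this page, not code from the list posters or from SpamAssassin: it transcribes the body rules from the message above into Python regular expressions (the two rules that share the name __HILO_STOCKS2 are given distinct names, and the empty `||` alternative in __HILO_STOCKS1 is dropped), approximates how SA 3.x feeds text to body rules (line breaks removed, matching per paragraph, so `^...$` anchors a whole paragraph), and reports hit counts per rule on four constructed messages. The sample texts, the per-paragraph approximation and the stats layout are this example's own.

```python
"""Run the stock-scam body rules from this thread against a small
constructed ham/spam sample and report per-rule hit counts.

Added example for this thread, not code from the list posters or from
SpamAssassin. Regexes are transcribed from the rules above; the second
rule named __HILO_STOCKS2 is renamed __HILO_STOCKS2B and the empty '||'
alternative in __HILO_STOCKS1 is dropped. All sample messages are made up.
"""
import re

# (pattern, flags): the HILO rules are /i as posted; KAUF_TIPP is case-sensitive.
BODY_RULES = {
    '__HILO_STOCKS1': (r'(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)'
                       r'[\:\ \t]+\$[\d\ ]+?(.*)'
                       r'(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+', re.I),
    '__HILO_STOCKS2': (r'curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d', re.I),
    '__HILO_STOCKS2B': (r'[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d', re.I),
    '__HILO_STOCKS3': (r'our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]', re.I),
    '__HILO_STOCKS4': (r'\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])', re.I),
    '__HILO_STOCKS5': (r'(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d', re.I),
    '__HILO_STOCKS9': (r'(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]'
                       r'|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush'
                       r'|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)', re.I),
    'KAUF_TIPP': (r'^KAUF-TIPP DER WOCHE$', 0),
}
COMPILED = {name: re.compile(pat, flags) for name, (pat, flags) in BODY_RULES.items()}
PRICE_RULES = ('__HILO_STOCKS1', '__HILO_STOCKS2', '__HILO_STOCKS2B',
               '__HILO_STOCKS3', '__HILO_STOCKS4', '__HILO_STOCKS5')
SCORES = {'HILO_STOCKS': 3.0, 'KAUF_TIPP': 4.0}

# Constructed samples: two scam bodies, one legitimate company report that
# also talks about prices, one market newsletter.
SPAM_DE = """\
KAUF-TIPP DER WOCHE

Schluss-Stand: 0.45 EUR
Prognose: 2 Euro
Jetzt einsteigen!
"""
SPAM_EN = """\
Hot stock alert! Get in before the news hits.

Symbol: XYZQ
Price: $0.12
Last: $0.05
Expected : $1.50

Our last pick, ABCD, went up 300%. This one is on your radar.
"""
HAM_REPORT = """\
Quarterly report

Share price: $42 (Last: $40). Dividend of 5 cents per share.
Market outlook remains positive.
"""
HAM_NEWSLETTER = """\
Weekly market summary

Index closed at 5,400 points, up 2 percent on the week.
Analysts expect increased volatility ahead of the rate decision.
"""
SAMPLES = [(True, SPAM_DE), (True, SPAM_EN), (False, HAM_REPORT), (False, HAM_NEWSLETTER)]


def paragraphs(body):
    """Approximation of how SA 3.x feeds a body rule: text is split into
    paragraphs at blank lines and line breaks inside a paragraph are
    removed, so '^...$' anchors a whole paragraph, not a line."""
    return [' '.join(p.split()) for p in re.split(r'\n[ \t]*\n', body.strip()) if p.strip()]


def run_rules(body):
    """Hit/miss per rule for one body, plus the HILO_STOCKS meta rule."""
    paras = paragraphs(body)
    hits = {name: any(rx.search(p) for p in paras) for name, rx in COMPILED.items()}
    hits['HILO_STOCKS'] = any(hits[n] for n in PRICE_RULES) and hits['__HILO_STOCKS9']
    return hits


def score(body):
    hits = run_rules(body)
    return sum(pts for name, pts in SCORES.items() if hits[name])


def rule_stats(rule, samples):
    """Hit counts for one rule over (is_spam, body) pairs: the numbers a
    rule should be judged on before it gets a score."""
    stats = {'spam_hits': 0, 'spam_total': 0, 'ham_hits': 0, 'ham_total': 0}
    for is_spam, body in samples:
        kind = 'spam' if is_spam else 'ham'
        stats[kind + '_total'] += 1
        stats[kind + '_hits'] += run_rules(body)[rule]
    return stats


if __name__ == '__main__':
    for rule in ('HILO_STOCKS', 'KAUF_TIPP'):
        print(rule, rule_stats(rule, SAMPLES))
```

On this sample HILO_STOCKS catches both scams but also the quarterly report (a "price: $42 (Last: $40)" line plus the word "market" is all it takes), while the exact-paragraph KAUF_TIPP rule hits only the German scam. That is the trade-off the poster hints at: the broad meta rule buys recall at the cost of false positives on genuine financial mail, so its 3.0 points should be judged against ham from your own site, not just spam.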
Re: Big trouble
Rocco,

>>> 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on
>>
>> I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
>
> I don't understand.. maybe my remark is wrong, but I [do] get this
> score for the rules above

I said '3.2.0-rc1', didn't I?

Btw, I got 1800 messages hitting RCVD_IN_WHOIS_BOGONS in the last 24 hours since I re-enabled the rule (like 50.30.64.209, 180.48.158.64, 94.130.200.203, ...); 6 of these were possibly false positives (unconfirmed, half of them from the same mailing list).

Could it be that combined-HIB.dnsiplists.completewhois.com chokes under the load of a GA/perceptron run and stops responding? I've seen it unresponsive yesterday for about half an hour.

Mark
RE: whitelist and blacklist problem
Hi,

I have three servers and all have the same problem. I have sent you examples from the different servers, so that is where the version difference comes from.

Thanks

Fabien GARZIANO wrote:
> Hi,
>
> I don't know the answer to your question. But something looks weird in
> your example:
>
> Case 1 : version=3.1.8
> Case 2 : version=3.0.5
>
> Are you using the same SA setup for both cases?
>
> I hope it helps.
>
> -----Original Message-----
> From: lalit [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, 29 March 2007 09:52
> To: users@spamassassin.apache.org
> Subject: whitelist and blacklist problem
>
> I have configured spamassassin with mysql. Now it fetches whitelist and
> blacklist data from the userpref table. But mail is detected as spam in
> both cases, whether the user is in the whitelist or in the blacklist, and
> the spam report shows both that the user is in the blacklist and that the
> user is in the whitelist.
>
> case 1: when user is in whitelist
>
> X-Spam-Status: No, score=0.5 required=5.0 tests=AWL,HTML_MESSAGE,
>     MIME_HTML_MOSTLY,USER_IN_BLACKLIST,USER_IN_WHITELIST autolearn=no
>     version=3.1.8
>
> case 2: when user is in blacklist or not in whitelist, it gives the
> correct report
>
> X-Spam-Status: Yes, score=100.8 required=5.0 tests=AWL,HTML_90_100,
>     HTML_MESSAGE,NO_DNS_FOR_FROM,USER_IN_BLACKLIST autolearn=no
>     version=3.0.5
> X-Spam-Report:
>     * 100 USER_IN_BLACKLIST From: address is in the user's black-list
>     * 0.2 HTML_90_100 BODY: Message is 90% to 100% HTML
>     * 0.0 HTML_MESSAGE BODY: HTML included in message
>     * 1.1 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or A DNS records
>     * -0.5 AWL AWL: From: address is in the auto white-list
>
> How can I fix it? What is the cause of the problem?
Re: Big trouble
Mark Martinec writes:
> Rocco,
>
>>>> 2.4 RCVD_IN_WHOIS_BOGONS RBL: CompleteWhois: sender on
>>>
>>> I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
>>
>> I don't understand.. maybe my remark is wrong, but I [do] get this
>> score for the rules above
>
> I said '3.2.0-rc1', didn't I?
>
> Btw, I got 1800 messages hitting RCVD_IN_WHOIS_BOGONS in the last 24
> hours since I re-enabled the rule (like 50.30.64.209, 180.48.158.64,
> 94.130.200.203, ...); 6 of these were possibly false positives
> (unconfirmed, half of them from the same mailing list).

Yeah, there's a bug in the bz reporting that some big company uses bogon space internally, instead of the 10.x or 192.168.x networks, and that this escapes via the Received headers causing FPs.

> Could it be that combined-HIB.dnsiplists.completewhois.com chokes under
> the load of a GA/perceptron run and stops responding? I've seen it
> unresponsive yesterday for about half an hour.

odd. I guess that's a possibility... :(

--j.
Re: /etc/spamassassin or /var/lib/spamassassin?
Hi,

I have changed my reporting so it provides more information, and run --test-mode with a message marked as spam that should be whitelisted.

whitelist.cf contents:

whitelist_from [EMAIL PROTECTED]

when running spamassassin -D --lint, I see the following line

[18351] dbg: config: read file /etc/spamassassin/whitelist.cf

But when running test mode I still do not get any reports on it being hit by the whitelist. Help!

On Wed, Mar 28, 2007 at 03:51:43PM +0100, Mark Adams wrote:
> On Thu, Mar 22, 2007 at 04:40:27PM -0400, Bowie Bailey wrote:
>> Mark Adams wrote:
>>> On Fri, Mar 02, 2007 at 10:06:51AM -0500, Bowie Bailey wrote:
>>>> Is it scoring the whitelist lower or is it just not hitting? Can you
>>>> post your whitelist rule and the headers from an example message?
>>
>> And why do you think this message should have hit the whitelist? Show
>> me the From line in the email.
>
> Hi, Header excerpt below. Once again help appreciated.
>
> From: Guy Graham [EMAIL PROTECTED]
> X-Spam-Score: 40
> X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7
> X-Original-Recipient: [EMAIL PROTECTED]
Re: /etc/spamassassin or /var/lib/spamassassin?
Hi,

I would think we need to see the FULL headers of this example email before anyone can comment.

Mark Adams wrote:
> Hi,
>
> I have changed my reporting so it provides more information, and run
> --test-mode with a message marked as spam that should be whitelisted.
>
> whitelist.cf contents:
>
> whitelist_from [EMAIL PROTECTED]
>
> when running spamassassin -D --lint, I see the following line
>
> [18351] dbg: config: read file /etc/spamassassin/whitelist.cf
>
> But when running test mode I still do not get any reports on it being
> hit by the whitelist. Help!
>
> [...]
>> Hi, Header excerpt below. Once again help appreciated.
>>
>> From: Guy Graham [EMAIL PROTECTED]
>> X-Spam-Score: 40
>> X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7
>> X-Original-Recipient: [EMAIL PROTECTED]

--
Anthony Peacock
CHIME, Royal Free University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Using Postfix always_bcc for catching messages
I am running Postfix 2.3.5 with SA 3.1.7 and amavisd-new. If I catch a copy of all messages using the Postfix option always_bcc, will this work when learning those messages? I am wondering if the bcc address being in the header of all those messages will cause any learning issues regarding the address.

--
Robert
Re: /etc/spamassassin or /var/lib/spamassassin?
Thanks for your reply. Why would this make any difference? The headers checked for whitelist addresses are as follows:

  if Resent-From is set, use that; otherwise check all addresses taken
  from the following set of headers:
    Envelope-Sender
    Resent-Sender
    X-Envelope-From
    From

The only header that matches is From:, which is the header I posted below. It seems as if it is not reading the whitelist_from entries at all. Or whitelisting is somehow disabled, is that possible?

On Thu, Mar 29, 2007 at 02:19:06PM +0100, Anthony Peacock wrote:
> Hi,
>
> I would think we need to see the FULL headers of this example email
> before anyone can comment.
>
> Mark Adams wrote:
>> [...]
>> whitelist.cf contents:
>>
>> whitelist_from [EMAIL PROTECTED]
>> [...]
>>> From: Guy Graham [EMAIL PROTECTED]
>>> X-Spam-Score: 40
>>> X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7
>>> X-Original-Recipient: [EMAIL PROTECTED]
Re: /etc/spamassassin or /var/lib/spamassassin?
Hi,

Because, more often than not, the reason that whitelisting is not matching is that the headers you think are matching are not. Or there is a typo in the whitelist.cf file.

By not allowing us to see the entire header, you are making us guess.

Mark Adams wrote:
> Thanks for your reply. Why would this make any difference? The headers
> checked for whitelist addresses are as follows:
>
>   if Resent-From is set, use that; otherwise check all addresses taken
>   from the following set of headers:
>     Envelope-Sender
>     Resent-Sender
>     X-Envelope-From
>     From
>
> The only header that matches is From:, which is the header I posted
> below. It seems as if it is not reading the whitelist_from entries at
> all. Or whitelisting is somehow disabled, is that possible?
>
> [...]
>>>> From: Guy Graham [EMAIL PROTECTED]
>>>> X-Spam-Score: 40
>>>> X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7
>>>> X-Original-Recipient: [EMAIL PROTECTED]

--
Anthony Peacock
CHIME, Royal Free University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Re: /etc/spamassassin or /var/lib/spamassassin?
Ok, Fair enough.. I will change this listing to a whitelist_from_rcvd as I assume this list is farmed by spammers. (Should be using that always of course!)

Header below.

Envelope-to: [EMAIL PROTECTED]
Received: from hopnet.hopkins.co.uk ([10.0.0.23] helo=mail.hopkins.co.uk)
	by hopkins.co.uk with esmtp (Exim 4.63)
	(envelope-from [EMAIL PROTECTED])
	id 1HWSt9-0005j0-CG
	for [EMAIL PROTECTED]; Wed, 28 Mar 2007 08:48:11 +0100
Received: from [195.110.64.125] (helo=smtp.uk.colt.net)
	by mail.hopkins.co.uk with esmtp (Exim 4.63)
	(envelope-from [EMAIL PROTECTED])
	id 1HWSt4-0005FR-5z
	for [EMAIL PROTECTED]; Wed, 28 Mar 2007 08:48:11 +0100
Received: from mail.pdcmltd.co.uk (unknown [213.86.218.37])
	by smtp.uk.colt.net (Postfix) with ESMTP id 721B2126151;
	Wed, 28 Mar 2007 08:42:47 +0100 (BST)
Content-Class: urn:content-classes:message
Content-Transfer-Encoding: 7bit
Subject: Bury St Edmunds - Unit SU34
Importance: normal
Priority: normal
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=_=_NextPart_001_01C7710E.58A560A4
Date: Wed, 28 Mar 2007 08:54:43 +0100
Message-ID: [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.607
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Bury St Edmunds - Unit SU34
thread-index: AcdxDTLGeReHjG9FQsG+HfB3+1kiMg==
From: Guy Graham [EMAIL PROTECTED]
To: James Stonard [EMAIL PROTECTED], Steve Sawyer [EMAIL PROTECTED],
	[EMAIL PROTECTED], [EMAIL PROTECTED], Lindsay,Peter [EMAIL PROTECTED],
	Tony White [EMAIL PROTECTED]
Cc: Ivan Stephenson [EMAIL PROTECTED]
X-Spam-Score: 40
X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_
X-Original-Recipient: [EMAIL PROTECTED]

This is a multi-part message in MIME format.

On Thu, Mar 29, 2007 at 03:03:10PM +0100, Anthony Peacock wrote:
> Hi,
>
> Because, more often than not, the reason that whitelisting is not
> matching is that the headers you think are matching are not. Or there
> is a typo in the whitelist.cf file.
>
> By not allowing us to see the entire header, you are making us guess.
>
> [...]
Re: /etc/spamassassin or /var/lib/spamassassin?
I should also mention, we have a gateway mail server, hence the extra header. The spam scanning is done on the first header, so for proof this is pasted below.

Regards,

From [EMAIL PROTECTED] Wed Mar 28 08:48:11 2007
Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Received: from [195.110.64.125] (helo=smtp.uk.colt.net)
	by mail.hopkins.co.uk with esmtp (Exim 4.63)
	(envelope-from [EMAIL PROTECTED])
	id 1HWSt4-0005FR-5z
	for [EMAIL PROTECTED]; Wed, 28 Mar 2007 08:48:11 +0100
Received: from mail.pdcmltd.co.uk (unknown [213.86.218.37])
	by smtp.uk.colt.net (Postfix) with ESMTP id 721B2126151;
	Wed, 28 Mar 2007 08:42:47 +0100 (BST)
Content-Class: urn:content-classes:message
Content-Transfer-Encoding: 7bit
Subject: Bury St Edmunds - Unit SU34
Importance: normal
Priority: normal
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary=_=_NextPart_001_01C7710E.58A560A4
Date: Wed, 28 Mar 2007 08:54:43 +0100
Message-ID: [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.607
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Bury St Edmunds - Unit SU34
thread-index: AcdxDTLGeReHjG9FQsG+HfB3+1kiMg==
From: Guy Graham [EMAIL PROTECTED]
To: James Stonard [EMAIL PROTECTED], Steve Sawyer [EMAIL PROTECTED],
	[EMAIL PROTECTED], [EMAIL PROTECTED], Lindsay,Peter [EMAIL PROTECTED],
	Tony White [EMAIL PROTECTED]
Cc: Ivan Stephenson [EMAIL PROTECTED]
X-Redirect-To: [EMAIL PROTECTED]
X-Spam-Score: 40
X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7

This is a multi-part message in MIME format.

On Thu, Mar 29, 2007 at 03:11:15PM +0100, Mark Adams wrote:
> Ok, Fair enough.. I will change this listing to a whitelist_from_rcvd as
> I assume this list is farmed by spammers. (Should be using that always
> of course!)
>
> Header below.
>
> [...]
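The move from whitelist_from to whitelist_from_rcvd that Mark mentions is the right instinct, and the headers he posted show exactly what the second form looks at. The script below is an added example for this page, not SpamAssassin's own code: it models the two checks in a few dozen lines, an address glob on From: for whitelist_from, and for whitelist_from_rcvd the same glob plus the reverse DNS of the last relay outside trusted_networks, as written into the Received: line by our own MTA (the Postfix "HELO (RDNS [IP])" and Exim "RDNS ([IP] helo=HELO)" shapes seen above). The three messages, the hosts and addresses, and the assumption that trusted_networks is just the internal LAN behind the gateway are all constructed for the example; real SA also consults envelope-sender headers, which this model omits.

```python
"""whitelist_from versus whitelist_from_rcvd, reduced to the two checks
they make: an address glob on From:, and (for _rcvd) the reverse DNS of
the last relay outside trusted_networks as recorded by our own MTA.

Added example for this thread, not SpamAssassin's code. Messages, hosts
and addresses are constructed; TRUSTED_NETWORKS is assumed.
"""
import email
import ipaddress
import re
from email.utils import parseaddr

TRUSTED_NETWORKS = ['10.0.0.0/8']   # assumed: the LAN behind the gateway

# Received: shapes seen in this thread. Postfix writes the peer as
# "HELO (RDNS [IP])" with RDNS = "unknown" when the PTR is missing or does
# not resolve back to the IP; Exim writes "RDNS ([IP] helo=HELO)" or, with
# no RDNS, "[IP] (helo=HELO)".
RECEIVED_RES = [
    re.compile(r'^from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[\d.]+)\]\)'),
    re.compile(r'^from (?:(?P<rdns>[^\s\[(]+) )?\(?\[(?P<ip>[\d.]+)\]\s*\(?(?:helo=(?P<helo>[^\s)]+))?'),
]

MSG_LEGIT = """\
Received: from gw.example.net ([10.0.0.23] helo=mail.example.net)
    by example.net with esmtp (Exim 4.63) id 1AAAAA-000001-AA;
    Wed, 28 Mar 2007 08:48:11 +0100
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
    by mail.example.net (Postfix) with ESMTP id 0A1B2C3D4E;
    Wed, 28 Mar 2007 08:42:47 +0100 (BST)
From: Guy Graham <guy@sender.example>
Subject: Unit SU34

Genuine message from the whitelisted sender.
"""
# Same From:, delivered by an unrelated host whose reverse DNS merely
# *contains* the whitelisted domain: whitelist_from passes it, _rcvd does not.
MSG_FORGED = MSG_LEGIT.replace(
    'from mail.sender.example (mail.sender.example [198.51.100.7])',
    'from mail.sender.example (sender.example.evil.test [203.0.113.9])')
# Genuine sender whose MTA has no reverse DNS: the "unknown [ip]" case, which
# whitelist_from_rcvd cannot match either.
MSG_NO_RDNS = MSG_LEGIT.replace(
    'from mail.sender.example (mail.sender.example [198.51.100.7])',
    'from mail.sender.example (unknown [198.51.100.7])')

WHITELIST_FROM = ['*@sender.example']
WHITELIST_FROM_RCVD = [('*@sender.example', 'sender.example')]


def parse_received(value):
    """Return {'ip', 'rdns', 'helo'} for one Received: value, or None."""
    for rx in RECEIVED_RES:
        m = rx.match(value)
        if m:
            rdns = m.group('rdns')
            return {'ip': m.group('ip'),
                    'rdns': None if rdns in (None, 'unknown') else rdns,
                    'helo': m.group('helo')}
    return None


def last_untrusted_relay(msg, trusted=TRUSTED_NETWORKS):
    """Walk Received: headers top-down (newest first) and return the first
    relay whose IP is outside trusted_networks: the host that handed the
    mail to our infrastructure, whose rDNS our own MTA looked up."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    for value in msg.get_all('Received', []):
        relay = parse_received(value)
        if relay and not any(ipaddress.ip_address(relay['ip']) in n for n in nets):
            return relay
    return None


def glob_match(pattern, addr):
    """SA-style address glob: '*' and '?' wildcards, case-insensitive."""
    rx = re.escape(pattern).replace(r'\*', '.*').replace(r'\?', '.')
    return re.fullmatch(rx, addr, re.I) is not None


def rdns_in_domain(rdns, domain):
    """Anchored suffix match: 'sender.example.evil.test' must not pass."""
    if not rdns:
        return False
    rdns, domain = rdns.lower(), domain.lower()
    return rdns == domain or rdns.endswith('.' + domain)


def check(raw, whitelist_from, whitelist_from_rcvd, trusted=TRUSTED_NETWORKS):
    msg = email.message_from_string(raw)
    addr = parseaddr(msg.get('From', ''))[1]
    relay = last_untrusted_relay(msg, trusted)
    rdns = relay['rdns'] if relay else None
    return {
        'from': addr,
        'relay_rdns': rdns,
        'whitelist_from': any(glob_match(p, addr) for p in whitelist_from),
        'whitelist_from_rcvd': any(glob_match(p, addr) and rdns_in_domain(rdns, d)
                                   for p, d in whitelist_from_rcvd),
    }


if __name__ == '__main__':
    for name, raw in (('legit', MSG_LEGIT), ('forged', MSG_FORGED), ('no-rdns', MSG_NO_RDNS)):
        print(name, check(raw, WHITELIST_FROM, WHITELIST_FROM_RCVD))
```

Two things this makes visible about the headers in the thread. First, the relay that is checked is the last one outside trusted_networks, so for mail that arrives via an ISP relay (here smtp.uk.colt.net, which in turn received from "unknown [213.86.218.37]"), the domain given to whitelist_from_rcvd has to match that relay's reverse DNS, not the sender's own mail server, unless the relay is in trusted_networks. Second, a relay that shows up as "unknown [ip]" has no reverse DNS to compare, so whitelist_from_rcvd cannot match it at all; that is the price of a check that a From: forger cannot satisfy.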
Re: /etc/spamassassin or /var/lib/spamassassin?
Hi,

Nothing jumps out at me just looking at that.

You said you ran --lint with -D, did you run -t with -D?

Your Spam report is truncated so we can't see which rules are hit. When you run spamassassin in test mode you should see a fuller report of the rules that hit.

Mark Adams wrote:
> Ok, Fair enough.. I will change this listing to a whitelist_from_rcvd as
> I assume this list is farmed by spammers. (Should be using that always
> of course!)
>
> Header below.
>
> [...]
> Received: from mail.pdcmltd.co.uk (unknown [213.86.218.37])
> 	by smtp.uk.colt.net (Postfix) with ESMTP id 721B2126151;
> 	Wed, 28 Mar 2007 08:42:47 +0100 (BST)
> [...]
> From: Guy Graham [EMAIL PROTECTED]
> [...]
> X-Spam-Score: 40
> X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_
> X-Original-Recipient: [EMAIL PROTECTED]
>
> This is a multi-part message in MIME format.
>
> [...]

--
Anthony Peacock
CHIME, Royal Free University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Re: Big trouble
On Thu, Mar 29, 2007 at 12:37:56PM +0100, Justin Mason wrote:

Could it be that the combined-HIB.dnsiplists.completewhois.com chokes under the load of a GA/perceptron run and stops responding? I've seen it unresponsive yesterday for about half an hour.

odd. I guess that's a possibility... :(

Well, no actually, it couldn't possibly have anything to do with that -- the GA and perceptron simply process log files, they don't make queries. If you mean the score generation run, which finished weeks ago btw, it's possible but super highly unlikely. We only have a handful of people doing a run, and at max any of them are only going to be doing maybe 8 or 10 queries/sec, but much more likely it'd be 2-3 queries/sec. If RBL servers can't handle the massive 30 queries/sec that we'd be putting out, find another RBL. :)

-- 
Randomly Selected Tagline:
Has everybody had a cosmic breath? Ok, let's continue. - Susan Vick
Re: Using Postfix always_bcc for catching messages
On Thu, 2007-03-29 at 16:39 +0300, Henrik Krohns wrote:

On Thu, Mar 29, 2007 at 09:25:55AM -0400, Robert Fitzpatrick wrote:

I am running Postfix 2.3.5 with SA 3.1.7 and amavisd-new. If I catch a copy of all messages using the Postfix option of always_bcc, will this work when learning those messages? I am wondering if the bcc address being in the header of all those messages will cause any learning issues regarding the address.

Use the amavisd-new clean_quarantine method, it's a more logical way imho. This way you end up with a single mail per file. And you can find messages for learning easily by quarantine ID. More info and scripts by request. :)

Got your script, all works perfectly, thanks! My question is how do I know which archived id's to feed to your script to learn as spam, ham, etc?

-- 
Robert
SpamAssassin as a filter, without running a mail server?
Hello,

I've read the FAQ, and searched on Google for a couple of days now, but can't seem to find the answer I need. It may be that I'm simply asking the wrong question, or misunderstanding what I read, but hopefully someone here can help me.

I've been given the job of adding an Internet Content filter, firewall, and spam filter to a small network in a non-profit organization. Right now there are about 5 email accounts, and their mail server is at their web-host. Is it possible for me to run SpamAssassin as a filter on the firewall box, so that it simply filters email when the user retrieves it from the mail server:

  RemoteMailServer---[Firewall/Spamfilter/ContentFilter]-User's Machines

I have no access to the RemoteMailServer. The [Firewall/Spamfilter/ContentFilter] is a Ubuntu Dapper box running Shorewall and DansGuardian. The user machines are Win2k and WindowsXP.

I'd prefer not to mess with the user accounts, if possible, so that we can add new users or change email passwords without playing with the firewall box. With DansGuardian, I forward all http traffic to a specific port, it's filtered by DansGuardian, then forwarded on. Can I do the same thing with SpamAssassin? Forward all inbound smtp traffic through some sort of mail proxy and SA, or am I approaching this completely wrong?

Thanks for your help.

Chris
Amavis / SA / ClamAV
How many people use an Amavis setup to send messages through SA and possibly ClamAV?

Over the past month I have been trying to tweak my setup that has been running Postfix, SA, Cyrus-IMAP, and Sieve for awhile (running Debian), but wanted to add ClamAV to the mix (not sure why I didn't from the start, but oh well). Needless to say, most methods I am finding are using Amavis. My SA setup is working great, so I am not sure if I want to switch it up and have Amavis control everything as far as SA and ClamAV is concerned. This is primarily because I am not familiar with it, but also because my first attempt in using it failed earlier today. I have a relayhost setup that uses TLS, and it was causing problems with Amavis trying to route mail back to Postfix without TLS (or that is what I think the problem was).

Just curious as to how many people use Amavis vs simply using SA and/or ClamAV.

Jonathan Metts
sa-update too quiet
Could future versions of sa-update please be a little more vocal? Like maybe:

  no new updates found | loaded xxx new updates | error xxx

Exit codes are not evident when simply typing sa-update on the command line...
Re: Amavis / SA / ClamAV
On 3/29/07, Jonathan M Metts [EMAIL PROTECTED] wrote:

How many people use an Amavis setup to send messages through SA and possibly ClamAV? [...] Just curious as to how many people use Amavis vs simply using SA and/or ClamAV.

amavisd-new is very popular with postfix users - widely used and well supported by the author on the amavis-users mail list. But note well: there are numerous other products with similar names. AFAIK amavisd-new is the only amavis* that is currently maintained and I would suggest not using any other variant. See the amavisd-new web site for a detailed How-to on integrating with postfix. If you have trouble, ask on the amavis-users list - they're a helpful bunch.

It's also possible to use amavisd-new only for clamav and keep your existing SA setup if it's working well for you. There are other choices for integrating clamav into your system, notably clamsmtp.

  amavisd-new  http://www.ijs.si/software/amavisd/
  clamsmtp     http://memberwebs.com/nielsen/software/clamsmtp/

-- 
Noel Jones
Re: sa-update too quiet
On Thu, Mar 29, 2007 at 10:14:15AM -0700, Craig M wrote:

Could future versions of sa-update please be a little more vocal?

There's a RFE in bugzilla about mailing a report, perhaps a verbose option, etc. Patches welcome. :)

-- 
Randomly Selected Tagline:
The more RAM you have, the better -- M. Chambers
Re: Who is APEWS.ORG
Marc Perkel wrote:

Here's what they have on the /24 block that I'm part of.

Systems running abusive Spamdefense on other systems expense. (CR, SAV or similar crap) for running abusive and selfish SAV from there.

Are you using (SMTP) Sender Address Verifications? (Or Challenge Response?) If you are, you *will* be blacklisted by some systems and DNSBLs. Probably not only apews (whoever they are).

You might see that as filtering, but to the systems (including both spam traps and SMTP servers) you connect to in order to verify falsified senders your system looks and acts like a spammer or dictionary attacker.

/Jonas

-- 
Jonas Eckerman, FSDB Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/
RE: sa-update too quiet
Could future versions of sa-update please be a little more vocal? Like maybe: no new updates found | loaded xxx new updates | error xxx. Exit codes are not evident when simply typing sa-update on the command line...

I created my own simple batch file for Windows. It runs sa-update, checks the return code, creates a message (some/no updates), greps some basic info from the debug output so you can tell what got updated, and, using a Perl script, sends the message, report, and debug output to me in e-mail every morning. All this would be easy to do on any OS, I presume, since I didn't use any Windows-specific tools except for the batch language itself.

Here's what the batch file looks like (watch the line wrapping):

  call sa-update --channelfile sa-update-channels.txt --gpgkey 856AA88A -D 1>sa-update-out.txt 2>sa-update-dbg.txt
  rem errorlevel 1 is true for exit code 1 (no update) and for any higher error code
  if errorlevel 1 goto noupd
  echo Some rules updated.>sa-update-msg.txt
  goto makelog
  :noupd
  echo No updates available.>sa-update-msg.txt
  :makelog
  echo.>>sa-update-msg.txt
  echo Log files attached.>>sa-update-msg.txt
  c:\bat\grep -F -f sa-update-grep.txt sa-update-dbg.txt >sa-update-log.txt
  perl sa-update-send.pl <sa-update-msg.txt

And here's the perl script to send the e-mail:

  # E-mail notification settings. The download/version log is sent plus
  # if auto updating, the SA lint stdout and stderr are sent.
  # E-mail is only sent if there is a newer version of at least one rule file.
  # Set $mail_host to '' for no notification.

  my $from_address = '[EMAIL PROTECTED]';
  my $to_address   = '[EMAIL PROTECTED]';
  my $mail_host    = 'mail.wcg.org';
  my $subject      = 'SpamAssassin Rule Updates';

  use MIME::Lite;
  use Net::SMTP;

  # The message text (sa-update-msg.txt) arrives on standard input.
  my $message_body = '';
  while (<STDIN>) { $message_body .= $_ }

  if ($mail_host) {
      # Notify admins
      my $msg = MIME::Lite->new(
          From    => $from_address,
          To      => $to_address,
          Subject => $subject,
          Type    => 'multipart/mixed',
      ) or die "Error creating message: $!\n";
      $msg->attach(Type => 'TEXT', Data => $message_body)
          or die "Error adding the text message part: $!\n";
      $msg->attach(Type => 'text/plain', Path => 'sa-update-log.txt',
                   Filename => 'sa-update-log.txt', Disposition => 'attachment')
          or die "Error adding sa-update-log.txt: $!\n";
      $msg->attach(Type => 'text/plain', Path => 'sa-update-dbg.txt',
                   Filename => 'sa-update-dbg.txt', Disposition => 'attachment')
          or die "Error adding sa-update-dbg.txt: $!\n";
      $msg->attach(Type => 'text/plain', Path => 'sa-update-out.txt',
                   Filename => 'sa-update-out.txt', Disposition => 'attachment')
          or die "Error adding sa-update-out.txt: $!\n";
      MIME::Lite->send('smtp', $mail_host, Timeout => 60);
      $msg->send;
  }

HTH,
Bret
Re: SpamAssassin as a filter, without running a mail server?
On Thu, 29 Mar 2007, Chris Rouffer wrote:

I've read the FAQ, and searched on Google for a couple of days now, but can't seem to find the answer I need. [...] Is it possible for me to run SpamAssassin as a filter on the firewall box, so that it simply filters email when the user retrieves it from the mail server:

  RemoteMailServer---[Firewall/Spamfilter/ContentFilter]-User's Machines

I have no access to the RemoteMailServer.

It sounds to me like you have a few options:

(1) set up local mail accounts, and feed them off the hosted mailboxes using fetchmail. This would let you shim SA et al. into the local delivery path. Users would have to reconfigure their POP/IMAP settings to talk to the local mail server so it wouldn't be a change that is *completely* transparent to them.

(2) get some sort of POP proxy that allows messages to be filtered by SA (and possibly virus scanned). I don't know if the POP protocol lends itself to refusing to retrieve a message for administrative reasons, so that the proxy could retrieve the message and refuse to deliver it to the client if it scores high or is contaminated. Unfortunately I can't recommend any such as I've never had to implement one, but searching on "pop proxy" or "pop3 proxy" might help. Somebody else on the list may have direct experience and be able to offer better advice.

(3) go whole hog and set up a local MTA and mailbox server that is under your control, and point your domain's MX at it. That lets you do anything you want.

Sorry if you've already figured all these options out for yourself... :)

-- 
John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
[EMAIL PROTECTED]                     FALaholic #11174     pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
You are in a maze of twisty little protocols, all written by Microsoft.
---
15 days until Thomas Jefferson's 264th Birthday
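Option (1) in the reply above is the one that needs the least new infrastructure: fetchmail pulls the hosted POP3 mailbox and hands every message to a local delivery agent. The script below is an added example, not code from any post in this thread or from the fetchmail or SpamAssassin projects. It is the MDA half of that setup: it reads one message on stdin, runs it through spamc, reads the X-Spam-Status header spamc adds, and files the message into a Maildir (spam into .Junk). It assumes a local spamd, a Maildir under $HOME, and that fetchmail is pointed at it with an `mda` line such as `mda "/usr/local/bin/sa-deliver deliver"`; the SPAMC and MAILDIR variables exist so it can be exercised with a stand-in for spamc. Messages used in testing are constructed.

```shell
#!/bin/sh
# Added example (not from the list): an MDA script for fetchmail that runs
# each message through spamc and files spam into the Maildir's .Junk folder.
# Assumes spamd is running locally and the Maildir path below; both the
# spamc command and the Maildir are overridable for testing.
SPAMC=${SPAMC:-spamc}
MAILDIR=${MAILDIR:-$HOME/Maildir}

# Print "spam" or "ham" for a tagged message on stdin, from X-Spam-Status.
# A message without that header (e.g. spamd was down and spamc passed the
# message through untouched) counts as ham, so nothing is ever lost.
sa_verdict() {
  sed '/^$/q' | awk '
    tolower($0) ~ /^x-spam-status:[ \t]*yes/ { found = 1; print "spam"; exit }
    END { if (!found) print "ham" }'
}

# Write stdin as a new message into Maildir $1, via tmp/ then rename, as the
# Maildir format requires so a reader never sees a half-written file.
maildir_write() {
  dir=$1
  mkdir -p "$dir/tmp" "$dir/new" "$dir/cur"
  rnd=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
  name="$(date +%s).P$$R$rnd.$(uname -n)"
  cat > "$dir/tmp/$name" && mv "$dir/tmp/$name" "$dir/new/$name"
  printf '%s\n' "$dir/new/$name"
}

# MDA entry point: tag, classify, file.  Prints the path it delivered to.
# spamc returns the message unchanged if spamd is unreachable, so the
# failure branch only fires if spamc itself cannot run; 75 is EX_TEMPFAIL,
# which tells fetchmail the delivery did not happen.
deliver_filtered() {
  tagged=$($SPAMC) || return 75
  case $(printf '%s\n' "$tagged" | sa_verdict) in
    spam) dest=$MAILDIR/.Junk ;;
    *)    dest=$MAILDIR ;;
  esac
  printf '%s\n' "$tagged" | maildir_write "$dest"
}

# Deliver only when invoked with "deliver", so the file can also be sourced.
if [ "${1:-}" = deliver ]; then
  deliver_filtered
  exit $?
fi
```

The users' mail clients then read the local Maildir (via a local POP/IMAP server) instead of the hosted mailbox, which is the one change John notes is not transparent to them.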
Re: sa-update too quiet
Bret Miller wrote:

Could future versions of sa-update please be a little more vocal? Like maybe: no new updates found | loaded xxx new updates | error xxx. Exit codes are not evident when simply typing sa-update on the command line...

I created my own simple batch file for Windows. It runs sa-update, checks the return code, creates a message (some/no updates), greps some basic info from the debug output so you can tell what got updated, and, using a Perl script, sends the message, report, and debug output to me in e-mail every morning. All this would be easy to do on any OS, I presume, since I didn't use any Windows-specific tools except for the batch language itself.

[snip]

HTH,
Bret

Been using this script in a cron job (in the file /etc/cron.daily/sa-update.cron) for a bit now without any troubles, forget where I got it, might be I even wrote it myself, can't remember...

  #!/bin/sh
  #
  # update spamassassin
  #
  sa-update
  exitcode=$?
  if [ $exitcode -eq 0 ]
  then
    echo "Spamassassin rules updated."
    /etc/init.d/spamassassin restart
    spamassassin --lint
    exitcode2=$?
    if [ $exitcode2 -eq 0 ]
    then
      echo "Lint passed without error."
    fi
    exit
  fi
  if [ $exitcode -eq 1 ]
  then
    echo "Spamassassin update run - no new rules today."
    exit
  fi
  if [ $exitcode -ge 4 ]
  then
    echo "Spamassassin update exited with error code of $exitcode"
    exit
  fi
  #--eof--

-- 
Steve Lindemann                  __
Network Administrator           //\\   ASCII Ribbon Campaign
Marmot Library Network, Inc.    \\//   against HTML/RTF email,
url: http://www.marmot.org      //\\   vCards M$ attachments
email: mailto:[EMAIL PROTECTED]
voice: +1.970.242.3331 ext 16
fax: +1.970.245.7854
Re: Who is APEWS.ORG
On Thu, 29 Mar 2007, Jonas Eckerman wrote:

Are you using (SMTP) Sender Address Verifications? You might see that as filtering, but to the systems (including both spam traps and SMTP servers) you connect to in order to verify falsified senders your system looks and acts like a spammer or dictionary attacker.

Can anyone recommend a non-abusive way to validate email addresses?

-- 
John Hardin KA7OHZ
Re: Who is APEWS.ORG
John D. Hardin wrote:

Can anyone recommend a non-abusive way to validate email addresses?

Send an email to [EMAIL PROTECTED], and ask them?
Re: Who is APEWS.ORG
Jonas Eckerman wrote:

Are you using (SMTP) Sender Address Verifications? (Or Challenge Response?) If you are, you *will* be blacklisted by some systems and DNSBLs. Probably not only apews (whoever they are).

You might see that as filtering, but to the systems (including both spam traps and SMTP servers) you connect to in order to verify falsified senders your system looks and acts like a spammer or dictionary attacker.

/Jonas

Yes - I am - and I'm going to continue to use it because SAV works very well when done right and it is not abusive. What is abusive is when blocklists that say they are spam related blocklists are used to block for reasons other than spam. SAV is a very effective technology and it is not abusive and I'm not going to be bullied out of using it.
Sender Address Verification is NOT abouse and very effective
John D. Hardin wrote:

Can anyone recommend a non-abusive way to validate email addresses?

Yes - Sender Address Verification (SAV) works very well. It is not abusive. Especially the way Exim implements it.
Re: sa-update too quiet
On Thu, 29 Mar 2007, Craig M wrote:

Could future versions of sa-update please be a little more vocal? Like maybe: no new updates found | loaded xxx new updates | error xxx. Exit codes are not evident when simply typing sa-update on the command line...

It is the Unix Way for commands to be silent on success. You will understand why when you have hundreds of cronjobs running every night (or every hour, or every minute) and you try to check your email.

Any verbosity added to sa-update should be only at the behest of an extra argument. Such preserves the sanity of Unix SAs everywhere.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
Never send mail to [EMAIL PROTECTED]
Re: Dumping and restoring the AWL?
On Thu, Mar 29, 2007 at 12:41:47PM -0700, Adam Harrison wrote:

I see I can use sa-learn to dump and restore the Bayes db. Is there an equivalent for the AWL db?

There's no SA equivalent. You can use the BerkeleyDB tools though. Look at db_dump and db_recover.

-- 
Randomly Selected Tagline:
Remember that the next time when you're using virgin RAM, as opposed to RAM that's been touched. - Pat Beirnes
Re: Sender Address Verification is NOT abouse and very effective
On Thu, 29 Mar 2007, Marc Perkel wrote:

John D. Hardin wrote:

Can anyone recommend a non-abusive way to validate email addresses?

Yes - Sender Address Verification (SAV) works very well. It is not abusive. Especially the way Exim implements it.

I am not necessarily speaking of the context of a MTA. Example pulled out of thin air: if you had a corpus and you wanted to check the addresses within it, what would be a polite way to do so? Just open an SMTP connection and see what the far end says to RCPT TO:, but put a tight rate limit on it?

-- 
John Hardin KA7OHZ
Re: Sender Address Verification is NOT abouse and very effective
John D. Hardin wrote:

I am not necessarily speaking of the context of a MTA. Example pulled out of thin air: if you had a corpus and you wanted to check the addresses within it, what would be a polite way to do so? Just open an SMTP connection and see what the far end says to RCPT TO:, but put a tight rate limit on it?

Yes - that would work. Don't hit any one server faster than once a second.
Re: Sender Address Verification is NOT abouse and very effective
Marc Perkel wrote:

I am not necessarily speaking of the context of a MTA. Example pulled out of thin air: if you had a corpus and you wanted to check the addresses within it, what would be a polite way to do so? Just open an SMTP connection and see what the far end says to RCPT TO:, but put a tight rate limit on it?

Yes - that would work. Don't hit any one server faster than once a second.

And make a new connection per check. My server will start replying "invalid address" to everything once 5 invalid attempts with the same connection are made. Just FYI.

Regards,
Rick
proper whitelist to stop spoofing
Hello:

my user_prefs has:

  whitelist_from [EMAIL PROTECTED]
  whitelist_from_rcvd [EMAIL PROTECTED] hrndva.rr.com

A spammer spoofed my [EMAIL PROTECTED] so the whitelist gave it a -100.

my system is:

  pop/fetchmail--qmail+=+--vpopmail--procmail--maildir
                      |            |
                      +-qmail-scanner-+
                      (spamassassin+clamav)

Questions:

1. Is my whitelist correct for making sure only users from workdomain delivered by hrndva.rr.com are WL'd?
2. Can my system even see hrndva.rr.com from all switching around?
3. What is whitelist_from_rcvd looking at?

I tried to send the header, but it keeps getting this message rejected.

TIA,
Bill
Re: proper whitelist to stop spoofing
On Thu, 29 Mar 2007, Bill McCormick wrote:

  whitelist_from [EMAIL PROTECTED]

Lose that, it is trivially easy to forge.

A spammer spoofed my [EMAIL PROTECTED] so the whitelist gave it a -100.

See? :)

-- 
John Hardin KA7OHZ
Re: Check to see if my server is on Blacklists?
Thanks a bunch EVERYONE who helped me with this! I contacted my host with this. The tech support rep must have been able to get the server removed from psbl because it's not there anymore. And YES it was listed because when I used the link that someone provided for www.robtex.com, it showed up there. The tech has promised that the server will be removed from the SCBL by tomorrow.

Don Ireland wrote:

Is there some place I can go and see if my email server is on a blacklist? I just received a msg that it's on at least one--psbl.

Thanks.

Don Ireland
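The robtex lookup Don used is just a batch of DNS queries, and it is worth being able to run the same check from your own box so you notice a listing before your users do. The script below is an added example, not from any post in this thread: it reverses the octets of an IP, queries it under a DNSBL zone, and treats an A record in 127.0.0.0/8 as "listed" (the last octet often encodes the reason) and NXDOMAIN as "clean". The two zones are the PSBL (psbl.surriel.com) and SpamCop's SCBL (bl.spamcop.net), the two lists named in the thread; the zone names come from those lists' own documentation. The lookup command is a variable so the logic can be exercised without network access; the IP in the usage line is a constructed documentation address.

```shell
#!/bin/sh
# Added example (not from the list): check one of your own IPs against a few
# DNSBLs.  A DNSBL answers a query for <reversed-ip>.<zone> with an A record
# in 127.0.0.0/8 when the IP is listed and NXDOMAIN when it is not.
DNS_LOOKUP=${DNS_LOOKUP:-dnsbl_dig}

# Default resolver: print the A records for a name, nothing on NXDOMAIN.
dnsbl_dig() { dig +short "$1" A 2>/dev/null; }

# 192.0.2.25 -> 25.2.0.192; prints nothing for anything that is not four
# dotted numeric octets.
reverse_ip() {
  printf '%s\n' "$1" | awk -F. 'NF == 4 && $0 ~ /^[0-9.]+$/ { print $4 "." $3 "." $2 "." $1 }'
}

# dnsbl_check IP ZONE: prints "listed <answer>" or "clean"; returns 0 when
# listed, 1 when clean, 2 when the IP is malformed.
dnsbl_check() {
  rev=$(reverse_ip "$1")
  [ -n "$rev" ] || { echo "bad ip: $1" >&2; return 2; }
  ans=$($DNS_LOOKUP "$rev.$2" | head -n 1)
  case "$ans" in
    127.*) echo "listed $ans"; return 0 ;;
    *)     echo clean;         return 1 ;;
  esac
}

# The two lists named in this thread: PSBL and SpamCop's SCBL.
ZONES="psbl.surriel.com bl.spamcop.net"

# dnsbl_report IP: one line per zone the IP is listed in, then a count.
dnsbl_report() {
  ip=$1; hits=0
  for z in $ZONES; do
    if r=$(dnsbl_check "$ip" "$z"); then
      echo "$ip is $r in $z"; hits=$((hits + 1))
    fi
  done
  echo "$hits listing(s) for $ip"
}

# Usage (constructed address): dnsbl_report 192.0.2.25
```

Run it against the public IP your MTA sends from, not the internal one; a listing in a zone you do not use for filtering still matters, because the recipients who do use it will reject your mail.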
Re: Sender Address Verification is NOT abouse and very effective
John D. Hardin wrote:

I am not necessarily speaking of the context of a MTA. Example pulled out of thin air: if you had a corpus and you wanted to check the addresses within it, what would be a polite way to do so? Just open an SMTP connection and see what the far end says to RCPT TO:, but put a tight rate limit on it?

If someone was doing that to my server, I would consider it an attack, and blacklist them.

There is no polite way to do it. It's not polite to take advantage of someone else's resources without their permission. That's exactly what SAV does.

SAV is the same thing as TDMA/Challenge-Response, only the challenge is to the machine instead of the human. Most of the same arguments apply.
Re: Sender Address Verification is NOT abouse and very effective
John Rudd wrote:

If someone was doing that to my server, I would consider it an attack, and blacklist them.

There is no polite way to do it. It's not polite to take advantage of someone else's resources without their permission. That's exactly what SAV does.

SAV is the same thing as TDMA/Challenge-Response, only the challenge is to the machine instead of the human. Most of the same arguments apply.

The question was about a corpus of email. I assume that it means that the email is from multiple sources. So I doubt that someone running it would even be detectable by anyone else.
RE: proper whitelist to stop spoofing
-----Original Message-----
From: Bill McCormick [mailto:[EMAIL PROTECTED]]
Sent: Thursday, March 29, 2007 8:51 PM
To: users@spamassassin.apache.org
Subject: proper whitelist to stop spoofing

Hello:

my user_prefs has:

At least get rid of this one:

  whitelist_from [EMAIL PROTECTED]

  whitelist_from_rcvd [EMAIL PROTECTED] hrndva.rr.com

A spammer spoofed my [EMAIL PROTECTED] so the whitelist gave it a -100.

Smart spammer. How did they know? Was it one of your domains? Or was it your domain?
Re: proper whitelist to stop spoofing
Michael Scheidell wrote:

At least get rid of this one:

  whitelist_from [EMAIL PROTECTED]

A spammer spoofed my [EMAIL PROTECTED] so the whitelist gave it a -100.

Smart spammer. How did they know? Was it one of your domains? Or was it your domain?

It was the domain of the company where I work.

Thanks for all the speedy replies!!
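The point John and Michael make here, and the "which header is it really matching?" question from the whitelisting thread earlier on this page, are easiest to see side by side. The script below is an added example, not code from any post on this page and not SpamAssassin's own implementation: it emulates what whitelist_from looks at (the header precedence Mark quoted: Resent-From if present, otherwise Envelope-Sender, Resent-Sender, X-Envelope-From and From) and what whitelist_from_rcvd additionally requires (the reverse DNS of the connecting host as recorded in the topmost Received: header, which is what SpamAssassin compares when trusted_networks covers only your own MX). Both sample messages, the addresses, hostnames and IPs are constructed; only the relay domain hrndva.rr.com is taken from Bill's post. It is a simplified model: it reads a single-line Received: header and does not walk trusted_networks, so use it as a debugging aid for your own headers rather than as the reference behaviour.

```shell
#!/bin/sh
# Added example (not from the list): emulate whitelist_from and
# whitelist_from_rcvd on constructed messages to show why the first is
# trivially forged and the second is not.

# Print the address in header $1 of the header block on stdin, with any
# <...> wrapper removed.  Header-name comparison is case-insensitive.
extract_addr() {
  awk -v name="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
    index(tolower($0), name ":") == 1 {
      v = substr($0, length(name) + 2)
      if (match(v, /<[^>]*>/)) v = substr(v, RSTART + 1, RLENGTH - 2)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      print v
    }'
}

# Addresses whitelist_from would test for the message on stdin: Resent-From
# if present, otherwise Envelope-Sender, Resent-Sender, X-Envelope-From, From.
whitelist_from_candidates() {
  hdrs=$(sed '/^$/q')                  # header block only
  resent=$(printf '%s\n' "$hdrs" | extract_addr Resent-From)
  if [ -n "$resent" ]; then
    printf '%s\n' "$resent"
    return 0
  fi
  for h in Envelope-Sender Resent-Sender X-Envelope-From From; do
    printf '%s\n' "$hdrs" | extract_addr "$h"
  done
}

# Reverse DNS of the host that handed the message to our MX, from the first
# Received: line, which our own MTA wrote as "from HELO (rdns [ip])".
# Folded Received: headers are not handled; the samples keep it on one line.
first_relay_rdns() {
  sed '/^$/q' | sed -n '/^Received:/{s/.*(\([A-Za-z0-9.-]*\) \[[0-9.]*\]).*/\1/p;q;}'
}

# check_whitelist DIRECTIVE ADDRESS [RDNS_DOMAIN]   (message on stdin)
# Prints yes/no and returns 0/1.  whitelist_from matches on the address
# alone; whitelist_from_rcvd also needs the relay rdns to be RDNS_DOMAIN
# or a host beneath it.
check_whitelist() {
  msg=$(cat)
  hit=0
  for a in $(printf '%s\n' "$msg" | whitelist_from_candidates); do
    [ "$a" = "$2" ] && hit=1
  done
  if [ "$hit" != 1 ]; then echo no; return 1; fi
  case "$1" in
    whitelist_from) echo yes; return 0 ;;
    whitelist_from_rcvd)
      [ -n "$3" ] || { echo no; return 1; }
      rdns=$(printf '%s\n' "$msg" | first_relay_rdns)
      case "$rdns" in
        "$3"|*."$3") echo yes; return 0 ;;
        *)           echo no;  return 1 ;;
      esac ;;
    *) echo "unknown directive $1" >&2; return 2 ;;
  esac
}

# Constructed samples.  Both claim to be from bill@workdomain.example; only
# the second actually came in through an hrndva.rr.com relay.
FORGED='Received: from mail.example.net (dsl-203-0-113-7.example.org [203.0.113.7]) by mx.workdomain.example (Postfix) with ESMTP; Thu, 29 Mar 2007 20:51:00 +0100
From: Bill <bill@workdomain.example>
To: bill@workdomain.example
Subject: constructed forged sample

meet singles now'
LEGIT='Received: from smtp01.hrndva.rr.com (smtp01.hrndva.rr.com [192.0.2.25]) by mx.workdomain.example (Postfix) with ESMTP; Thu, 29 Mar 2007 20:51:00 +0100
From: Bill <bill@workdomain.example>
To: bill@workdomain.example
Subject: constructed genuine sample

see you tomorrow'

for sample in FORGED LEGIT; do
  eval "m=\$$sample"
  printf '%-6s whitelist_from=%s whitelist_from_rcvd=%s\n' "$sample" \
    "$(printf '%s\n' "$m" | check_whitelist whitelist_from bill@workdomain.example)" \
    "$(printf '%s\n' "$m" | check_whitelist whitelist_from_rcvd bill@workdomain.example hrndva.rr.com)"
done
```

Run as-is it reports the forged message as whitelisted by whitelist_from but not by whitelist_from_rcvd, and the genuine one as whitelisted by both. To answer Bill's third question with real mail, feed the script a saved message and compare first_relay_rdns against the domain in your whitelist_from_rcvd line; if your MX sits behind another relay of your own, that relay must be in trusted_networks so SpamAssassin looks one hop further out.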
Re: Using Postfix always_bcc for catching messages
On Thu, 2007-03-29 at 18:31 +0300, Henrik Krohns wrote:

On Thu, Mar 29, 2007 at 11:22:05AM -0400, Robert Fitzpatrick wrote:

Got your script, all works perfectly, thanks! My question is how do I know which archived id's to feed to your script to learn as spam, ham, etc?

Actually I'm not sure what your original question is now. If you meant autolearning or such, then the script is wrong of course. My script is for relearning manually false positives or spams. In that case you should already know what to do. :)

Yes, trying to come up with a semi-auto learn scheme. I am trying to use cyrus sieve filters to come up with as much ham and spam as possible, hence, trying to bcc a cyrus mailbox. Thanks for the script though, I am sure it is going to come in handy. I believe I'll archive as you suggest, let my sieve filters confirm ham and spam, delete the rest from my mailbox. So, do you think the bcc header will affect learning? That was my original question.

-- 
Robert
Re: sa-update too quiet
On Fri, 30 Mar 2007, Henrik Krohns wrote:
On Thu, Mar 29, 2007 at 03:50:52PM -0500, Chris St. Pierre wrote:
On Thu, 29 Mar 2007, Craig M wrote:

Could future versions of sa-update please be a little more vocal? Like maybe: no new updates found | loaded xxx new updates | error xxx. Exit codes are not evident when simply typing sa-update on the command line...

It is the Unix Way for commands to be silent on success. You will understand why when you have hundreds of cronjobs running every night (or every hour, or every minute) and you try to check your email.

I guess I'm stating the obvious, but >/dev/null 2>&1 works just fine here.

Actually, it doesn't. Dumping all output ensures that you don't see any errors that occur either. A command should be silent on success, noisy on error. I shouldn't have to worry about selectively discarding output in order to keep my inbox sane. (Or my shell scripts quiet, or...)

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
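A cron wrapper that follows Chris's rule (silent on success, noisy on error) without the ">/dev/null 2>&1" blanket is short enough to show in full. The script below is an added example, not from any post in this thread or from the SpamAssassin project. Compared with Steve's script earlier on this page it makes two changes a practitioner would want: output is produced only when something needs attention, and the new rules are linted before spamd is restarted, so a broken update never goes into service. It relies on sa-update's documented exit codes (0 = rules updated, 1 = no update available, anything else = error) and assumes the usual spamassassin --lint and init-script restart commands; all three commands are variables so the wrapper can be exercised with stand-ins.

```shell
#!/bin/sh
# Added example (not from the list): a quiet cron wrapper around sa-update.
# Nothing is printed unless a human needs to act; new rules are linted
# BEFORE spamd is restarted.  sa-update exit codes: 0 = rules updated,
# 1 = no update available, anything else = error.
SA_UPDATE=${SA_UPDATE:-sa-update}
SA_LINT=${SA_LINT:-"spamassassin --lint"}
SA_RESTART=${SA_RESTART:-"/etc/init.d/spamassassin restart"}

# Map an sa-update exit code to an action word.
sa_update_action() {
  case "$1" in
    0) echo updated ;;
    1) echo unchanged ;;
    *) echo error ;;
  esac
}

# Run the update.  Returns 0 silently when there is nothing to do or the
# new rules went in cleanly; otherwise prints to stderr and returns non-zero
# (the sa-update code for a download error, 2 for a failed restart, 3 when
# the new rules fail lint and spamd was deliberately left untouched).
sa_update_quiet() {
  out=$($SA_UPDATE 2>&1) && rc=0 || rc=$?
  case $(sa_update_action "$rc") in
    unchanged)
      return 0 ;;
    error)
      printf 'sa-update failed (exit %s):\n%s\n' "$rc" "$out" >&2
      return "$rc" ;;
    updated)
      if lint=$($SA_LINT 2>&1); then
        $SA_RESTART >/dev/null 2>&1 && return 0
        echo 'rules updated but spamd restart failed' >&2
        return 2
      fi
      printf 'new rules failed lint, spamd NOT restarted:\n%s\n' "$lint" >&2
      return 3 ;;
  esac
}

# Run only when invoked with "run", so the file can also be sourced.
if [ "${1:-}" = run ]; then
  sa_update_quiet
  exit $?
fi
```

Installed as /etc/cron.daily/sa-update with "run" as its argument, cron then mails you exactly the failure text and nothing else, which is what both Chris and Bret were after.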
Re: Who is APEWS.ORG
On Thu, 29 Mar 2007, John D. Hardin wrote:

Can anyone recommend a non-abusive *automated* way to validate email addresses?

Maybe you should ask the spammers. :)

Seriously, though, there are basically two options: VRFY (which many servers have disabled for just this reason); and starting a fake message and checking for recipient errors. Still, a lot of people don't reject mail for bum users, choosing instead to accept the mail and bounce it -- again, for precisely this reason.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
RFC: learn_spam script
#!/bin/bash
#DEBUG=$1

# Anything left in Trash is deleted; messages SA had already tagged as spam
# are reported to razor and pyzor on the way out.
if [ `ls -A /home/bill/Mail/Maildir/.Trash/cur | wc -l` -eq 0 ]
then
  echo -e "** no trash!! **\n"
else
  echo -e "** dumping trash **\n"
  for myfile in /home/bill/Mail/Maildir/.Trash/cur/*
  do
    grep -s -q "X-Spam-Status: Yes" "$myfile"
    if [ $? -eq 0 ]
    then
      echo -e "** report spam **\n"
      razor-report -home=/home/vpopmail/.razor "$myfile" 2>&1
      pyzor --homedir /etc/mail/spamassassin report < "$myfile" 2>&1
    fi
    rm "$myfile"
    sleep 10
  done
fi

# Everything in Junk is learned as spam, reported to razor and pyzor, then
# deleted.  Messages autolearn had filed as ham are forgotten from the same
# Bayes db first.
if [ `ls -A /home/bill/Mail/Maildir/.Junk/cur | wc -l` -eq 0 ]
then
  echo -e "** no spam to learn!! **\n"
else
  echo -e "** learning spam ... **\n"
  /usr/local/bin/sa-learn --username=vpopmail --dbpath /home/bill/Mail/.spamassassin \
    --prefs-file=/home/bill/Mail/.spamassassin/user_prefs \
    --spam /home/bill/Mail/Maildir/.Junk/cur 2>&1
  for myfile in /home/bill/Mail/Maildir/.Junk/cur/*
  do
    grep -s -q "autolearn=ham" "$myfile"
    if [ $? -eq 0 ]
    then
      echo -e "** un-learning ham for spam **\n"
      /usr/local/bin/sa-learn --username=vpopmail --dbpath /home/bill/Mail/.spamassassin \
        --forget "$myfile" 2>&1
    fi
    razor-report -home=/home/vpopmail/.razor "$myfile" 2>&1
    pyzor --homedir /etc/mail/spamassassin report < "$myfile" 2>&1
    sleep 10
    rm "$myfile"
  done
fi

# Ham: anything delivered in the last day that SA did not autolearn, outside
# the list folders and Junk.  The file list goes in a private temp file, not
# a fixed name in /tmp that another local user could pre-create or symlink.
HAMLIST=$(mktemp /tmp/ham.XXXXXX)
find /home/bill/Mail/Maildir -regex '.*/cur/.*$' -ctime -1 -exec grep -l "autolearn=no" {} \; \
  | grep -v '\.users\|\.sare-users\|\.Junk' > "$HAMLIST"
if [ -s "$HAMLIST" ]
then
  echo -e "** learning ham **\n"
  /usr/local/bin/sa-learn --username=vpopmail --dbpath /home/bill/Mail/.spamassassin \
    --prefs-file=/home/bill/Mail/.spamassassin/user_prefs --ham -f "$HAMLIST" 2>&1
else
  echo -e "** hmm ... no ham file in tmp **\n"
fi
rm -f "$HAMLIST"

chown vpopmail.vchkpw /home/vpopmail/domains/mccormick.ath.cx/bill/.spamassassin/bayes_toks
Re: Sender Address Verification is NOT abouse and very effective
On Thu, 29 Mar 2007, Marc Perkel wrote:

The question was about a corpus of email. I assume that it means that the email is from multiple sources.

Correct. Assume for the sake of argument that the distribution of domains being checked somewhat reflects the distribution of ISP sizes - for example, there would be more aol.com and hotmail.com addresses than most other domains. Also, duplicates would be collapsed so caching isn't really beneficial.

So I doubt that someone running it would even be detectable by anyone else.

Well, yes, but whether or not you get caught does not affect the morality or courtesy of an act...

-- 
John Hardin KA7OHZ
Re: Sender Address Verification is NOT abouse and very effective
Marc Perkel wrote:
> John Rudd wrote:
>> John D. Hardin wrote:
>>> On Thu, 29 Mar 2007, Marc Perkel wrote:
>>>> John D. Hardin wrote:
>>>>> Can anyone recommend a non-abusive way to validate email addresses?
>>>> Yes - Sender Address Verification (SAV) works very well. It is not abusive. Especially the way Exim implements it.
>>> I am not necessarily speaking of the context of a MTA. Example pulled out of thin air: if you had a corpus and you wanted to check the addresses within it, what would be a polite way to do so? Just open an SMTP connection and see what the far end says to RCPT TO:, but put a tight rate limit on it?
>> If someone was doing that to my server, I would consider it an attack, and blacklist them. There is no polite way to do it. It's not polite to take advantage of someone else's resources without their permission. That's exactly what SAV does. SAV is the same thing as TMDA/Challenge-Response, only the challenge is to the machine instead of the human. Most of the same arguments apply.
> The question was about a corpus of email. I assume that it means that the email is from multiple sources. So I doubt that someone running it would even be detectable by anyone else.

You can't control how many other people are doing the same probe at the same time. It might seem like batching from a corpus makes it better than doing live probes, but the fact is that you don't know, and can't know. All you can control is "am I going to probe for TMDA/SAV or not".

In a private message, John Hardin suggested that putting TMDA and SAV into the same lump isn't fair. I won't duplicate his email here (since that would be rude), but I will put my response here:

Consider the most common anti-TMDA argument:

Situation: One real sender address is forged on a couple million spam messages. A significant portion of the planet uses TMDA.

TMDA result: innocent forged sender's inbox gets targeted with 100's of thousands to millions of challenges. Their mail server gets flooded, and their inbox gets flooded.

SAV result: innocent forged sender's server gets targeted with 100's of thousands to millions of challenges. Server gets flooded.

In both cases, you're using the resources of someone else, who has not consented to be part of your anti-spam solution, for making your anti-spam decisions. That is absolutely rude, and possibly abusive and destructive, whether you're doing it live or in batches from a corpus.

The ONLY way in which SAV is better than TMDA is that it eliminates the innocent end user from the problem. However, it still involves the innocent mail server (and the innocent sysadmin, etc.).

If you want to deal with eliminating forgeries, require DK/DKIM. Any resource that impacts upon the forged sender (obtaining their public key) is at least consensual on their part (because they have offered their public key).
Detecting Vulnerable Link
I'm trying to create a rule that will detect a vulnerable link within a message:

body BADD_LINK /(?:href|src).*\.(?:bat|chm|dll|exe|lnk|pif|scr)['\s]/i
describe BADD_LINK Contains a link to a vulnerable file
score BADD_LINK 0.1

Something isn't right because tests show nothing is being detected. It could be, too, that I'm not looking at something right.
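The rule above is a body rule, and SpamAssassin matches body rules against the rendered text of the message, from which HTML tags (and with them every href= or src= attribute) have already been stripped; the pattern would only see markup as a rawbody rule, and even then its trailing ['\s] never matches a double-quoted attribute value. The Python harness below is an added illustration, not part of the original post or of SpamAssassin; its tag stripper and URI extractor are deliberately simplified stand-ins for SpamAssassin's rendering, run over a constructed sample HTML part.

```python
import re

# The rule as posted (Perl and Python regex syntax agree for this pattern;
# the /i flag becomes re.IGNORECASE).
BADD_LINK_BODY = re.compile(
    r"(?:href|src).*\.(?:bat|chm|dll|exe|lnk|pif|scr)['\s]", re.IGNORECASE)

# Assumed alternative written for a SpamAssassin 'uri' rule: uri rules are
# applied to each extracted URI on its own, so no href/src prefix is needed
# and the extension can be anchored to the end of the path.
BADD_LINK_URI = re.compile(
    r"\.(?:bat|chm|dll|exe|lnk|pif|scr)(?:[?#]|$)", re.IGNORECASE)

# Constructed sample HTML parts (not real messages): the same link written
# with double-quoted and with single-quoted attribute values.
SAMPLE_HTML_DQ = ('<html><body>Your invoice is attached. '
                  '<a href="http://example.invalid/files/invoice.exe">Download</a>'
                  '</body></html>')
SAMPLE_HTML_SQ = SAMPLE_HTML_DQ.replace('"', "'")


def rendered_text(html):
    """Simplified stand-in for what a 'body' rule sees: the rendered text,
    with every tag (and therefore every href/src attribute) removed."""
    return re.sub(r"<[^>]*>", "", html)


def extract_uris(html):
    """Simplified stand-in for the URI list that 'uri' rules iterate over."""
    return re.findall(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", html,
                      re.IGNORECASE)


def body_rule_hits(html):
    """The posted pattern as a 'body' rule: matched against rendered text."""
    return BADD_LINK_BODY.search(rendered_text(html)) is not None


def rawbody_rule_hits(html):
    """The same pattern as a 'rawbody' rule: matched against the raw HTML."""
    return BADD_LINK_BODY.search(html) is not None


def uri_rule_hits(html):
    """The alternative pattern as a 'uri' rule: matched per extracted URI."""
    return any(BADD_LINK_URI.search(u) for u in extract_uris(html))


if __name__ == "__main__":
    for name, html in (("double-quoted", SAMPLE_HTML_DQ),
                       ("single-quoted", SAMPLE_HTML_SQ)):
        print(name, "body:", body_rule_hits(html),
              "rawbody:", rawbody_rule_hits(html),
              "uri:", uri_rule_hits(html))
```

The body form never fires on either sample, the rawbody form fires only on the single-quoted one, and the uri form fires on both.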
Re: Sender Address Verification is NOT abouse and very effective
John D. Hardin wrote:
> On Thu, 29 Mar 2007, Marc Perkel wrote:
>> The question was about a corpus of email. I assume that it means that the email is from multiple sources.
> Correct. Assume for the sake of argument that the distribution of domains being checked somewhat reflects the distribution of ISP sizes - for example, there would be more aol.com and hotmail.com addresses than most other domains. Also, duplicates would be collapsed so caching isn't really beneficial.
>> So I doubt that someone running it would even be detectable by anyone else.
> Well, yes, but whether or not you get caught does not affect the morality or courtesy of an act...
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> You are in a maze of twisty little protocols, all written by Microsoft.
> ---
> 15 days until Thomas Jefferson's 264th Birthday

I want people to use sender address verification against my servers for the domains I host because if someone is spoofing one of my domains I want it to fail. I welcome it. Because when domains do sender address verification then it makes spammers fail. And if spammers fail they will use someone else's domain - someone who refuses to use SAV. If there is anything that causes collateral damage it's the fact that my domains are less spammer friendly than yours are so they will spoof your domains rather than mine.
Re: Sender Address Verification is NOT abouse and very effective
Marc Perkel wrote:
> I want people to use sender address verification against my servers for the domains I host because if someone is spoofing one of my domains I want it to fail. I welcome it. Because when domains do sender address verification then it makes spammers fail. And if spammers fail they will use someone else's domain - someone who refuses to use SAV. If there is anything that causes collateral damage it's the fact that my domains are less spammer friendly than yours are so they will spoof your domains rather than mine.

That's just silly, and as a provider of an anti-spam service you should know that.

SAV is a lousy anti-forgery mechanism, primarily because it isn't an anti-forgery mechanism. At best it's a "somebody might legitimately use this address but I have no idea if it's being forged in this instance" mechanism. SAV doesn't make spammers fail, it merely requires them to use a valid address, and guess what, they've got billions of valid addresses at their disposal.

If you're concerned about, and want to prevent, your domains being abused then sign your mail or use another mechanism that allows all involved parties to agree upon a mechanism that requires more than DNS queries against an unknown/unwilling party.

If you wish to continue using SAV, and going by past statements of "it works for my customers so I'm going to continue to do it" I assume you will continue, then *please* stop complaining here every time you get blacklisted. If you must, though, perhaps SPAM-L would be a more appropriate venue.

Daryl
Re: Sender Address Verification is NOT abouse and very effective
Daryl C. W. O'Shea wrote:
> Marc Perkel wrote:
>> I want people to use sender address verification against my servers for the domains I host because if someone is spoofing one of my domains I want it to fail. I welcome it. Because when domains do sender address verification then it makes spammers fail. And if spammers fail they will use someone else's domain - someone who refuses to use SAV. If there is anything that causes collateral damage it's the fact that my domains are less spammer friendly than yours are so they will spoof your domains rather than mine.
> That's just silly, and as a provider of an anti-spam service you should know that.
> SAV is a lousy anti-forgery mechanism, primarily because it isn't an anti-forgery mechanism. At best it's a "somebody might legitimately use this address but I have no idea if it's being forged in this instance" mechanism. SAV doesn't make spammers fail, it merely requires them to use a valid address, and guess what, they've got billions of valid addresses at their disposal.
> If you're concerned about, and want to prevent, your domains being abused then sign your mail or use another mechanism that allows all involved parties to agree upon a mechanism that requires more than DNS queries against an unknown/unwilling party.
> If you wish to continue using SAV, and going by past statements of "it works for my customers so I'm going to continue to do it" I assume you will continue, then *please* stop complaining here every time you get blacklisted. If you must, though, perhaps SPAM-L would be a more appropriate venue.

I don't understand why you think SAV is a lousy anti-forgery tool. It forces spammers to have to find real email addresses to forge. Domains that I host are rarely spoofed because when other hosts use SAV I welcome that and verify which email addresses are bad and the spam is rejected at connect time. When I use SAV I don't have to run those messages through SpamAssassin because I already know they are spam.

So don't tell me that it doesn't work because I know for a fact that it does. I WANT people to verify against my servers. I WELCOME it because spammers blacklist ME. As to people blacklisting me - I am quite capable of effectively evening the score. Those who black list me are a bunch of cowards who hide and create anonymous black lists to try to bully people into what they want us to do. But these people have left a trail that I'm reconstructing and I'm going to out them and it's going to be a very public outing. So I don't just complain when I get blacklisted. I fix the problem.
Re: SpamAssassin as a filter, without running a mail server?
On Thursday 29 March 2007 12:03, Chris Rouffer wrote:
> I've been given the job of adding an Internet Content filter, firewall, and spam filter to a small network in a non-profit organization. Right now there are about 5 email accounts, and their mail server is at their web-host. Is it possible for me to run SpamAssassin as a filter on the firewall box, so that it simply filters email when the user retrieves it from the mail server?

I'd start with IPCop for the firewall. http://www.ipcop.org

Then I'd add CopPlus (which is Dan's Guardian packaged for IPCop). http://home.earthlink.net/~copplus/

Then I'd add CopFilter to finish it off. http://www.copfilter.org

That would get you a nice appliance that has all the administration controls available via web pages.

An alternative to CopFilter would be to build a second box and build up a MailScanner box for the email. For a small place, that would probably be overkill. For a large outfit, I'd probably go that route and split mail scanning off from the firewall. I have a recipe for a MailScanner box here: http://www.leap-cf.org/presentations/MailScanner/

I believe that ClarkConnect can also do all the things you mention, but I think you have to purchase some of the modules.

--
Ballmer is basically saying: "We know there's a problem but we're not going to tell you what it is because we want to ambush you in the future."
Re: Sender Address Verification is NOT abouse and very effective
Marc Perkel wrote:
> I don't understand why you think SAV is a lousy anti-forgery tool. It forces spammers to have to find real email addresses to forge. Domains that I host are rarely spoofed because when other hosts use SAV I welcome that and verify which email addresses are bad and the spam is rejected at connect time. When I use SAV I don't have to run those messages through SpamAssassin because I already know they are spam.
> So don't tell me that it doesn't work because I know for a fact that it does. I WANT people to verify against my servers. I WELCOME it because spammers blacklist ME. As to people blacklisting me - I am quite capable of effectively evening the score. Those who black list me are a bunch of cowards who hide and create anonymous black lists to try to bully people into what they want us to do. But these people have left a trail that I'm reconstructing and I'm going to out them and it's going to be a very public outing. So I don't just complain when I get blacklisted. I fix the problem.

I maintain various mail servers for ISP's and private companies around the world. Probably 2-3 million users in total.

If your server is using SAV against any of our servers in excess of 500 or so invalid recipients per day, you are most likely on our internal blacklist. We don't know if you are using SAV, TMDA or are just a clueless admin who bounces after accepting. Seeing as how we get over a million bounces after accepting from various clueless admins around the globe you might see how we're averse to any type of sender verification. You might welcome it but we can't tell the difference.

If your servers end up on blacklists because of it, don't complain. You made your own bed and now you have to lay in it.

Regards,

Rick
Re: Sender Address Verification is NOT abouse and very effective
Rick Macdougall wrote:
> Marc Perkel wrote:
>> I don't understand why you think SAV is a lousy anti-forgery tool. It forces spammers to have to find real email addresses to forge. Domains that I host are rarely spoofed because when other hosts use SAV I welcome that and verify which email addresses are bad and the spam is rejected at connect time. When I use SAV I don't have to run those messages through SpamAssassin because I already know they are spam.
>> So don't tell me that it doesn't work because I know for a fact that it does. I WANT people to verify against my servers. I WELCOME it because spammers blacklist ME. As to people blacklisting me - I am quite capable of effectively evening the score. Those who black list me are a bunch of cowards who hide and create anonymous black lists to try to bully people into what they want us to do. But these people have left a trail that I'm reconstructing and I'm going to out them and it's going to be a very public outing. So I don't just complain when I get blacklisted. I fix the problem.
> I maintain various mail servers for ISP's and private companies around the world. Probably 2-3 million users in total.
> If your server is using SAV against any of our servers in excess of 500 or so invalid recipients per day, you are most likely on our internal blacklist. We don't know if you are using SAV, TMDA or are just a clueless admin who bounces after accepting. Seeing as how we get over a million bounces after accepting from various clueless admins around the globe you might see how we're averse to any type of sender verification. You might welcome it but we can't tell the difference.
> If your servers end up on blacklists because of it, don't complain. You made your own bed and now you have to lay in it.
> Regards,
> Rick

I wouldn't be on your black list unless you manually added me to it.
Re: Sender Address Verification is NOT abouse and very effective
Rick Macdougall wrote:
> Same difference to me, you get blocked. My servers are busy enough as it is (just as an example, one incoming SMTP server out of 4 with one client has consistent 80 connections per second, an average 500 connections active at any given time, the majority, over 80%, bounces or SAV checks). So guess what? I'm going to block those servers until they smarten up.

The reason you get so many bounces is that your servers are SAV hostile. If someone spoofs your domain then you're going to get SAV connections if you allow it or bounce connections if you don't. And the number of bounces is going to be a lot higher than the SAV requests because spammers like domains where the recipient host gives no information about if the account is valid or not.
Re: Sender Address Verification is NOT abouse and very effective
Marc Perkel wrote:
> Rick Macdougall wrote:
>> Same difference to me, you get blocked. My servers are busy enough as it is (just as an example, one incoming SMTP server out of 4 with one client has consistent 80 connections per second, an average 500 connections active at any given time, the majority, over 80%, bounces or SAV checks). So guess what? I'm going to block those servers until they smarten up.
> The reason you get so many bounces is that your servers are SAV hostile. If someone spoofs your domain then you're going to get SAV connections if you allow it or bounce connections if you don't. And the number of bounces is going to be a lot higher than the SAV requests because spammers like domains where the recipient host gives no information about if the account is valid or not.

Uhhh, no. We don't bounce. Anyone who bounces is an asshat. We reject 551 at the smtp level for spam above a certain score and for user unknown.

We aren't anti-SAV per se, we are anti-usernamechecking, we will return a User Unknown after 5 similar unsuccessful requests during the same smtp connection.

Think logically about it.

Regards,

Rick
Re: Sender Address Verification is NOT abouse and very effective
Rick Macdougall wrote:
> Marc Perkel wrote:
>> The reason you get so many bounces is that your servers are SAV hostile. If someone spoofs your domain then you're going to get SAV connections if you allow it or bounce connections if you don't. And the number of bounces is going to be a lot higher than the SAV requests because spammers like domains where the recipient host gives no information about if the account is valid or not.
> Uhhh, no. We don't bounce. Anyone who bounces is an asshat.

+1

If Marc is bouncing spams, even when domains who refuse to play the SAV game are involved, he's being even more abusive than I had thought.

Daryl
Re: Sender Address Verification is NOT abouse and very effective
Marc Perkel wrote:
> Derek Harding wrote:
>> Marc Perkel wrote:
>>> I don't understand why you think SAV is a lousy anti-forgery tool. It forces spammers to have to find real email addresses to forge.
>> So here's a little thought experiment for you. As you know more and more spam is sent by botnets from compromised machines. Those bots know a range of valid addresses because they're pulling them out of addressbooks on the local machines (they're also sending to those same addresses btw). So - let's say you don't use SAV. You accept the message not knowing that it's from a fake address. Then you have to spam filter it. If it fails, it creates a bounce.

No. You do your spam filtering during the SMTP session, using a milter or something similar. If it scores as spam, then you reject it during SMTP. So, no, it doesn't create a bounce. Only an idiot would bounce a message for being spam.
Re: Sender Address Verification is NOT abouse and very effective
John Rudd wrote:
> Marc Perkel wrote:
>> Derek Harding wrote:
>>> Marc Perkel wrote:
>>>> I don't understand why you think SAV is a lousy anti-forgery tool. It forces spammers to have to find real email addresses to forge.
>>> So here's a little thought experiment for you. As you know more and more spam is sent by botnets from compromised machines. Those bots know a range of valid addresses because they're pulling them out of addressbooks on the local machines (they're also sending to those same addresses btw). So - let's say you don't use SAV. You accept the message not knowing that it's from a fake address. Then you have to spam filter it. If it fails, it creates a bounce.
> No. You do your spam filtering during the SMTP session, using a milter or something similar. If it scores as spam, then you reject it during SMTP. So, no, it doesn't create a bounce. Only an idiot would bounce a message for being spam.

Or if you are using something that doesn't easily support prefiltering then you can deliver with spam markup. Do not ever bounce! Ever! I can not stress this enough.

blah.

Night folks!

Rick
Re: Sender Address Verification is NOT abouse and very effective
Marc Perkel wrote:
> Daryl C. W. O'Shea wrote:
>> SAV is a lousy anti-forgery mechanism, primarily because it isn't an anti-forgery mechanism. At best it's a "somebody might legitimately use this address but I have no idea if it's being forged in this instance" mechanism. SAV doesn't make spammers fail, it merely requires them to use a valid address, and guess what, they've got billions of valid addresses at their disposal.
> I don't understand why you think SAV is a lousy anti-forgery tool.

I guess you missed the second half of that sentence then. SAV cannot tell you that an address was not forged. At best it can tell you that the address doesn't exist and it probably was sent by a third party. If you want to call this a forgery (how you forge something that doesn't exist to begin with, I'm not sure) go for it.

> It forces spammers to have to find real email addresses to forge.

Forcing spammers to forge an address is considered anti-forgery? Now I'm confused.

> Domains that I host are rarely spoofed because when other hosts use SAV I welcome that and verify which email addresses are bad and the spam is rejected at connect time. When I use SAV I don't have to run those messages through SpamAssassin because I already know they are spam. So don't tell me that it doesn't work because I know for a fact that it does.

OK, I won't tell you it doesn't work, and I didn't before either. I'm simply suggesting that it's abusive and selfish.

> I WANT people to verify against my servers. I WELCOME it because spammers blacklist ME. As to people blacklisting me - I am quite capable of effectively evening the score. Those who black list me are a bunch of cowards who hide and create anonymous black lists to try to bully people into what they want us to do. But these people have left a trail that I'm reconstructing and I'm going to out them and it's going to be a very public outing. So I don't just complain when I get blacklisted. I fix the problem.

If you want to waste your time on that go for it.

I'd be really surprised if you aren't currently, or have in the past, you yourself used blacklists operated by anonymous cowards though.

Daryl