RE: Big trouble

2007-03-29 Thread Rocco Scappatura
 There is another discussion on this list about rules that
 catch these sorts of messages.  Check that out for ideas.

 For what it is worth these are the rules I get:

 Content analysis details:   (10.5 points, 5.0 required)

  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
  0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
  0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
  0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
  3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                             [score: 1.]
  2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                             [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
  1.0 RCVD_IN_JANET_RBL      RBL: Relay in JANET MAPS RBL+ RBL
                             [102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
  0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay

I get:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 TW_GD                  BODY: Odd Letter Triples with GD
 0.1 TW_LG                  BODY: Odd Letter Triples with LG
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3955]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.6 AWL                    AWL: From: address is in the auto white-list

But only some hours after I received the messages..

I suppose that at that time the score assigned by your SA was lower than
what you just reported above.. (maybe at that time the IP 102.176.29.76 was
not DNSBL-listed).

Anyway, I figure that your SA uses different rulesets from mine..

Could you point me to a good set of rulesets to use to lower the chance
that spam passes through my spam scanner, while maintaining a good level
of performance?

TIA,

rocsca


RE: Big trouble

2007-03-29 Thread Rocco Scappatura
  2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                             [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]

 I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
 (unlike RCVD_IN_WHOIS_INVALID and RCVD_IN_WHOIS_HIJACKED,
 which are nonzero)

 rules/50_scores.cf :
   score RCVD_IN_WHOIS_BOGONS 0 # n=0 n=1 n=2 n=3

I don't understand.. maybe my remark is wrong, but I get this score for
the rules above:

  2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                             [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]

Anyway, what makes you think that the score for RCVD_IN_WHOIS_BOGONS is 0?

rocsca



Re: Big trouble

2007-03-29 Thread Anthony Peacock

Hi,



The biggest difference is that my Bayes system scored it as BAYES_99 
which adds 3.5 points, and your Bayes system scored it as BAYES_40 which 
subtracted 0.2 points.


I did get a few of those emails come through at the start, but by 
feeding them into my Bayes system they now get caught.


--
Anthony Peacock
CHIME, Royal Free  University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas. -- George Bernard Shaw
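Comparing two "Content analysis details" tables by eye, as in the exchange above, gets error-prone once the descriptions wrap. The Python below is an added example, not code from the thread or from SpamAssassin: it parses the two reports quoted in this thread (embedded here as cleaned-up, constructed copies), lists the rules that account for the gap between the 10.5 and 5.9 point totals, and re-sums each table so the result can be checked against the "(10.5 points, 5.0 required)" header.

```python
import re

# One table row: score, rule name, start of the description. Lines that do
# not match (wrapped descriptions, "[score: ...]" and "[IP listed in ...]"
# continuations, as in mailing-list copies) are appended to the previous rule.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s*(.*)$")


def parse_report(text):
    """{rule_name: (score, description)} from a 'Content analysis details'
    table; the 'pts rule name description' header and the dashed rule are
    skipped because they precede the first scored row."""
    rules, last = {}, None
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            last = m.group(2)
            rules[last] = [float(m.group(1)), m.group(3).strip()]
        elif last and (set(line) - {"-", " "}):
            rules[last][1] = (rules[last][1] + " " + line.strip()).strip()
    return {name: tuple(v) for name, v in rules.items()}


def diff_reports(report_a, report_b):
    """Rules scored differently in the two reports (absent counts as 0.0),
    plus each report's total rounded to one decimal as SpamAssassin prints it."""
    ra, rb = parse_report(report_a), parse_report(report_b)
    rows = []
    for name in sorted(set(ra) | set(rb)):
        score_a = ra.get(name, (0.0, ""))[0]
        score_b = rb.get(name, (0.0, ""))[0]
        if score_a != score_b:
            rows.append((name, score_a, score_b))

    def total(report):
        return round(sum(score for score, _ in report.values()), 1)

    return rows, total(ra), total(rb)


# Constructed copies of the two tables quoted in this thread, laid out the
# way spamassassin prints them (wrapped continuation lines included).
REPORT_ANTHONY = """\
Content analysis details:   (10.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 FORGED_RCVD_HELO       Received: contains a forged HELO
 0.0 DK_POLICY_SIGNSOME     Domain Keys: policy says domain signs some mails
 0.6 J_CHICKENPOX_14        BODY: 1alpha-pock-4alpha
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 1.0 RCVD_IN_JANET_RBL      RBL: Relay in JANET MAPS RBL+ RBL
                            [102.176.29.76 listed in rbl-plus.mail-abuse.ja.net]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
"""

REPORT_ROCCO = """\
 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.9 FROM_LOCAL_NOVOWEL     From: localpart has series of non-vowel letters
 0.1 TW_GD                  BODY: Odd Letter Triples with GD
 0.1 TW_LG                  BODY: Odd Letter Triples with LG
-0.2 BAYES_40               BODY: Bayesian spam probability is 20 to 40%
                            [score: 0.3955]
 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on bogons IP block
                            [102.176.29.76 listed in combined-HIB.dnsiplists.completewhois.com]
 0.0 MSGID_FROM_MTA_HEADER  Message-Id was added by a relay
 0.6 AWL                    AWL: From: address is in the auto white-list
"""
```

Run against the two reports, the diff lists eight rules; BAYES_99 versus BAYES_40 alone is 3.7 of the 4.6 point gap, and the rest is the JANET listing, FORGED_RCVD_HELO and J_CHICKENPOX_14 on one side against TW_GD, TW_LG and AWL on the other. A rule present in only one report points at a ruleset the other installation lacks, or at a lookup whose answer differed at scan time, which is the DNSBL timing question Rocco raises.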


Re: KAUF-TIPP DER WOCHE spam getting through

2007-03-29 Thread Panagiotis Christias

On 3/28/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

On Wed, 28 Mar 2007, Panagiotis Christias wrote:

 In the last few days we have been getting a lot of spam like this:

 KAUF-TIPP DER WOCHE

I wrote a few of my own rules especially to catch those stock scams
together with Bayes. If you don't have any people who should write to you in
German you can also use the X-Languages tag to boost the score if the mail
is written in German.

Here are my current rules, which should also catch the German stocks.
Maybe there are some false positives in a real stock environment, but for
me they work fine:

body  __HILO_STOCKS1  /(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)[\:\ \t]+/i
body  __HILO_STOCKS2  /curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
# posted as a second rule named __HILO_STOCKS2; a second definition under the
# same name does not add a second pattern, so it is renamed here and added to
# the meta rule below
body  __HILO_STOCKS6  /[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d/i
body  __HILO_STOCKS3  /our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]/i
body  __HILO_STOCKS4  /\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])/i
body  __HILO_STOCKS5  /(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d/i
body  __HILO_STOCKS9  /(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)/i

# the posted __HILO_STOCKS1 read "Grow||High": the empty alternative matches
# anything, so it has been dropped above
meta  HILO_STOCKS  ((__HILO_STOCKS1 || __HILO_STOCKS2 || __HILO_STOCKS6 || __HILO_STOCKS3 || __HILO_STOCKS4 || __HILO_STOCKS5) && __HILO_STOCKS9)
describe  HILO_STOCKS  Looks like stocks scam
score  HILO_STOCKS  3.0





my custom rule is just:

# KAUF_TIPP custom rule - christia Wed Mar 28 11:51:05 EEST 2007
body KAUF_TIPP  /^KAUF-TIPP DER WOCHE$/
describe KAUF_TIPP  German pump and dump stock spam with extremely low scores
score KAUF_TIPP 4.0

a bit rough maybe..
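To see what the posted rule set actually fires on, here is an added Python example (not part of the post and not SpamAssassin code) that evaluates the body regexes and the meta rule against three constructed bodies: a pump-and-dump mail, an ordinary office mail, and a legitimate broker note that still hits HILO_STOCKS, which is the false-positive risk the post mentions for a real stock environment. The regexes are transcribed as posted; the second pattern posted under the name __HILO_STOCKS2 is held here as __HILO_STOCKS6 so that both are evaluated, and the meta rule requires one of the price or quote patterns together with __HILO_STOCKS9. Running the regexes over raw text with Python's re module is a simplification of how SpamAssassin renders a body before testing it.

```python
import re

# Rules transcribed from the post above. Assumptions: each regex re-joined
# onto one line; the second pattern posted as __HILO_STOCKS2 kept under the
# name __HILO_STOCKS6 so that both are evaluated. re.I mirrors the /i flag;
# re.M makes ^ and $ in KAUF_TIPP match at line boundaries. Running the
# regexes over raw text is a simplification: SpamAssassin renders and
# normalises the body before body rules see it.
BODY_RULES = {
    "__HILO_STOCKS1": (r"(High|Low|Curr[e3]nt|Cur(r|\r.|r[e3]nt|\.)\ P(ric[e3])?|Pric[e3]|Last)"
                       r"[\:\ \t]+\$[\d\ ]+?(.*)(Last|Low|Growth|Grow|High|Sale|Pric[e3]|Vol|[E3]xp)"
                       r"[\:\ \t]+", re.I),
    "__HILO_STOCKS2": (r"curr[e3]n[t7](ly)?[\ \t\_]+?\:[\ \t\_\$]+?\d", re.I),
    "__HILO_STOCKS6": (r"[e3](x|ks)p[e3]ct[e3]d?[\ \t\_]+?\:[\ \t\_\$]+?\d", re.I),
    "__HILO_STOCKS3": (r"our[\ \t\_]+?(last[\ ]+?)?pick[\:\ \t\_\;\=\,]", re.I),
    "__HILO_STOCKS4": (r"\d[\ \t\_]+?(c[e3]nt|dollar|[e3]ur|p[e3]nc[e3])", re.I),
    "__HILO_STOCKS5": (r"(c[e3]nt|dollar|[e3]ur[o]?|p[e3]nc[e3])[\ \t\_]+?\d", re.I),
    "__HILO_STOCKS9": (r"(hot[\ \t\_]+?list|r[e3]cord|publicity\ |n[e3]ws\ |invest|incr[e3]as[e3]"
                       r"|[e3]xplosion|high\ |pr[e3]mium|mark[e3]t|al[e3]rt|sym[b8]ol|the\ rush"
                       r"|your\ radar|g[e3]t\ [i1]n|schluss\-?stand|prognose|kauf\-?tip)", re.I),
    # posted without /i, so case-sensitive
    "KAUF_TIPP": (r"^KAUF-TIPP DER WOCHE$", re.M),
}
SCORES = {"HILO_STOCKS": 3.0, "KAUF_TIPP": 4.0}
PRICE_RULES = {"__HILO_STOCKS1", "__HILO_STOCKS2", "__HILO_STOCKS3",
               "__HILO_STOCKS4", "__HILO_STOCKS5", "__HILO_STOCKS6"}


def body_hits(body):
    """Names of the body rules whose regex matches somewhere in the text."""
    return {name for name, (pattern, flags) in BODY_RULES.items()
            if re.search(pattern, body, flags)}


def score_message(body):
    """(total score, sorted scoring rules). The posted meta rule fires when
    any price/quote pattern co-occurs with the __HILO_STOCKS9 vocabulary."""
    hits = body_hits(body)
    if hits & PRICE_RULES and "__HILO_STOCKS9" in hits:
        hits.add("HILO_STOCKS")
    scoring = sorted(h for h in hits if not h.startswith("__"))
    return sum((SCORES[h] for h in scoring), 0.0), scoring


# Constructed sample bodies (not messages from the thread).
PUMP_AND_DUMP = """\
KAUF-TIPP DER WOCHE
Symbol: XYZQ
Current Price: $0.45  High: $2.10
Expected : $2.10 within days, up from 12 cents last month
Our last pick: gained 300% in one week
Get in before the rush, this one is on every hot list!
"""

HAM = """\
Hi team,

Please find attached the invoice for last month. Our office is moving
next week, so send any paperwork to the new address.

Regards,
Anna
"""

# A legitimate broker note that still trips the meta rule: the false-positive
# risk the post mentions for a real stock environment.
BROKER_NOTE = """\
Our last pick, ACME, closed at $14.20 today.
Market commentary follows below.
"""
```

The pump-and-dump body collects HILO_STOCKS and KAUF_TIPP for 7.0 points, the office mail scores nothing, and the broker note scores 3.0 on the strength of "Our last pick," plus "Market" alone. That last case is why a vocabulary rule like this is safer below the 5.0 threshold on its own, contributing alongside Bayes rather than deciding by itself.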


Re: Big trouble

2007-03-29 Thread Mark Martinec
Rocco,

 2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on
  I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?

 I don't understand.. maybe my remark is wrong,
 but I [do] get this score for the rules above

I said '3.2.0-rc1', didn't I?

Btw, I got 1800 messages hitting RCVD_IN_WHOIS_BOGONS in the
last 24 hours since I re-enabled the rule. (like 50.30.64.209,
180.48.158.64, 94.130.200.203, ...);  6 of these were possibly
false positives (unconfirmed, half of them from the same mailing list).

Could it be that the combined-HIB.dnsiplists.completewhois.com
chokes under the load of a GA/perceptron run and stops responding?
I've seen it unresponsive yesterday for about half an hour.

  Mark


RE: whitelist and blacklist problem

2007-03-29 Thread lalit

Hi,

I have three servers and all have the same problem. I have sent you examples
from the different servers, so that is why the version difference occurs.

Thanks
 

Fabien GARZIANO wrote:
 
  
 Hi,
 
 I don't know the answer to your question. But something looks weird in
 your example : 
 
 Case 1 : version=3.1.8
 Case 2 : version=3.0.5
 
 Are you using the same SA setup for both cases ? 
 
 I hope it helps.
 
 
 -----Original Message-----
 From: lalit [mailto:[EMAIL PROTECTED]
 Sent: Thursday, 29 March 2007 09:52
 To: users@spamassassin.apache.org
 Subject: whitelist and blacklist problem
 
 
 I have configured SpamAssassin with MySQL. Now it fetches
 whitelist and blacklist data from the userpref table, but mail
 is detected as spam in both cases, whether the user is in the whitelist
 or in the blacklist, and the spam report shows that the user is in the
 blacklist and in the whitelist.

 Case 1: when the user is in the whitelist
 X-Spam-Status: No, score=0.5 required=5.0 tests=AWL,HTML_MESSAGE,
  MIME_HTML_MOSTLY,USER_IN_BLACKLIST,USER_IN_WHITELIST autolearn=no
  version=3.1.8

 Case 2: when the user is in the blacklist or not in the whitelist, it gives
 the correct report
 
 X-Spam-Status: Yes, score=100.8 required=5.0 tests=AWL,HTML_90_100,
  HTML_MESSAGE,NO_DNS_FOR_FROM,USER_IN_BLACKLIST autolearn=no
  version=3.0.5
 X-Spam-Report:
  * 100 USER_IN_BLACKLIST From: address is in the user's black-list
  * 0.2 HTML_90_100 BODY: Message is 90% to 100% HTML
  * 0.0 HTML_MESSAGE BODY: HTML included in message
  * 1.1 NO_DNS_FOR_FROM DNS: Envelope sender has no MX or 
 A DNS records
  * -0.5 AWL AWL: From: address is in the auto white-list
 
 how can i fix it ? what is the cause of the problem?
 
 --
 View this message in context:
 http://www.nabble.com/whitelist-and-blacklist-problem-tf3484900.html#a9728558
 Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
 
 
 
 

-- 
View this message in context: 
http://www.nabble.com/whitelist-and-blacklist-problem-tf3484900.html#a9730957
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Big trouble

2007-03-29 Thread Justin Mason

Mark Martinec writes:
 Rocco,
 
  2.4 RCVD_IN_WHOIS_BOGONS   RBL: CompleteWhois: sender on
   I wonder why score for RCVD_IN_WHOIS_BOGONS is 0 in 3.2.0-rc1 ?
 
  I don't understand.. maybe my remark is wrong,
  but I [do] get this score for the rules above
 
 I said '3.2.0-rc1', didn't I?
 
 Btw, I got 1800 messages hitting RCVD_IN_WHOIS_BOGONS in the
 last 24 hours since I re-enabled the rule. (like 50.30.64.209,
 180.48.158.64, 94.130.200.203, ...);  6 of these were possibly
 false positives (unconfirmed, half of them from the same mailing list).

Yeah, there's a bug in the bz reporting that some big company uses bogon
space internally, instead of the 10.x or 192.168.x networks, and that
this escapes via the Received headers causing FPs.

 Could it be that the combined-HIB.dnsiplists.completewhois.com
 chokes under the load of a GA/perceptron run and stops responding?
 I've seen it unresponsive yesterday for about half an hour.

odd. I guess that's a possibility... :(

--j.


Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-29 Thread Mark Adams
Hi,

I have changed my reporting so it provides more information, and run
--test-mode with a message marked as spam, that should be whitelisted

whitelist.cf contents:

whitelist_from [EMAIL PROTECTED]

when running spamassassin -D --lint, I see the following line

[18351] dbg: config: read file /etc/spamassassin/whitelist.cf

But when running test mode I still do not get any reports on it being
hit by the whitelist.

Help!

On Wed, Mar 28, 2007 at 03:51:43PM +0100, Mark Adams wrote:
 On Thu, Mar 22, 2007 at 04:40:27PM -0400, Bowie Bailey wrote:
  Mark Adams wrote:
   On Fri, Mar 02, 2007 at 10:06:51AM -0500, Bowie Bailey wrote:
Is it scoring the whitelist lower or is it just not hitting?

Can you post your whitelist rule and the headers from an example
message?
  
  And why do you think this message should have hit the whitelist?  Show
  me the From line in the email.
 Hi, Header excerpt below. Once again help appreciated.
 
 From: Guy Graham [EMAIL PROTECTED]
 X-Spam-Score: 40
 X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7
 X-Original-Recipient: [EMAIL PROTECTED]
 


Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-29 Thread Anthony Peacock

Hi,

I would think we need to see the FULL headers of this example email 
before anyone can comment.




Using Postfix always_bcc for catching messages

2007-03-29 Thread Robert Fitzpatrick
I am running Postfix 2.3.5 with SA 3.1.7 and amavisd-new. If I catch a
copy of all messages using the Postfix option of always_bcc, will this
work when learning those messages? I am wondering if the bcc address
being in the header of all those messages will cause any learning issues
regarding the address.

-- 
Robert



Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-29 Thread Mark Adams
Thanks for your reply.

Why would this make any difference?

The headers checked for whitelist addresses are as follows: if
Resent-From is set, use that; otherwise check all addresses taken from
the following set of headers:

Envelope-Sender
Resent-Sender 
X-Envelope-From
From


The only header that matches is From: which is the header I posted
below.

It seems as if it is not reading the whitelist_from entries at all. Or
whitelisting is somehow disabled, is that possible?



Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-29 Thread Anthony Peacock

Hi,

Because, more often than not, the reason that whitelisting is not 
matching is that the headers you think are matching are not.  Or there 
is a typo in the whitelist.cf file.


By not allowing us to see the entire header, you are making us guess.



Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-29 Thread Mark Adams
OK, fair enough.. I will change this listing to a whitelist_from_rcvd as
I assume this list is farmed by spammers. (Should be using that always,
of course!)

Header below.

Envelope-to: [EMAIL PROTECTED]
Received: from hopnet.hopkins.co.uk ([10.0.0.23] helo=mail.hopkins.co.uk)
by hopkins.co.uk with esmtp (Exim 4.63)
(envelope-from [EMAIL PROTECTED])
id 1HWSt9-0005j0-CG
for [EMAIL PROTECTED]; Wed, 28 Mar 2007 08:48:11 +0100
Received: from [195.110.64.125] (helo=smtp.uk.colt.net)
by mail.hopkins.co.uk with esmtp (Exim 4.63)
(envelope-from [EMAIL PROTECTED])
id 1HWSt4-0005FR-5z
for [EMAIL PROTECTED]; Wed, 28 Mar 2007 08:48:11 +0100
Received: from mail.pdcmltd.co.uk (unknown [213.86.218.37])
by smtp.uk.colt.net (Postfix) with ESMTP
id 721B2126151; Wed, 28 Mar 2007 08:42:47 +0100 (BST)
Content-Class: urn:content-classes:message
Content-Transfer-Encoding: 7bit
Subject: Bury St Edmunds - Unit SU34
Importance: normal
Priority: normal
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=_=_NextPart_001_01C7710E.58A560A4
Date: Wed, 28 Mar 2007 08:54:43 +0100
Message-ID: [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.607
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Bury St Edmunds - Unit SU34
thread-index: AcdxDTLGeReHjG9FQsG+HfB3+1kiMg==
From: Guy Graham [EMAIL PROTECTED]
To: James Stonard [EMAIL PROTECTED],
Steve Sawyer [EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
Lindsay,Peter [EMAIL PROTECTED],
Tony White [EMAIL PROTECTED]
Cc: Ivan Stephenson [EMAIL PROTECTED]
X-Spam-Score: 40
X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_
X-Original-Recipient: [EMAIL PROTECTED]

This is a multi-part message in MIME format.




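Two points in these threads come down to how the Received chain is read: Justin Mason's note (in "Re: Big trouble") that a company relaying through non-RFC1918 address space leaks those addresses into the Received headers, where the bogon DNSBL lookup then hits them, and Mark Adams's switch above from whitelist_from to whitelist_from_rcvd. The Python below is an added example, not SpamAssassin's implementation: it parses Postfix-style Received lines, splits the hops into trusted and untrusted according to a trusted_networks list, reports which IPs a DNSBL rule would be asked about, and evaluates whitelist_from and whitelist_from_rcvd entries against the headers the documentation quoted above names (Resent-From, else Envelope-Sender, Resent-Sender, X-Envelope-From and From). All host names, addresses and the three-hop message are constructed; the trust model and the reverse-DNS suffix match are this example's assumptions. One observation from the headers Mark posted: the hop nearest his scanner is written by Exim as "from [195.110.64.125] (helo=smtp.uk.colt.net)", the form Exim uses when the connecting host has no reverse-DNS name, and NO_RDNS hit on the same message; a whitelist_from_rcvd entry keyed on a domain name cannot match a relay logged without a name.

```python
import email
import email.policy
import email.utils
import fnmatch
import ipaddress
import re

# Postfix-style "from HELO (RDNS [IP])". Other Received formats, such as the
# Exim lines posted in this thread, are not parsed by this example.
RECEIVED_RE = re.compile(
    r"^from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[0-9.]+)\]\)", re.I)


def parse_received(msg):
    """Hops top-down (our own MTA's header first) as {'helo', 'rdns', 'ip'};
    rdns is None when the receiving MTA logged 'unknown' (no reverse DNS)."""
    hops = []
    for value in msg.get_all("Received", []):
        m = RECEIVED_RE.match(" ".join(str(value).split()))
        if m:
            rdns = m.group("rdns")
            if rdns is None or rdns.lower() == "unknown":
                rdns = None
            hops.append({"helo": m.group("helo"), "rdns": rdns, "ip": m.group("ip")})
    return hops


def split_trusted(hops, trusted_networks):
    """Trust-path model (an assumption of this example): reading outwards
    from our MTA, hops inside trusted_networks are ours; the first hop outside
    is the last external relay, and it plus everything beyond it is untrusted."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    trusted, untrusted = [], []
    for hop in hops:
        addr = ipaddress.ip_address(hop["ip"])
        if not untrusted and any(addr in n for n in nets):
            trusted.append(hop)
        else:
            untrusted.append(hop)
    return trusted, untrusted


def dnsbl_lookup_ips(msg, trusted_networks):
    """IPs a plain DNSBL rule such as RCVD_IN_WHOIS_BOGONS would be asked
    about: every untrusted hop. An internal relay on non-RFC1918 space that
    is missing from trusted_networks is therefore looked up as well."""
    return [h["ip"] for h in split_trusted(parse_received(msg), trusted_networks)[1]]


def sender_addresses(msg):
    """Addresses whitelist_from consults, per the documentation quoted in the
    thread: Resent-From alone if present, otherwise Envelope-Sender,
    Resent-Sender, X-Envelope-From and From."""
    names = (["Resent-From"] if msg.get_all("Resent-From") else
             ["Envelope-Sender", "Resent-Sender", "X-Envelope-From", "From"])
    values = [str(v) for n in names for v in msg.get_all(n, [])]
    return [addr.lower() for _, addr in email.utils.getaddresses(values) if addr]


def matches_whitelist(msg, trusted_networks, whitelist_from=(), whitelist_from_rcvd=()):
    """Return 'whitelist_from', 'whitelist_from_rcvd' or None. whitelist_from
    trusts a forgeable From: header; whitelist_from_rcvd also requires the last
    external relay's reverse-DNS name to be within the given domain, so a relay
    logged as 'unknown' (what NO_RDNS flags) can never satisfy it."""
    addrs = sender_addresses(msg)

    def hit(pattern):
        return any(fnmatch.fnmatchcase(a, pattern.lower()) for a in addrs)

    if any(hit(p) for p in whitelist_from):
        return "whitelist_from"
    _, untrusted = split_trusted(parse_received(msg), trusted_networks)
    rdns = (untrusted[0]["rdns"] or "").lower() if untrusted else ""
    for pattern, domain in whitelist_from_rcvd:
        domain = domain.lower()
        if hit(pattern) and rdns and (rdns == domain or rdns.endswith("." + domain)):
            return "whitelist_from_rcvd"
    return None


def sample_message(relay_rdns):
    """Constructed three-hop message (not the one posted in the thread).
    relay_rdns is what our edge MTA logged for the connecting relay: a host
    name, or 'unknown'. 198.18.0.5 plays an internal relay outside RFC1918."""
    raw = (
        "Received: from edge.receiver.example (edge.receiver.example [198.18.0.5])\n"
        "\tby scanner.receiver.example (Postfix) with ESMTP id AAA;\n"
        "\tWed, 28 Mar 2007 08:48:11 +0100 (BST)\n"
        "Received: from mail.sender.example (%s [203.0.113.37])\n"
        "\tby edge.receiver.example (Postfix) with ESMTP id BBB;\n"
        "\tWed, 28 Mar 2007 08:47:50 +0100 (BST)\n"
        "Received: from desk17 (unknown [192.0.2.77])\n"
        "\tby mail.sender.example (Postfix) with ESMTP id CCC;\n"
        "\tWed, 28 Mar 2007 08:42:47 +0100 (BST)\n"
        "From: Guy Example <guy@sender.example>\n"
        "To: someone@receiver.example\n"
        "Subject: Unit SU34\n\nHello\n" % relay_rdns)
    return email.message_from_string(raw, policy=email.policy.default)
```

With trusted_networks set to the internal range, dnsbl_lookup_ips returns only the two external hops; with it left empty, 198.18.0.5 is returned as well, which is the mechanism behind the false positives Justin describes, and the fix is to declare the range trusted. For the whitelist, a whitelist_from glob matches on the From: header alone no matter which relay delivered the mail, while the whitelist_from_rcvd entry matches only when the relay's logged name is inside sender.example and returns None both for a relay logged as "unknown" and for a relay in another domain.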


Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-29 Thread Mark Adams
I should also mention that we have a gateway mail server, hence the extra
header. The spam scanning is done on the first header, so for proof this
is pasted below.

Regards,

From [EMAIL PROTECTED] Wed Mar 28 08:48:11 2007
Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Received: from [195.110.64.125] (helo=smtp.uk.colt.net)
by mail.hopkins.co.uk with esmtp (Exim 4.63)
(envelope-from [EMAIL PROTECTED])
id 1HWSt4-0005FR-5z
for [EMAIL PROTECTED]; Wed, 28 Mar 2007 08:48:11 +0100
Received: from mail.pdcmltd.co.uk (unknown [213.86.218.37])
by smtp.uk.colt.net (Postfix) with ESMTP
id 721B2126151; Wed, 28 Mar 2007 08:42:47 +0100 (BST)
Content-Class: urn:content-classes:message
Content-Transfer-Encoding: 7bit
Subject: Bury St Edmunds - Unit SU34
Importance: normal
Priority: normal
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=_=_NextPart_001_01C7710E.58A560A4
Date: Wed, 28 Mar 2007 08:54:43 +0100
Message-ID: [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.607
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Bury St Edmunds - Unit SU34
thread-index: AcdxDTLGeReHjG9FQsG+HfB3+1kiMg==
From: Guy Graham [EMAIL PROTECTED]
To: James Stonard [EMAIL PROTECTED],
Steve Sawyer [EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
Lindsay,Peter [EMAIL PROTECTED],
Tony White [EMAIL PROTECTED]
Cc: Ivan Stephenson [EMAIL PROTECTED]
X-Redirect-To: [EMAIL PROTECTED]
X-Spam-Score: 40
X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7

This is a multi-part message in MIME format.



Re: /etc/spamassassin or /var/lib/spamassassin?

2007-03-29 Thread Anthony Peacock

Hi,

Nothing jumps out at me just looking at that.  You said you ran --lint 
with -D, did you run -t with -D?


Your Spam report is truncated so we can't see which rules are hit.  When 
you run spamassassin in test mode you should see a fuller report of the 
rules that hit.


Mark Adams wrote:

Ok, Fair enough.. I will change this listing to a whitelist_from_rcvd as
I assume this list is farmed by spammers. (Should be using that always
of course!)

Header below.

Envelope-to: [EMAIL PROTECTED]
Received: from hopnet.hopkins.co.uk ([10.0.0.23] helo=mail.hopkins.co.uk)
by hopkins.co.uk with esmtp (Exim 4.63)
(envelope-from [EMAIL PROTECTED])
id 1HWSt9-0005j0-CG
for [EMAIL PROTECTED]; Wed, 28 Mar 2007 08:48:11 +0100
Received: from [195.110.64.125] (helo=smtp.uk.colt.net)
by mail.hopkins.co.uk with esmtp (Exim 4.63)
(envelope-from [EMAIL PROTECTED])
id 1HWSt4-0005FR-5z
for [EMAIL PROTECTED]; Wed, 28 Mar 2007 08:48:11 +0100
Received: from mail.pdcmltd.co.uk (unknown [213.86.218.37])
by smtp.uk.colt.net (Postfix) with ESMTP
id 721B2126151; Wed, 28 Mar 2007 08:42:47 +0100 (BST)
Content-Class: urn:content-classes:message
Content-Transfer-Encoding: 7bit
Subject: Bury St Edmunds - Unit SU34
Importance: normal
Priority: normal
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary=_=_NextPart_001_01C7710E.58A560A4
Date: Wed, 28 Mar 2007 08:54:43 +0100
Message-ID: [EMAIL PROTECTED]
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.607
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Bury St Edmunds - Unit SU34
thread-index: AcdxDTLGeReHjG9FQsG+HfB3+1kiMg==
From: Guy Graham [EMAIL PROTECTED]
To: James Stonard [EMAIL PROTECTED],
Steve Sawyer [EMAIL PROTECTED],
[EMAIL PROTECTED],
[EMAIL PROTECTED],
Lindsay,Peter [EMAIL PROTECTED],
Tony White [EMAIL PROTECTED]
Cc: Ivan Stephenson [EMAIL PROTECTED]
X-Spam-Score: 40
X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_
X-Original-Recipient: [EMAIL PROTECTED]

This is a multi-part message in MIME format.




On Thu, Mar 29, 2007 at 03:03:10PM +0100, Anthony Peacock wrote:

Hi,

Because, more often than not, the reason that whitelisting is not 
matching is that the headers you think are matching are not.  Or there 
is a type in the whitelist.cf file.


By not allowing us to see the entire header, you are making us guess.

Mark Adams wrote:

Thanks for you reply.

Why would this make any difference?

The headers checked for whitelist addresses are as follows: if
Resent-From is set, use that; otherwise check all addresses taken from
the following set of headers:

Envelope-Sender
Resent-Sender 
X-Envelope-From

From


The only header that matches is From: which is the header I posted
below.

It seems as if it is not reading the whitelist_from entries at all. Or
whitelisting is somehow disabled, is that possible?

On Thu, Mar 29, 2007 at 02:19:06PM +0100, Anthony Peacock wrote:

Hi,

I would think we need to see the FULL headers of this example email 
before anyone can comment.


Mark Adams wrote:

Hi,

I have changed my reporting so it provides more information, and run
--test-mode with a message marked as spam, that should be whitelisted

whitelist.cf contents:

whitelist_from [EMAIL PROTECTED]

when running spamassassin -D --lint, I see the following line

[18351] dbg: config: read file /etc/spamassassin/whitelist.cf

But when running test mode I still do not get any reports on it being
hit by the whitelist.

Help!

On Wed, Mar 28, 2007 at 03:51:43PM +0100, Mark Adams wrote:

On Thu, Mar 22, 2007 at 04:40:27PM -0400, Bowie Bailey wrote:

Mark Adams wrote:

On Fri, Mar 02, 2007 at 10:06:51AM -0500, Bowie Bailey wrote:

Is it scoring the whitelist lower or is it just not hitting?

Can you post your whitelist rule and the headers from an example
message?

And why do you think this message should have hit the whitelist?  Show
me the From line in the email.

Hi, Header excerpt below. Once again help appreciated.

From: Guy Graham [EMAIL PROTECTED]
X-Spam-Score: 40
X-Spam-Report: hits=4.0 required=5.0 test=NO_RDNS,VOWEL_FROM_7
X-Original-Recipient: [EMAIL PROTECTED]


--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
If you have an apple and I have  an apple and we  exchange apples
then you and I will still each have  one apple. But  if you have an
idea and I have an idea and we exchange these ideas, then each of us
will have two ideas. -- George Bernard Shaw



Re: Big trouble

2007-03-29 Thread Theo Van Dinter
On Thu, Mar 29, 2007 at 12:37:56PM +0100, Justin Mason wrote:
  Could it be that the combined-HIB.dnsiplists.completewhois.com
  chokes under the load of a GA/perceptron run and stops responding?
  I've seen it unresponsive yesterday for about half an hour.
 
 odd. I guess that's a possibility... :(

Well, no actually, it couldn't possibly have anything to do with that --
the GA and perceptron simply process log files, they don't make queries.

If you mean the score generation run, which finished weeks ago btw, it's
possible but super highly unlikely.  We only have a handful of people
doing a run, and at max any of them are only going to be doing maybe 8
or 10 queries/sec, but much more likely it'd be 2-3 queries/sec.

If RBL servers can't handle the massive 30 queries/sec that we'd be
putting out, find another RBL. :)

-- 
Randomly Selected Tagline:
Has everybody had a cosmic breath?  Ok, let's continue. - Susan Vick


pgpGYqTZp4CdV.pgp
Description: PGP signature


Re: Using Postfix always_bcc for catching messages

2007-03-29 Thread Robert Fitzpatrick
On Thu, 2007-03-29 at 16:39 +0300, Henrik Krohns wrote:
 On Thu, Mar 29, 2007 at 09:25:55AM -0400, Robert Fitzpatrick wrote:
  I am running Postfix 2.3.5 with SA 3.1.7 and amavisd-new. If I catch a
  copy of all messages using the Postfix option of always_bcc, will this
  work when learning those messages? I am wondering if the bcc address
  being in the header of all those messages will cause any learning issues
  regarding the address.
 
 Use amavisd-new clean_quarantine method, it's more logical way imho. This
 way you end up with a single mail per file. And you can find messages for
 learning easily by quarantine ID.
 
 More info and scripts by request. :)

Got your script, all works perfectly, thanks! My question is how do I
know which archived id's to feed to your script to learn as spam, ham,
etc?

-- 
Robert



SpamAssassin as a filter, without running a mail server?

2007-03-29 Thread Chris Rouffer
Hello,

I've read the FAQ, and searched on Google for a couple of days now, but
can't seem to find the answer I need.  It may be that I'm simply asking the
wrong question, or misunderstanding what I read, but hopefully someone here
can help me.

I've been given the job of adding an Internet Content filter, firewall, and
spam filter to a small network in a non-profit organization.  Right now
there are about 5 email accounts, and their mail server is at their
web-host.  Is it possible for me to run SpamAssassin as a filter on the
firewall box, so that it simply filters email when the user retrieves it
from the mail server:

RemoteMailServer ---> [Firewall/Spamfilter/ContentFilter] ---> User's Machines

I have no access to the RemoteMailServer.  The
[Firewall/Spamfilter/ContentFilter] is a Ubuntu Dapper box running Shorewall
and DansGuardian.  The user machines are Win2k and WindowsXP.  I'd prefer
not to mess with the user accounts, if possible, so that we can add new
users or change email passwords without playing with the firewall box.

With DansGuardian, I forward all http traffic to a specific port, it's
filtered by DansGuardian, then forwarded on.  Can I do the same thing with
SpamAssassin?  Forward all inbound smtp traffic through some sort of mail
proxy and SA, or am I approaching this completely wrong?

Thanks for your help.

Chris





Amavis / SA / ClamAV

2007-03-29 Thread Jonathan M Metts
How many people use an Amavis setup to send messages through SA and 
possibly ClamAV?  Over the past month I have been trying to tweak my 
setup that has been running Postfix, SA, Cyrus-IMAP, and Sieve for 
awhile (running Debian), but wanted to add ClamAV to the mix (not sure 
why I didn't from the start, but oh well).


Needless to say, most methods I am finding are using Amavis.  My SA 
setup is working great, so I am not sure if I want to switch it up and 
have Amavis control everything as far as SA and ClamAV is concerned. 
This is primarily because I am not familiar with it, but also because my 
first attempt in using it failed earlier today.  I have a relayhost 
setup that uses TLS, and it was causing problems with Amavis trying to 
route mail back to Postfix without TLS (or that is what I think the 
problem was).


Just curious as to how many people use Amavis vs simply using SA and/or 
ClamAV.


Jonathan Metts


sa-update too quiet

2007-03-29 Thread Craig M

Could future versions of sa-update please be a little more vocal?  

Like maybe no new updates found | loaded xxx new updates | error xxx

Exit codes are not evident when simply typing sa-update on the command
line...

-- 
View this message in context: 
http://www.nabble.com/sa-update-too-quiet-tf3487700.html#a9738309
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Amavis / SA / ClamAV

2007-03-29 Thread Noel Jones

On 3/29/07, Jonathan M Metts [EMAIL PROTECTED] wrote:

How many people use an Amavis setup to send messages through SA and
possibly ClamAV?  Over the past month I have been trying to tweak my
setup that has been running Postfix, SA, Cyrus-IMAP, and Sieve for
awhile (running Debian), but wanted to add ClamAV to the mix (not sure
why I didn't from the start, but oh well).

Needless to say, most methods I am finding are using Amavis.  My SA
setup is working great, so I am not sure if I want to switch it up and
have Amavis control everything as far as SA and ClamAV is concerned.
This is primarily because I am not familiar with it, but also because my
first attempt in using it failed earlier today.  I have a relayhost
setup that uses TLS, and it was causing problems with Amavis trying to
route mail back to Postfix without TLS (or that is what I think the
problem was).

Just curious as to how many people use Amavis vs simply using SA and/or
ClamAV.

Jonathan Metts



amavisd-new is very popular with postfix users - widely used and well
supported by the author on the amavis-users mail list.  But note well:
there are numerous other products with similar names.  AFAIK
amavisd-new is the only amavis* that is currently maintained and I
would suggest not using any other variant.

See the amavisd-new web site for a detailed How-to on integrating with
postfix.  If you have trouble, ask on the amavis-users list - they're
a helpful bunch.

It's also possible to use amavisd-new only for clamav and keep your
existing SA setup if it's working well for you.

There are other choices for integrating clamav into your system,
notably clamsmtp.

amavisd-new  http://www.ijs.si/software/amavisd/
clamsmtp   http://memberwebs.com/nielsen/software/clamsmtp/


--
Noel Jones


Re: sa-update too quiet

2007-03-29 Thread Theo Van Dinter
On Thu, Mar 29, 2007 at 10:14:15AM -0700, Craig M wrote:
 Could future versions of sa-update please be a little more vocal?  

There's a RFE in bugzilla about mailing a report, perhaps a verbose option,
etc.  Patches welcome. :)

-- 
Randomly Selected Tagline:
The more RAM you have, the better -- M. Chambers


pgpJLUaC6CiLx.pgp
Description: PGP signature


Re: Who is APEWS.ORG

2007-03-29 Thread Jonas Eckerman

Marc Perkel wrote:


Here's what they have on the /24 block that I'm part of.


Systems running abusive Spamdefense on other systems expense. (CR, SAV 
or similar crap)

 for running abusive and selfish SAV from there.

Are you using (SMTP) Sender Address Verifications?
(Or Challenge Response?)

If you are, you *will* be blacklisted by some systems and DNSBLs. 
Probably not only apews (whoever they are).


You might see that as filtering, but to the systems (including 
both spam traps and SMTP servers) you connect to in order to 
verify falsified senders your system looks and acts like a 
spammer or dictionary attacker.


/Jonas

--
Jonas Eckerman, FSDB & Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



RE: sa-update too quiet

2007-03-29 Thread Bret Miller
 Could future versions of sa-update please be a little more vocal?

 Like maybe no new updates found | loaded xxx new updates | error xxx

 Exit codes are not evident when simply typing sa-update on the command
 line...

I created my own simple batch file for windows.
It runs sa-update.
Checks the return code.
Creates a message (some/no updates).
GREP's some basic info from the debug output so you can tell what got
updated.
And using a perl script, sends the message, report, and debug output to
me in e-mail every morning.

All this would be easy to do on any OS, I presume since I didn't use any
windows-specific tools except for the batch language itself.

Here's what the batch file looks like (watch the line wrapping):

call sa-update --channelfile sa-update-channels.txt --gpgkey 856AA88A -D 1>sa-update-out.txt 2>sa-update-dbg.txt
rem exit code 0 = rules updated, 1 = nothing new, 4 and up = failure;
rem test the high values first, since "if errorlevel 1" matches any code >= 1
if errorlevel 4 goto err
if errorlevel 1 goto noupd
echo Some rules updated.>sa-update-msg.txt
goto makelog
:err
echo sa-update failed with exit code %ERRORLEVEL%.>sa-update-msg.txt
goto makelog
:noupd
echo No updates available.>sa-update-msg.txt
:makelog
echo.>>sa-update-msg.txt
echo Log files attached.>>sa-update-msg.txt

rem keep only the interesting lines of the debug output (patterns in sa-update-grep.txt)
c:\bat\grep -F -f sa-update-grep.txt sa-update-dbg.txt >sa-update-log.txt

perl sa-update-send.pl <sa-update-msg.txt

-
And here's the perl script to send the e-mail:


# E-mail notification settings. The download/version log is sent plus
# if auto updating, the SA lint stdout and stderr are sent.
# E-mail is only sent if there is a newer version of at least one rule file.
# Set $mail_host to '' for no notification.
my $from_address = '[EMAIL PROTECTED]';
my $to_address   = '[EMAIL PROTECTED]';
my $mail_host    = 'mail.wcg.org';
my $subject      = 'SpamAssassin Rule Updates';

use MIME::Lite;
use Net::SMTP;

# The message text written by the batch file arrives on STDIN.
my $message_body = "";
while (<>) {
  $message_body .= $_;
}

if ($mail_host) {
  # Notify admins
  my $msg = MIME::Lite->new(
    From    => $from_address,
    To      => $to_address,
    Subject => $subject,
    Type    => 'multipart/mixed'
  ) or die "Error creating message: $!\n";

  $msg->attach(
    Type => 'TEXT',
    Data => $message_body
  ) or die "Error adding the text message part: $!\n";

  # grep'd summary of the debug output
  $msg->attach(
    Type        => 'text/plain',
    Path        => 'sa-update-log.txt',
    Filename    => 'sa-update-log.txt',
    Disposition => 'attachment'
  ) or die "Error adding sa-update-log.txt: $!\n";

  # full sa-update -D debug output (stderr)
  $msg->attach(
    Type        => 'text/plain',
    Path        => 'sa-update-dbg.txt',
    Filename    => 'sa-update-dbg.txt',
    Disposition => 'attachment'
  ) or die "Error adding sa-update-dbg.txt: $!\n";

  # sa-update stdout
  $msg->attach(
    Type        => 'text/plain',
    Path        => 'sa-update-out.txt',
    Filename    => 'sa-update-out.txt',
    Disposition => 'attachment'
  ) or die "Error adding sa-update-out.txt: $!\n";

  MIME::Lite->send('smtp', $mail_host, Timeout => 60);
  $msg->send;
}

-
HTH,
Bret





Re: SpamAssassin as a filter, without running a mail server?

2007-03-29 Thread John D. Hardin
On Thu, 29 Mar 2007, Chris Rouffer wrote:

 I've read the FAQ, and searched on Google for a couple of days
 now, but can't seem to find the answer I need.  It may be that I'm
 simply asking the wrong question, or misunderstanding what I read,
 but hopefully someone here can help me.
 
 I've been given the job of adding an Internet Content filter,
 firewall, and spam filter to a small network in a non-profit
 organization.  Right now there are about 5 email accounts, and
 their mail server is at their web-host.  Is it possible for me to
 run SpamAssassin as a filter on the firewall box, so that it
 simply filters email when the user retrieves it from the mail
 server:
 
 RemoteMailServer ---> [Firewall/Spamfilter/ContentFilter] ---> User's Machines
 
 I have no access to the RemoteMailServer.

It sounds to me like you have a few options:

(1) set up local mail accounts, and feed them off the hosted mailboxes
using fetchmail. This would let you shim SA et. al. into the local
delivery path. Users would have to reconfigure their POP/IMAP settings
to talk to the local mail server so it wouldn't be a change that is
*completely* transparent to them.

(2) get some sort of POP proxy that allows messages to be filtered by
SA (and possibly virus scanned). I don't know if the POP protocol
lends itself to refusing to retrieve a message for administrative
reasons, so that the proxy could retrieve the message and refuse to
deliver it to the client if it scores high or is contaminated.

Unfortunately I can't recommend any such as I've never had to
implement one, but searching on pop proxy or pop3 proxy might
help. Somebody else on the list may have direct experience and be 
able to offer better advice.

(3) go whole hog and set up a local MTA and mailbox server that is
under your control, and point your domain's MX at it. That lets you do
anything you want.

Sorry if you've already figured all these options out for yourself... 
:)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 15 days until Thomas Jefferson's 264th Birthday



Re: sa-update too quiet

2007-03-29 Thread Steve Lindemann

Bret Miller wrote:
Could future versions of sa-update please be a little more vocal?  


Like maybe no new updates found | loaded xxx new updates | error xxx

Exit codes are not evident when simply typing sa-update on the command
line...


I created my own simple batch file for windows.
It runs sa-update.
Checks the return code.
Creates a message (some/no updates).
GREP's some basic info from the debug output so you can tell what got
updated.
And using a perl script, sends the message, report, and debug output to
me in e-mail every morning.

All this would be easy to do on any OS, I presume since I didn't use any
windows-specific tools except for the batch language itself.

Here's what the batch file looks like (watch the line wrapping):

call sa-update --channelfile sa-update-channels.txt --gpgkey 856AA88A -D 1>sa-update-out.txt 2>sa-update-dbg.txt
rem exit code 0 = rules updated, 1 = nothing new, 4 and up = failure;
rem test the high values first, since "if errorlevel 1" matches any code >= 1
if errorlevel 4 goto err
if errorlevel 1 goto noupd
echo Some rules updated.>sa-update-msg.txt
goto makelog
:err
echo sa-update failed with exit code %ERRORLEVEL%.>sa-update-msg.txt
goto makelog
:noupd
echo No updates available.>sa-update-msg.txt
:makelog
echo.>>sa-update-msg.txt
echo Log files attached.>>sa-update-msg.txt

rem keep only the interesting lines of the debug output (patterns in sa-update-grep.txt)
c:\bat\grep -F -f sa-update-grep.txt sa-update-dbg.txt >sa-update-log.txt

perl sa-update-send.pl <sa-update-msg.txt

-
And here's the perl script to send the e-mail:


# E-mail notification settings. The download/version log is sent plus
# if auto updating, the SA lint stdout and stderr are sent.
# E-mail is only sent if there is a newer version of at least one rule file.
# Set $mail_host to '' for no notification.
my $from_address = '[EMAIL PROTECTED]';
my $to_address   = '[EMAIL PROTECTED]';
my $mail_host    = 'mail.wcg.org';
my $subject      = 'SpamAssassin Rule Updates';

use MIME::Lite;
use Net::SMTP;

# The message text written by the batch file arrives on STDIN.
my $message_body = "";
while (<>) {
  $message_body .= $_;
}

if ($mail_host) {
  # Notify admins
  my $msg = MIME::Lite->new(
    From    => $from_address,
    To      => $to_address,
    Subject => $subject,
    Type    => 'multipart/mixed'
  ) or die "Error creating message: $!\n";

  $msg->attach(
    Type => 'TEXT',
    Data => $message_body
  ) or die "Error adding the text message part: $!\n";

  # grep'd summary of the debug output
  $msg->attach(
    Type        => 'text/plain',
    Path        => 'sa-update-log.txt',
    Filename    => 'sa-update-log.txt',
    Disposition => 'attachment'
  ) or die "Error adding sa-update-log.txt: $!\n";

  # full sa-update -D debug output (stderr)
  $msg->attach(
    Type        => 'text/plain',
    Path        => 'sa-update-dbg.txt',
    Filename    => 'sa-update-dbg.txt',
    Disposition => 'attachment'
  ) or die "Error adding sa-update-dbg.txt: $!\n";

  # sa-update stdout
  $msg->attach(
    Type        => 'text/plain',
    Path        => 'sa-update-out.txt',
    Filename    => 'sa-update-out.txt',
    Disposition => 'attachment'
  ) or die "Error adding sa-update-out.txt: $!\n";

  MIME::Lite->send('smtp', $mail_host, Timeout => 60);
  $msg->send;
}

-
HTH,
Bret





Been using this script in a cron job (in the file 
/etc/cron.daily/sa-update.cron) for a bit now without any troubles, 
forget where I got it, might be I even wrote it myself, can't remember...


#!/bin/sh
#
# update spamassassin
#

sa-update
exitcode=$?
if [ $exitcode -eq 0 ]
then
  echo "Spamassassin rules updated."
  # lint the freshly installed rules first and only restart spamd once
  # they are known to load, so a bad update is reported, not deployed
  spamassassin --lint
  exitcode2=$?
  if [ $exitcode2 -eq 0 ]
  then
    echo "Lint passed without error."
    /etc/init.d/spamassassin restart
  else
    echo "Lint failed with exit code $exitcode2 - spamd not restarted."
  fi
  exit
fi

if [ $exitcode -eq 1 ]
then
  echo "Spamassassin update run - no new rules today."
  exit
fi

# any other exit code means sa-update did not succeed
echo "Spamassassin update exited with error code of $exitcode"
exit
#--eof--

--
Steve Lindemann __
Network Administrator  //\\  ASCII Ribbon Campaign
Marmot Library Network, Inc.   \\//  against HTML/RTF email,
  url: http://www.marmot.org   //\\  vCards & M$ attachments
email: mailto:[EMAIL PROTECTED]
voice: +1.970.242.3331 ext 16
  fax: +1.970.245.7854



Re: Who is APEWS.ORG

2007-03-29 Thread John D. Hardin
On Thu, 29 Mar 2007, Jonas Eckerman wrote:

 Are you using (SMTP) Sender Address Verifications?
 
 You might see that as filtering, but to the systems (including
 both spam traps and SMTP servers) you connect to in order to
 verify falsified senders your system looks and acts like a spammer
 or dictionary attacker.

Can anyone recommend a non-abusive way to validate email addresses?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 15 days until Thomas Jefferson's 264th Birthday



Re: Who is APEWS.ORG

2007-03-29 Thread maillist

John D. Hardin wrote:

On Thu, 29 Mar 2007, Jonas Eckerman wrote:

  

Are you using (SMTP) Sender Address Verifications?

You might see that as filtering, but to the systems (including
both spam traps and SMTP servers) you connect to in order to
verify falsified senders your system looks and acts like a spammer
or dictionary attacker.



Can anyone recommend a non-abusive way to validate email addresses?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 15 days until Thomas Jefferson's 264th Birthday

  


Send an email to [EMAIL PROTECTED], and ask them?


Re: Who is APEWS.ORG

2007-03-29 Thread Marc Perkel



Jonas Eckerman wrote:



Are you using (SMTP) Sender Address Verifications?
(Or Challenge Response?)

If you are, you *will* be blacklisted by some systems and DNSBLs. 
Probably not only apews (whoever they are).


You might see that as filtering, but to the systems (including both 
spam traps and SMTP servers) you connect to in order to verify 
falsified senders your system looks and acts like a spammer or 
dictionary attacker.


/Jonas



Yes - I am - and I'm going to continue to use it because SAV works very 
well when done right and it is not abusive. What is abusive is when 
blocklists that say they are spam related blocklists are used to block 
for reasons other than spam. SAV is a very effective technology and it 
is not abusive and I'm not going to be bullied out of using it.




Sender Address Verification is NOT abuse and very effective

2007-03-29 Thread Marc Perkel



John D. Hardin wrote:

Can anyone recommend a non-abusive way to validate email addresses?



Yes - Sender Address Verification (SAV) works very well. It is not 
abusive. Especially the way Exim implements it.




Re: sa-update too quiet

2007-03-29 Thread Chris St. Pierre

On Thu, 29 Mar 2007, Craig M wrote:


Could future versions of sa-update please be a little more vocal?

Like maybe no new updates found | loaded xxx new updates | error xxx

Exit codes are not evident when simply typing sa-update on the command
line...


It is the Unix Way for commands to be silent on success.  You will
understand why when you have hundreds of cronjobs running every night
(or every hour, or every minute) and you try to check your email.

Any verbosity added to sa-update should be only at the behest of an
extra argument.  Such preserves the sanity of Unix SAs everywhere.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

Never send mail to [EMAIL PROTECTED]



Re: Dumping and restoring the AWL?

2007-03-29 Thread Theo Van Dinter
On Thu, Mar 29, 2007 at 12:41:47PM -0700, Adam Harrison wrote:
 I see I can use sa-learn to dump and restore the Bayes db. Is there an
 equivalent for the AWL db?

There's no SA equivalent.  You can use the BerkeleyDB tools though.  Look at
db_dump and db_recover.

-- 
Randomly Selected Tagline:
Remember that the next time when you're using virgin RAM, as opposed
 to RAM that's been touched. - Pat Beirnes


pgptVzGx2CMW6.pgp
Description: PGP signature


Re: Sender Address Verification is NOT abuse and very effective

2007-03-29 Thread John D. Hardin
On Thu, 29 Mar 2007, Marc Perkel wrote:

 John D. Hardin wrote:
  Can anyone recommend a non-abusive way to validate email addresses?
 
 Yes - Sender Address Verification (SAV) works very well. It is not 
 abusive. Especially the way Exim implements it.

I am not necessarily speaking of the context of a MTA.

Example pulled out of thin air: if you had a corpus and you wanted to 
check the addresses within it, what would be a polite way to do so? 
Just open an SMTP connection and see what the far end says to RCPT 
TO:, but put a tight rate limit on it?

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 15 days until Thomas Jefferson's 264th Birthday



Re: Sender Address Verification is NOT abuse and very effective

2007-03-29 Thread Marc Perkel



John D. Hardin wrote:

On Thu, 29 Mar 2007, Marc Perkel wrote:

  

John D. Hardin wrote:


Can anyone recommend a non-abusive way to validate email addresses?
  
Yes - Sender Address Verification (SAV) works very well. It is not 
abusive. Especially the way Exim implements it.



I am not necessarily speaking of the context of a MTA.

Example pulled out of thin air: if you had a corpus and you wanted to 
check the addresses within it, what would be a polite way to do so? 
Just open an SMTP connection and see what the far end says to RCPT 
TO:, but put a tight rate limit on it?


  


Yes - that would work. Don't hit any one server faster than once a second.


Re: Sender Address Verification is NOT abuse and very effective

2007-03-29 Thread Rick Macdougall

Marc Perkel wrote:
 

I am not necessarily speaking of the context of a MTA.

Example pulled out of thin air: if you had a corpus and you wanted to 
check the addresses within it, what would be a polite way to do so? 
Just open an SMTP connection and see what the far end says to RCPT 
TO:, but put a tight rate limit on it?


  


Yes - that would work. Don't hit any one server faster than once a second.
And make a new connection per check.  My server will start replying 
invalid address to everything once 5 invalid attempts with the same 
connection are made.


Just FYI.

Regards,

Rick




proper whitelist to stop spoofing

2007-03-29 Thread Bill McCormick

Hello:

my user_prefs has:
whitelist_from [EMAIL PROTECTED]
whitelist_from_rcvd [EMAIL PROTECTED] hrndva.rr.com

A spammer spoofed my [EMAIL PROTECTED] so the whitelist gave it a -100.

my system is:
pop/fetchmail -> qmail -+   +-> vpopmail -> procmail -> maildir
                        |   |
                        +-> qmail-scanner -+
                            (spamassassin+clamav)

Questions:
1. Is my whitelist correct for making sure only users from workdomain
delivered by hrndva.rr.com are WL'd?
2. Can my system even see hrndva.rr.com from all switching around?
3. What is whitelist_from_rcvd looking at?


I tried to send the header, but it keeps getting this message rejected.


TIA,

Bill


Re: proper whitelist to stop spoofing

2007-03-29 Thread John D. Hardin
On Thu, 29 Mar 2007, Bill McCormick wrote:

 whitelist_from [EMAIL PROTECTED]

Lose that, it is trivially easy to forge.

 A spammer spoofed my [EMAIL PROTECTED] so the whitelist gave it
 a -100.

See? :)

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174     pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 15 days until Thomas Jefferson's 264th Birthday



Re: Check to see if my server is on Blacklists?

2007-03-29 Thread Don Ireland

Thanks a bunch EVERYONE who helped me with this!

I contacted my host with this.  The tech support rep must have been able 
to get the server removed from psbl because it's not there anymore.  And 
YES it was listed because when I used the link that someone provide for 
www.robtex.com, it showed up there.  The tech has promised that the 
server will be removed from the SCBL by tomorrow.


Don Ireland wrote:

Is there some place I can go and see if my email sever is on a blacklist?

I just received a msg that it's on at least one--psbl.

Thanks.

Don Ireland



  


Re: Sender Address Verification is NOT abuse and very effective

2007-03-29 Thread John Rudd

John D. Hardin wrote:

On Thu, 29 Mar 2007, Marc Perkel wrote:


John D. Hardin wrote:

Can anyone recommend a non-abusive way to validate email addresses?
Yes - Sender Address Verification (SAV) works very well. It is not 
abusive. Especially the way Exim implements it.


I am not necessarily speaking of the context of a MTA.

Example pulled out of thin air: if you had a corpus and you wanted to 
check the addresses within it, what would be a polite way to do so? 
Just open an SMTP connection and see what the far end says to RCPT 
TO:, but put a tight rate limit on it?


If someone was doing that to my server, I would consider it an attack, 
and blacklist them.


There is no polite way to do it.  It's not polite to take advantage of 
someone else's resources without their permission.  That's exactly what 
SAV does.


SAV is the same thing as TDMA/Challenge-Response, only the challenge is 
to the machine instead of the human.  Most of the same arguments apply.


Re: Sender Address Verification is NOT abuse and very effective

2007-03-29 Thread Marc Perkel



John Rudd wrote:

John D. Hardin wrote:

On Thu, 29 Mar 2007, Marc Perkel wrote:


John D. Hardin wrote:

Can anyone recommend a non-abusive way to validate email addresses?
Yes - Sender Address Verification (SAV) works very well. It is not 
abusive. Especially the way Exim implements it.


I am not necessarily speaking of the context of a MTA.

Example pulled out of thin air: if you had a corpus and you wanted to 
check the addresses within it, what would be a polite way to do so? 
Just open an SMTP connection and see what the far end says to RCPT 
TO:, but put a tight rate limit on it?


If someone was doing that to my server, I would consider it an attack, 
and blacklist them.


There is no polite way to do it.  It's not polite to take advantage of 
someone else's resources without their permission.  That's exactly 
what SAV does.


SAV is the same thing as TDMA/Challenge-Response, only the challenge is 
to the machine instead of the human.  Most of the same arguments apply.




The question was about a corpus of email. I assume that it means that 
the email is from multiple sources. So I doubt that someone running it 
would even be detectable by anyone else.


RE: proper whitelist to stop spoofing

2007-03-29 Thread Michael Scheidell


 -Original Message-
 From: Bill McCormick [mailto:[EMAIL PROTECTED] 
 Sent: Thursday, March 29, 2007 8:51 PM
 To: users@spamassassin.apache.org
 Subject: proper whitelist to stop spoofing
 
 
 Hello:
 
 my user_prefs has:

At least get rid of this one:
 whitelist_from [EMAIL PROTECTED]


 whitelist_from_rcvd [EMAIL PROTECTED] hrndva.rr.com
 
 A spammer spoofed my [EMAIL PROTECTED] so the whitelist 
 gave it a -100.

Smart spammer.  How did they know? Was it one of your domains? Or was it
your domain?
_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_


Re: proper whitelist to stop spoofing

2007-03-29 Thread Bill McCormick

Michael Scheidell wrote:



-Original Message-
From: Bill McCormick [mailto:[EMAIL PROTECTED] 
Sent: Thursday, March 29, 2007 8:51 PM

To: users@spamassassin.apache.org
Subject: proper whitelist to stop spoofing


Hello:

my user_prefs has:


At least get rid of this one:

whitelist_from [EMAIL PROTECTED]




whitelist_from_rcvd [EMAIL PROTECTED] hrndva.rr.com

A spammer spoofed my [EMAIL PROTECTED] so the whitelist 
gave it a -100.


Smart spammer.  How did they know? Was it one of your domains? Or was it
your domain?

It was the domain of company where I work.

Thanks for all the speedy replies!!



Re: Using Postfix always_bcc for catching messages

2007-03-29 Thread Robert Fitzpatrick
On Thu, 2007-03-29 at 18:31 +0300, Henrik Krohns wrote:
 On Thu, Mar 29, 2007 at 11:22:05AM -0400, Robert Fitzpatrick wrote:
  Got your script, all works perfectly, thanks! My question is how do I
  know which archived id's to feed to your script to learn as spam, ham,
  etc?
 
 Actually I'm not sure what your original question is now. If you meant
 autolearning or such, then the script is wrong of course.
 
 My script is for relearning manually false positives or spams. In that
 case you should already know what to do. :)

Yes, trying to come up with a semi-auto learn scheme. I am trying to
use cyrus sieve filters to come up with as much ham and spam as
possible, hence, trying to bcc a cyrus mailbox. Thanks for the script
though, I am sure it is going to come in handy. I believe I'll archive
as you suggest, let my sieve filters confirm ham and spam, delete the
rest from my mailbox.

So, do you think the bcc header will affect learning? That was my
original question.

-- 
Robert



Re: sa-update too quiet

2007-03-29 Thread Chris St. Pierre

On Fri, 30 Mar 2007, Henrik Krohns wrote:


On Thu, Mar 29, 2007 at 03:50:52PM -0500, Chris St. Pierre wrote:

On Thu, 29 Mar 2007, Craig M wrote:


Could future versions of sa-update please be a little more vocal?

Like maybe no new updates found | loaded xxx new updates | error xxx

Exit codes are not evident when simply typing sa-update on the command
line...


It is the Unix Way for commands to be silent on success.  You will
understand why when you have hundreds of cronjobs running every night
(or every hour, or every minute) and you try to check your email.


I guess I'm stating the obvious, but /dev/null 21 works just fine here.


Actually, it doesn't.  Dumping all output ensures that you don't see
any errors that occur either.  A command should be silent on success,
noisy on error.  I shouldn't have to worry about selectively
discarding output in order to keep my inbox sane.  (Or my shell
scripts quiet, or...)

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University



Re: Who is APEWS.ORG

2007-03-29 Thread Chris St. Pierre

On Thu, 29 Mar 2007, John D. Hardin wrote:


Can anyone recommend a non-abusive *automated* way to validate email
addresses?


Maybe you should ask the spammers. :)

Seriously, though, there are basically two options: VRFY (which many
servers have disabled for just this reason); and starting a fake
message and checking for recipient errors.  Still, a lot of people
don't reject mail for bum users, choosing instead to accept the mail
and bounce it -- again, for precisely this reason.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University




RFC: learn_spam script

2007-03-29 Thread Bill McCormick

#!/bin/bash

#DEBUG=$1

if [ `ls -A /home/bill/Mail/Maildir/.Trash/cur | wc -l` -eq 0 ]
  then
echo -e ** no trash!! **\n
  else
echo -e ** dumping trash **\n
for myfile in /home/bill/Mail/Maildir/.Trash/cur/*
do
  grep -s -q X-Spam-Status: Yes $myfile
  if [ $? -eq 0 ]
  then
echo -e ** report spam **\n
razor-report -home=/home/vpopmail/.razor $myfile 21
pyzor --homedir /etc/mail/spamassassin report  $myfile 21
  fi
  rm $myfile
  sleep 10
done
fi

if [ `ls -A /home/bill/Mail/Maildir/.Junk/cur | wc -l` -eq 0 ]
  then
echo -e ** no spam to learn!! **\n
  else
echo -e **  learning spam ... **\n
/usr/local/bin/sa-learn --username=vpopmail --dbpath 
home/bill/Mail/.spamassassin 
--prefs-file=/home/bill/Mail/.spamassassin/user_prefs --spam 
/home/bill/Mail/Maildir/.Junk/cur 21

for myfile in /home/bill/Mail/Maildir/.Junk/cur/*
do
  grep -s -q autolearn=ham $myfile
  if [ $? -eq 0 ]
  then
echo -e ** un-learning ham for spam **\n
sa-learn --forget $myfile 21
  fi
  razor-report -home=/home/vpopmail/.razor $myfile 21
  pyzor --homedir /etc/mail/spamassassin report  $myfile 21
  sleep 10
  rm $myfile
done
fi

find /home/bill/Mail/Maildir -regex '.*/cur/.*$' -ctime -1 -exec grep -l 
autolearn=no {} \;|grep -v \.users\|\.sare-users\|\.Junk  /tmp/ham


if [ -f /tmp/ham ]
  then
echo -e ** learning ham **\n
/usr/local/bin/sa-learn --username=vpopmail --dbpath 
/home/bill/Mail/.spamassassin 
--prefs-file=/home/bill/Mail/.spamassassin/user_prefs --ham -f /tmp/ham 21

rm /tmp/ham
  else
echo -e ** hmm ... no ham file in tmp **\n
fi

chown vpopmail.vchkpw 
/home/vpopmail/domains/mccormick.ath.cx/bill/.spamassassin/bayes_toks


Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread John D. Hardin
On Thu, 29 Mar 2007, Marc Perkel wrote:

 The question was about a corpus of email. I assume that it means
 that the email is from multiple sources.

Correct. Assume for the sake of argument that the distribution of
domains being checked somewhat reflects the distribution of ISP sizes
- for example, there would be more aol.com and hotmail.com addresses
than most other domains.

Also, duplicates would be collapsed so caching isn't really
beneficial.

 So I doubt that someone running it would even be detectable buy
 anyone else.

Well, yes, but whether or not you get caught does not affect the
morality or courtesy of an act...

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 15 days until Thomas Jefferson's 264th Birthday



Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread John Rudd

Marc Perkel wrote:



John Rudd wrote:

John D. Hardin wrote:

On Thu, 29 Mar 2007, Marc Perkel wrote:


John D. Hardin wrote:

Can anyone recommend a non-abusive way to validate email addresses?
Yes - Sender Address Verification (SAV) works very well. It is not 
abusive. Especially the way Exim implements it.


I am not necessarily speaking of the context of a MTA.

Example pulled out of thin air: if you had a corpus and you wanted to 
check the addresses within it, what would be a polite way to do so? 
Just open an SMTP connection and see what the far end says to RCPT 
TO:, but put a tight rate limit on it?


If someone was doing that to my server, I would consider it an attack, 
and blacklist them.


There is no polite way to do it.  It's not polite to take advantage of 
someone else's resources without their permission.  That's exactly 
what SAV does.


SAV is the same thing as TDMA/Challege-Response, only the challenge is 
to the machine instead of the human.  Most of the same arguments apply.




The question was about a corpus of email. I assume that it means that 
the email is from multiple sources. So I doubt that someone running it 
would even be detectable buy anyone else.


You can't control how many other people are doing the same probe at the 
same time.  It might seem like batching from a corpus makes it better 
than doing live probes, but the fact is that you don't know, and can't 
know.  All you can control is am I going to probe for TMDA/SAV or not.


In a private message, John Hardin suggested that putting TDMA and SAV 
into the same lump isn't fair.  I wont duplicate his email here (since 
that would be rude), but I will put my response here:


Consider the most common anti-TDMA argument:

Situation: One real sender address is forged on a couple million spam 
messages.  A significant portion of the planet uses TDMA.


TDMA result: innocent forged sender's inbox gets targeted with 100's of 
thousands to millions of challenges.  Their mail server gets flooded, 
and their inbox get flooded.


SAV result: innocent forged sender's server gets targeted with 100's of 
thousands to millions of challenges.  Server gets flooded.


In both cases, you're using the resources of someone else, who has not 
consented to be part of your anti-spam solution, for making your 
anti-spam decisions.  That is absolutely rude, and possibly abusive and 
destructive, whether you're doing it live or in batches from a corpus.


The ONLY way in which SAV is better than TDMA is that it eliminates the 
innocent end user from the problem.  However, it still involves the 
innocent mail server (and the innocent sysadmin, etc.).



If you want to deal with eliminating forgeries, require DK/DKIM.  Any 
resources that impacts upon the forged sender (obtaining their public 
key) is at least consensual on their part (because they have offered 
their public key).


Detecting Vulnerable Link

2007-03-29 Thread Duane Hill


I'm trying to create a rule that will detect a vulnerable link within a 
message:


body BADD_LINK /(?:href|src).*\.(?:bat|chm|dll|exe|lnk|pif|scr)['\s]/i
describe BADD_LINK Contains a link to a vulnerable file
scoreBADD_LINK 0.1

Something isn't right because tests show nothing is being detected. It 
could be too, I'm not looking at something right.


Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Marc Perkel



John D. Hardin wrote:

On Thu, 29 Mar 2007, Marc Perkel wrote:

  

The question was about a corpus of email. I assume that it means
that the email is from multiple sources.



Correct. Assume for the sake of argument that the distribution of
domains being checked somewhat reflects the distribution of ISP sizes
- for example, there would be more aol.com and hotmail.com addresses
than most other domains.

Also, duplicates would be collapsed so caching isn't really
beneficial.

  

So I doubt that someone running it would even be detectable buy
anyone else.



Well, yes, but whether or not you get caught does not affect the
morality or courtesy of an act...

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  You are in a maze of twisty little protocols,
  all written by Microsoft.
--
 15 days until Thomas Jefferson's 264th Birthday

  


I want people to use sender address verification against my servers for 
the domains I host because if someone is spoofing one of my domains I 
want it to fail. I welcome it. Because when domains do sender address 
verification then it makes spammers fail. And if spammers fail they will 
use someone else's domain - someone who refuses to use SAV. Is if theirs 
anything that causes collateral damage it's the face that my domains are 
less spammer friendly that yours are so they will spoof your domains 
rather than mine.




Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Daryl C. W. O'Shea

Marc Perkel wrote:

I want people to use sender address verification against my servers for 
the domains I host because if someone is spoofing one of my domains I 
want it to fail. I welcome it. Because when domains do sender address 
verification then it makes spammers fail. And if spammers fail they will 
use someone else's domain - someone who refuses to use SAV. Is if theirs 
anything that causes collateral damage it's the face that my domains are 
less spammer friendly that yours are so they will spoof your domains 
rather than mine.


That's just silly, and as a provider of an anti-spam service you should 
know that.


SAV is a lousy anti-forgery mechanism, primarily because it isn't an 
anti-forgery mechanism.  At best it's a somebody might legitimately use 
this address but I have no idea if it's being forged in this instance 
mechanism.  SAV doesn't make spammers fail, it merely requires them to 
use a valid address, and guess what, they've got billions of valid 
addresses at their disposal.


If you're concerned about, and want to prevent, your domains being 
abused then sign your mail or use another mechanism that allows all 
involved parties to agree upon a mechanism that requires more than DNS 
queries against an unknown/unwilling party.


If you wish to continue using SAV, and going by past statements of it 
works for my customers so I'm going to continue to do it I assume you 
will continue, then *please* stop complaining here every time you get 
blacklisted.  If you must, though, perhaps SPAM-L would be a more 
appropriate venue.



Daryl


Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Marc Perkel



Daryl C. W. O'Shea wrote:

Marc Perkel wrote:

I want people to use sender address verification against my servers 
for the domains I host because if someone is spoofing one of my 
domains I want it to fail. I welcome it. Because when domains do 
sender address verification then it makes spammers fail. And if 
spammers fail they will use someone else's domain - someone who 
refuses to use SAV. Is if theirs anything that causes collateral 
damage it's the face that my domains are less spammer friendly that 
yours are so they will spoof your domains rather than mine.


That's just silly, and as a provider of an anti-spam service you 
should know that.


SAV is a lousy anti-forgery mechanism, primarily because it isn't an 
anti-forgery mechanism.  At best it's a somebody might legitimately 
use this address but I have no idea if it's being forged in this 
instance mechanism.  SAV doesn't make spammers fail, it merely 
requires them to use a valid address, and guess what, they've got 
billions of valid addresses at their disposal.


If you're concerned about, and want to prevent, your domains being 
abused then sign your mail or use another mechanism that allows all 
involved parties to agree upon a mechanism that requires more than DNS 
queries against an unknown/unwilling party.


If you wish to continue using SAV, and going by past statements of it 
works for my customers so I'm going to continue to do it I assume you 
will continue, then *please* stop complaining here every time you get 
blacklisted.  If you must, though, perhaps SPAM-L would be a more 
appropriate venue.





I don't understand why you think SAV is a louse anti-forgery tool. It 
forces spammers to have to find real email addresses to forge. Domains 
that I host are rarely spoofed because when other hosts use SAV I 
welcome that and verify which email addresses are bad and the spam is 
rejected at connect time. When I use SAV I don't have to run those 
messages through spam assassin because I already know they are spam. So 
don't tell me that it doesn't work because I know for a fact that it does.


I WANT people to verify against my servers. I WELCOME it because 
spammers blacklist ME.


As to people blacklisting me - I am quite capable of effectively evening 
the score. Those who black list me are a buch of cowards who hide and 
create anonymous black lists to try to bully people into what they want 
us to do. But these people have left a trail that I'm reconstructing and 
I'm going to out them and it's going to be a very public outing. So I 
don't just complain when I get blacklisted. I fix the problem.




Re: SpamAssassin as a filter, without running a mail server?

2007-03-29 Thread Phil Barnett
On Thursday 29 March 2007 12:03, Chris Rouffer wrote:

 I've been given the job of adding an Internet Content filter, firewall, and
 spam filter to a small network in a non-profit organizaiton.  Right now
 there are about 5 email accounts, and their mail server is at their
 web-host.  Is it possible for me to run SpamAssassin as a filter on the
 firewall box, so that it simply filters email when the user retrieves it
 from the mail server:

I'd start with IPCop for the firewall.

http://www.ipcop.org

Then I'd add CopPlus (which is Dan's Guardian packaged for IPCop).

http://home.earthlink.net/~copplus/

Then I'd add CopFilter to finish it off.

http://www.copfilter.org

That would get you a nice appliance that has all the administration controls 
available via web pages.

An alternative to CopFilter would be to build a second box and build up a 
MailScanner box for the email. For a small place, that would probably be 
overkill. For a large outfit, I'd probably go that route and split mail 
scanning off from the firewall.

I have a recipe for a MailScanner box here:

http://www.leap-cf.org/presentations/MailScanner/

I believe that ClarkConnect can also do all the things you mention, but I 
think you have to purchase some of the modules.

-- 
Ballmer is basically saying: We know there's a problem but we're not going to 
tell you what it is because we want to ambush you in the future. 


Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Rick Macdougall

Marc Perkel wrote:



I don't understand why you think SAV is a louse anti-forgery tool. It 
forces spammers to have to find real email addresses to forge. Domains 
that I host are rarely spoofed because when other hosts use SAV I 
welcome that and verify which email addresses are bad and the spam is 
rejected at connect time. When I use SAV I don't have to run those 
messages through spam assassin because I already know they are spam. 
So don't tell me that it doesn't work because I know for a fact that 
it does.


I WANT people to verify against my servers. I WELCOME it because 
spammers blacklist ME.


As to people blacklisting me - I am quite capable of effectively 
evening the score. Those who black list me are a buch of cowards who 
hide and create anonymous black lists to try to bully people into what 
they want us to do. But these people have left a trail that I'm 
reconstructing and I'm going to out them and it's going to be a very 
public outing. So I don't just complain when I get blacklisted. I fix 
the problem.


I maintain various mail servers for ISP's and private companies around 
the world.  Probably 2-3 million users in total.  If your server is 
using SAV against any of our servers in excess of  500 or so invalid 
recipients per day, you are most likely on our internal blacklist.


We don't know if you are using SAV, TMDA or are just a clueless admin 
who bounces after accepting.  Seeing as how we get over a million 
bounces after accepting from various clueless admins around the globe 
you might see how were adverse to any type of sender verification.


You might welcome it but we can't tell the difference.  If you're 
servers end up on blacklists because of it, don't complain. You made 
your own bed and now you have to lay in it.


Regards,

Rick






Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Marc Perkel



Rick Macdougall wrote:

Marc Perkel wrote:



I don't understand why you think SAV is a louse anti-forgery tool. It 
forces spammers to have to find real email addresses to forge. 
Domains that I host are rarely spoofed because when other hosts use 
SAV I welcome that and verify which email addresses are bad and the 
spam is rejected at connect time. When I use SAV I don't have to run 
those messages through spam assassin because I already know they are 
spam. So don't tell me that it doesn't work because I know for a fact 
that it does.


I WANT people to verify against my servers. I WELCOME it because 
spammers blacklist ME.


As to people blacklisting me - I am quite capable of effectively 
evening the score. Those who black list me are a buch of cowards who 
hide and create anonymous black lists to try to bully people into 
what they want us to do. But these people have left a trail that I'm 
reconstructing and I'm going to out them and it's going to be a very 
public outing. So I don't just complain when I get blacklisted. I fix 
the problem.


I maintain various mail servers for ISP's and private companies around 
the world.  Probably 2-3 million users in total.  If your server is 
using SAV against any of our servers in excess of  500 or so invalid 
recipients per day, you are most likely on our internal blacklist.


We don't know if you are using SAV, TMDA or are just a clueless admin 
who bounces after accepting.  Seeing as how we get over a million 
bounces after accepting from various clueless admins around the globe 
you might see how were adverse to any type of sender verification.


You might welcome it but we can't tell the difference.  If you're 
servers end up on blacklists because of it, don't complain. You made 
your own bed and now you have to lay in it.


Regards,

Rick


I wouldn't be on your black list unless you manually added me to it.



Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Marc Perkel



Rick Macdougall wrote:



Same difference to me, you get blocked.  My servers are busy enough as 
it is (just as an example, one incoming SMTP server out of 4 with one 
client has consistent 80 connections per second, an average 500 
connections active at any given tine, the majority, over 80%, bounces 
or SAV checks).  So guess what?  I'm going to block those servers 
until they smarten up.





The reason you get so many bounces is that your servers are SAV hostile. 
If someone spoofs your domain then you're going to get SAV connection if 
you allow it or bounce connections if you don't. And the number of 
bounces is going to be a lot higher than the SAV requests because 
spammers like domains where the recipient host gives no information 
about if the account is valid or not.





Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Rick Macdougall

Marc Perkel wrote:



Rick Macdougall wrote:



Same difference to me, you get blocked.  My servers are busy enough 
as it is (just as an example, one incoming SMTP server out of 4 with 
one client has consistent 80 connections per second, an average 500 
connections active at any given tine, the majority, over 80%, bounces 
or SAV checks).  So guess what?  I'm going to block those servers 
until they smarten up.





The reason you get so many bounces is that your servers are SAV 
hostile. If someone spoofs your domain then you're going to get SAV 
connection if you allow it or bounce connections if you don't. And the 
number of bounces is going to be a lot higher than the SAV requests 
because spammers like domains where the recipient host gives no 
information about if the account is valid or not.



Uhhh, no.  We don't bounce.  Anyone who bounces is an asshat.  We reject 
551 at the smtp level for spam above a certain score and for user unknown. 

We aren't anti-SAV per say, we are anti-usernamechecking, we will return 
a User Unknown after 5 similar unsuccessful requests during the same 
smtp connection.


Think logically about it.

Regards,

Rick




Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Daryl C. W. O'Shea

Rick Macdougall wrote:

Marc Perkel wrote:


The reason you get so many bounces is that your servers are SAV 
hostile. If someone spoofs your domain then you're going to get SAV 
connection if you allow it or bounce connections if you don't. And the 
number of bounces is going to be a lot higher than the SAV requests 
because spammers like domains where the recipient host gives no 
information about if the account is valid or not.




Uhhh, no.  We don't bounce.  Anyone who bounces is an asshat.


+1

If Marc is bouncing spams, even when domains who refuse to play the SAV 
game are involved, he's being even more abusive than I had thought.



Daryl


Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread John Rudd

Marc Perkel wrote:

Derek Harding wrote:

Marc Perkel wrote:
I don't understand why you think SAV is a louse anti-forgery tool. It 
forces spammers to have to find real email addresses to forge. 

So here's a little thought experiment for you.

As you know more and more spam is sent by botnets from compromised 
machines. Those bots know a range of valid addresses because they're 
pulling them out of addressbooks on the local machines (they're also 
sending to those same addresses btw).


So - let's say you don't use SAV. You accept the message not knowing 
that it's from a fake address. Then you have to spam filter it.  If if 
fails, it creates a bounce.


No.  You do your spam filtering during the SMTP session, using a milter 
or something similar.  If it scores as spam, then you reject it during SMTP.


So, no, it doesn't create a bounce.  Only an idiot would bounce a 
message for being spam.




Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Rick Macdougall

John Rudd wrote:

Marc Perkel wrote:

Derek Harding wrote:

Marc Perkel wrote:
I don't understand why you think SAV is a louse anti-forgery tool. 
It forces spammers to have to find real email addresses to forge. 

So here's a little thought experiment for you.

As you know more and more spam is sent by botnets from compromised 
machines. Those bots know a range of valid addresses because they're 
pulling them out of addressbooks on the local machines (they're also 
sending to those same addresses btw).


So - let's say you don't use SAV. You accept the message not knowing 
that it's from a fake address. Then you have to spam filter it.  If 
if fails, it creates a bounce.


No.  You do your spam filtering during the SMTP session, using a 
milter or something similar.  If it scores as spam, then you reject it 
during SMTP.


So, no, it doesn't create a bounce.  Only an idiot would bounce a 
message for being spam.




Or if you are using something that doesn't easily support prefiltering 
then you can deliver with spam markup.


Do not ever bounce!  Ever!  I can not stress this enough.

blah.

Night folks!

Rick



Re: Sender Address Verification is NOT abouse and very effective

2007-03-29 Thread Daryl C. W. O'Shea

Marc Perkel wrote:



Daryl C. W. O'Shea wrote:


SAV is a lousy anti-forgery mechanism, primarily because it isn't an 
anti-forgery mechanism.  At best it's a somebody might legitimately 
use this address but I have no idea if it's being forged in this 
instance mechanism.  SAV doesn't make spammers fail, it merely 
requires them to use a valid address, and guess what, they've got 
billions of valid addresses at their disposal.



I don't understand why you think SAV is a louse anti-forgery tool.


I guess you missed the second half of that sentence then.  SAV cannot 
tell you that an address was not forged.  At best it can tell you that 
the address doesn't exist and it probably was sent by a third party.  If 
you want to call this a forgery (how you forge something that doesn't 
exist to begin with, I'm not sure) go for it.




It forces spammers to have to find real email addresses to forge.


Forcing spammers to forge an address is considered anti-forgery?  Now 
I'm confused.



Domains 
that I host are rarely spoofed because when other hosts use SAV I 
welcome that and verify which email addresses are bad and the spam is 
rejected at connect time. When I use SAV I don't have to run those 
messages through spam assassin because I already know they are spam. So 
don't tell me that it doesn't work because I know for a fact that it does.


OK, I won't tell you it doesn't work, and I didn't before either.  I'm 
simple suggesting that it's abusive and selfish.



I WANT people to verify against my servers. I WELCOME it because 
spammers blacklist ME.


As to people blacklisting me - I am quite capable of effectively evening 
the score. Those who black list me are a buch of cowards who hide and 
create anonymous black lists to try to bully people into what they want 
us to do. But these people have left a trail that I'm reconstructing and 
I'm going to out them and it's going to be a very public outing. So I 
don't just complain when I get blacklisted. I fix the problem.


If you want to waste your time on that go for it.  I'd be really 
surprised if you aren't currently, or have in the past, you yourself 
used blacklists operated by anonymous cowards though.



Daryl