Re: Wild behavior by SA-3.2.0

2007-05-13 Thread Loren Wilton

spamd: result: Y 5 -
DKIM_SIGNED,DKIM_VERIFIED,DK_SIGNED,DK_VERIFIED,HTML_IMAGE_ONLY_32,
HTML_MESSAGE,INVALID_DATE,MIME_HTML_ONLY,MIME_QP_LONG_LINE,MISSING_MIMEOLE,SPF_PASS


My guess, and only a guess, is that the mail message might somehow have been 
corrupted on the first try, and "fixed" by the exchange server.  If I had to 
guess, I'd say the header was truncated or corrupted.


Are you using some sort of milter to interface SA?  Possibly you are having 
some sort of line ending problems with \r\n vs \n resulting in blank lines 
occasionally being inserted in the headers that SA is seeing.  Since the 
mail ends in Exchange, it quite possibly treats \r\n and \n as equivalent in 
mail, but SA won't necessarily and mixed endings could cause problems.


   Loren
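Added example (not code from the thread, and not part of SpamAssassin): a small Python audit of the line-ending hypothesis above. It splits a raw message on whatever terminators it actually contains, counts which terminators the header block uses, and lists any header-looking lines stranded after the first empty line. The sample message is constructed; a single bare LF after a CRLF-terminated Date header is enough to make a parser stop collecting headers before DKIM-Signature, which is one way the DKIM rules could differ between two runs over what looks like the same message.

```python
import re

# Split on each terminator kind separately so we can see which ones the message mixes.
LINE_BREAK = re.compile(rb"(\r\n|\n|\r)")
HEADER_LINE = re.compile(rb"^[\x21-\x39\x3b-\x7e]+:")   # RFC 5322 field-name followed by ':'
FOLDED_LINE = re.compile(rb"^[ \t]")                   # continuation of the previous header

# Constructed sample: a bare LF appended after the CRLF-terminated Date header. That extra
# "\n" reads as an empty line, so header parsing ends before DKIM-Signature and Subject.
RAW_MIXED = (
    b"From: sender@example.com\r\n"
    b"To: user@example.org\r\n"
    b"Date: Sun, 13 May 2007 10:01:00 +1200\r\n\n"
    b"DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=sel; bh=c29tZWhhc2g=; b=c29tZXNpZw==\r\n"
    b"Subject: hello\r\n"
    b"\r\n"
    b"body text\r\n"
)
# The same message with consistent CRLF endings (the "\r\n\n" before the body never occurs).
RAW_CLEAN = RAW_MIXED.replace(b"\r\n\n", b"\r\n")


def split_with_endings(raw):
    """Return [(line_content, terminator), ...], keeping each line's own terminator."""
    lines = []
    pos = 0
    for m in LINE_BREAK.finditer(raw):
        lines.append((raw[pos:m.start()], m.group(1)))
        pos = m.end()
    if pos < len(raw):
        lines.append((raw[pos:], b""))
    return lines


def audit_headers(raw):
    """Describe where the header block ends and which terminators it used.

    'orphaned_headers' are lines that still look like headers but sit after the line that
    terminated the block; a non-empty list is the symptom of an inserted blank line.
    """
    lines = split_with_endings(raw)
    endings = {}
    headers = []
    end_index = None
    for i, (content, ending) in enumerate(lines):
        endings[ending] = endings.get(ending, 0) + 1
        if content == b"":
            end_index = i
            break
        if HEADER_LINE.match(content):
            headers.append(content.split(b":", 1)[0].decode("ascii"))
        elif not FOLDED_LINE.match(content):
            end_index = i          # neither a header nor a fold: block is over
            break
    orphaned = []
    if end_index is not None:
        for content, _ in lines[end_index + 1:]:
            if content == b"":
                break
            if HEADER_LINE.match(content):
                orphaned.append(content.split(b":", 1)[0].decode("ascii"))
    return {
        "endings": endings,
        "mixed_endings": len(endings) > 1,
        "headers": headers,
        "terminator_line": end_index,
        "orphaned_headers": orphaned,
    }


if __name__ == "__main__":
    for label, raw in (("mixed", RAW_MIXED), ("clean", RAW_CLEAN)):
        print(label, audit_headers(raw))
```

Run it against the message as the milter hands it to spamd and against the copy pulled back out of Exchange; if only the first shows mixed terminators and orphaned headers, the interface between the MTA and SA is the place to look.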




Re: Wild behavior by SA-3.2.0

2007-05-13 Thread Jason Haar
Jason Haar wrote:
>
> spamd: result: . 1 -
> DKIM_POLICY_SIGNSOME,HTML_IMAGE_ONLY_32,HTML_MESSAGE,SPF_PASS
>
>   

I can at least answer the DomainKey differences now. Exchange likes
removing headers it thinks aren't necessary - so although Dell is
signing their emails, the headers don't show up in the emails housed
within Exchange.

Go Microsoft! Ra, ra, r...

Jason


-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Wild behavior by SA-3.2.0

2007-05-13 Thread Jason Haar
We are seeing SA-3.2.0 acting strangely/inconsistently on our FC3 servers

Ever since upgrading from 3.1.8 to 3.2.0, we have started tagging HAM
that we never had problems with before. e.g. we just had it tag email
from Dell as spam with scores >5 as follows:

spamd: result: Y 5 -
DKIM_SIGNED,DKIM_VERIFIED,DK_SIGNED,DK_VERIFIED,HTML_IMAGE_ONLY_32,
HTML_MESSAGE,INVALID_DATE,MIME_HTML_ONLY,MIME_QP_LONG_LINE,MISSING_MIMEOLE,SPF_PASS

The weird thing was that when we noticed (less than 1/2 hour later) and
ran the same message through the same spamd on the same box - it scored
1.3/5!

spamd: result: . 1 -
DKIM_POLICY_SIGNSOME,HTML_IMAGE_ONLY_32,HTML_MESSAGE,SPF_PASS

Unfortunately the mail terminates on Exchange - so the second run is
over the message as pulled out of Exchange via IMAP - so it could have
been "cleaned up". The version we pulled was in multipart/alternative -
but perhaps the first run was in text/html only - I can't tell. The
weird thing is that there are tonnes more DKIM rules in the first run
than the second (that shouldn't have changed in 1/2 an hour), and the
message was classified as HTML_IMAGE_ONLY - whereas it actually had a
remote image link (their logo) - it wasn't in the message itself. Also
the INVALID_DATE doesn't seem correct either - according to the Received
and Date headers, they all look within seconds of each other (inc.
timezones).

I'm stumped. It makes no sense whatsoever. Any suggestions welcome.

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: razor and pyzor

2007-05-13 Thread Gary V
Pyzor is not actively maintained. It has not been for a while. All new 
pyzor installations use the main pyzor server. That server is overloaded 
and queries will often timeout (5 seconds wasted). Some generous person 
(Milton?) created a mirror a while ago and it responds much quicker. The 
mailing list archives tell the tale:


https://sourceforge.net/mailarchive/forum.php?forum_name=pyzor-users



Milton Cyrus is the man. Thanks Milton.

Gary V





Re: razor and pyzor

2007-05-13 Thread Gary V

On Sunday 13 May 2007 12:28, Gary V wrote:

Thanks for the excellent notes!

> Then run 'pyzor discover'. This creates
> /root/.pyzor/servers which is a file that contains the IP address and port
> to the main pyzor server. Don't use that server. Edit and change to
> 82.94.255.100:24441

Why?

--
Phil Barnett


Pyzor is not actively maintained. It has not been for a while. All new pyzor 
installations use the main pyzor server. That server is overloaded and 
queries will often timeout (5 seconds wasted). Some generous person 
(Milton?) created a mirror a while ago and it responds much quicker. The 
mailing list archives tell the tale:


https://sourceforge.net/mailarchive/forum.php?forum_name=pyzor-users

Gary V





Re: razor and pyzor

2007-05-13 Thread Loren Wilton

Then run 'pyzor discover'. This creates
/root/.pyzor/servers which is a file that contains the IP address and port
to the main pyzor server. Don't use that server. Edit and change to
82.94.255.100:24441


Why?


I believe I've read that the main Pyzor servers are noted for returning 
timeouts rather than useful information.


   Loren




Re: razor and pyzor

2007-05-13 Thread Phil Barnett
On Sunday 13 May 2007 12:28, Gary V wrote:

Thanks for the excellent notes!

> Then run 'pyzor discover'. This creates
> /root/.pyzor/servers which is a file that contains the IP address and port
> to the main pyzor server. Don't use that server. Edit and change to
> 82.94.255.100:24441

Why?

-- 
Phil Barnett
AI4OF
SKCC #600


Re: Inappropriate use of E-Mail addresses

2007-05-13 Thread Gene Heskett
On Sunday 13 May 2007, jdow wrote:
>I can't. But I can offer sympathy. Welcome to the world of the "Joe Job."
>It is the chief reason that I have pledged to NEVER EVER find in favor of
>a spammer if I find myself on a jury with him as the plaintiff or defendant.
>
>Besides, I'd probably jump over the jury box railing and gouge his eyes out
>before the trial was over.
>
>{^_^}Joanne

Chuckle, I can see the headlines now Joanne, with film at 6.

Seriously, the only way I wouldn't use something that didn't require that sort 
of close personal contact is because they a) won't call me cause I'm too old, 
and b) cause they'd never let me carry it into the courtroom.  Sometimes 
modern society gets in the way of what really should be "darwinian" 
results. :(

>- Original Message -
>From: "Gregory P. Ennis" <[EMAIL PROTECTED]>
>
>> Everyone,
>>
>> I have used spamassassin on our mail servers now for over 4 years and
>> have nothing but high praise for what it has done for us.  However,
>> recently we have been hit by bounced e-mail that is related to the
>> inappropriate use of some of our e-mail addresses.
>>
>> It appears that some spam artists with ip addresses that apparently
>> originate in Germany use bogus names identified with one of our e-mail
>> addresses to send solicitations for pharmaceuticals to various e-mail
>> addresses.  Some of these end up being undeliverable and then bounce
>> back to us.
>>
>> Can anyone direct me to software or an agency that can help me fight the
>> inappropriate use of our e-mail addresses in their spam.
>>
>> Greg Ennis



-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
What is comedy?  Comedy is the art of making people laugh without making
them puke.
-- Steve Martin


Re: R: R: Inappropriate use of E-Mail addresses

2007-05-13 Thread Dave Pooser
> Bart, you're right here, but if I was a spammer, I would avoid using
> SPF/SenderID-protected e-mail addresses in my From: headers, since it would
> reduce the choices of my message reaching dest.

I can say that since we started using SPF at $DAYJOB and finally killed the
fershlugginer catchall account (took me 6 years and a new boss to finally
put a bullet in it) we've seen MANY fewer joejobs. Don't know whether
there's causation or just correlation, but either way it makes me a happy
man.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"We owed them our loyalty, as Americans, and we gave it. But they
owed us sound judgment, clear thinking, concern for our welfare, a
guarantee that the threat to our country was equal to the price we
might be called upon to pay in defending it." -- Sen. Jim Webb (D-VA)




R: R: Inappropriate use of E-Mail addresses

2007-05-13 Thread Giampaolo Tomassoni
> -Original Message-
> From: Bart Schaefer [mailto:[EMAIL PROTECTED]
> 
> On 5/13/07, Gregory P. Ennis <[EMAIL PROTECTED]> wrote:
> > SPF seems very interesting.  Does spamAssassin automatically use an SPF
> > record if it exists?
> 
> There's a plugin.
> 
> > Do I set up an SPF record with whoever manages my MX DNS record?
> 
> Yes.  It's a TXT record.  Some DNS hosting companies will set it up
> for you, some will give you the ability to create a TXT record through
> their management interface (but you have to figure out what to put in
> the record yourself), and some don't support TXT records at all.
> 
> Note that SPF is not a magic bullet.  It's not yet that widely
> adopted, and any MTA that's doing accept-and-bounce for unknown
> addresses is probably not checking SPF either.

Bart, you're right here, but if I was a spammer, I would avoid using
SPF/SenderID-protected e-mail addresses in my From: headers, since it would
reduce the choices of my message reaching dest.

Don't you agree?

Giampaolo


> You probably also want to look at SenderID.  Wikipedia has a reasonable
> summary.



Re: Massive Spam Attack?

2007-05-13 Thread Jason Frisvold

Thanks for the heads up on this...  This has given me a few ideas on
some custom blocking software...  If it works out, I'll be sure to
release it...

On 5/13/07, Faisal N Jawdat <[EMAIL PROTECTED]> wrote:

Given the level of the traffic, you might look at implementing
something like Deny Spammers at the /24 level (rather than the host
level).

https://sourceforge.net/projects/deny-spammers/

-faisal

On May 13, 2007, at 12:15 AM, Jason Frisvold wrote:

> On 5/12/07, Jason Frisvold <[EMAIL PROTECTED]> wrote:
>> I installed the botnet plugin today, but it's not going to help
>> anyway..  The IPs these are coming from resolve to a variety of
>> different hostnames, all without triggering botnet at all.
>
> Here's a sample of the hits I'm getting ...  As you can see, it's a
> bunch of different IPs in various ranges..  I've decided to just block
> the ranges at this point..  I have no idea if there's anything legit
> in there, but I'll take that risk...
>
> baseball142.pamwheeled.com (66.96.245.142)
> baseball15.hammersmoky.com (66.96.245.15)
> baseball167.pamwheeled.com (66.96.245.167)
> baseball168.pamwheeled.com (66.96.245.168)
> baseball184.itlivestock.com (66.96.245.184)
> baseball20.hammersmoky.com (66.96.245.20)
> baseball210.itlivestock.com (66.96.245.210)
> baseball237.burmesetow.com (66.96.245.237)
> baseball247.burmesetow.com (66.96.245.247)
> baseball31.hammersmoky.com (66.96.245.31)
> baseball6.hammersmoky.com (66.96.245.6)
> baseball75.platenormal.com (66.96.245.75)
> crowflies110.yentropical.com (65.111.26.110)
> crowflies131.yentropical.com (65.111.26.131)
> crowflies15.mowcraving.com (65.111.26.15)
> crowflies168.ropepin.com (65.111.26.168)
> crowflies176.ropepin.com (65.111.26.176)
> crowflies186.ropepin.com (65.111.26.186)
> crowflies19.mowcraving.com (65.111.26.19)
> crowflies33.mowcraving.com (65.111.26.33)
> crowflies42.mowcraving.com (65.111.26.42)
> crowflies57.beforefor.com (65.111.26.57)
> crowflies63.beforefor.com (65.111.26.63)
> lampshade144.acidicbee.com (66.240.249.144)
> lampshade153.acidicbee.com (66.240.249.153)
> lampshade161.acidicbee.com (66.240.249.161)
> lampshade183.acidicbee.com (66.240.249.183)
> lampshade183.acidicbee.com (66.240.249.183)
> lampshade213.acidicbee.com (66.240.249.213)
> lampshade231.acidicbee.com (66.240.249.231)
> lampshade231.acidicbee.com (66.240.249.231)
> lampshade239.acidicbee.com (66.240.249.239)
> later112.itbobble.com (216.74.88.112)
> later13.divesthow.com (216.74.88.13)
> later15.divesthow.com (216.74.88.15)
> later189.tarponway.com (216.74.88.189)
> later20.divesthow.com (216.74.88.20)
> later216.usefulget.com (216.74.88.216)
> later217.usefulget.com (216.74.88.217)
> later225.usefulget.com (216.74.88.225)
> later250.usefulget.com (216.74.88.250)
> later69.itbobble.com (216.74.88.69)
> mail136.yenram.com (64.191.11.136)
> mail237.todinto.com (64.191.11.237)
> mail239.todinto.com (64.191.11.239)
> mail250.todinto.com (64.191.11.250)
> mail91.rangeat.com (64.191.11.91)
> movie113.fencingnow.com (216.10.25.113)
> movie119.fencingnow.com (216.10.25.119)
> movie120.fencingnow.com (216.10.25.120)
> movie126.fencingnow.com (216.10.25.126)
> movie166.measleit.com (216.10.25.166)
> movie184.measleit.com (216.10.25.184)
> movie207.fosteris.com (216.10.25.207)
> movie78.fencingnow.com (216.10.25.78)
> mustang214.pugto.com (72.37.196.214)
> mustang242.pugto.com (72.37.196.242)
> omega172.dressyoung.com (66.197.254.172)
> omega199.dressyoung.com (66.197.254.199)
> omega225.dressyoung.com (66.197.254.225)
> omega237.dressyoung.com (66.197.254.237)
> omega86.byknife.com (66.197.254.86)
> pick17.heatscanna.com (64.192.26.17)
> pick182.runninghit.com (64.192.26.182)
> rainy206.grimacehot.com (66.96.252.206)
> rush100.standbot.com (66.96.255.100)
> rush101.standbot.com (66.96.255.101)
> rush103.standbot.com (66.96.255.103)
> rush131.ifweight.com (66.96.255.131)
> rush188.whobeak.com (66.96.255.188)
> rush206.whobeak.com (66.96.255.206)
> rush208.whenpile.com (66.96.255.208)
> rush226.whenpile.com (66.96.255.226)
> rush232.whenpile.com (66.96.255.232)
> rush236.whenpile.com (66.96.255.236)
> rush251.whenpile.com (66.96.255.251)
> source238.wearisen.com (216.74.120.238)
> source244.wearisen.com (216.74.120.244)
> teaching200.wordssort.com (64.192.28.200)
> teaching33.camelcoat.com (64.192.28.33)
>
> --
> Jason 'XenoPhage' Frisvold
> [EMAIL PROTECTED]
> http://blog.godshell.com





--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com
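Added example (not code from the thread, and unrelated to the Deny Spammers project): a Python script that turns a list of "hostname (ip)" hits like the one quoted above into per-/24 counts, so the decision to block a whole range rests on how many distinct hosts and throwaway domains it produced rather than on a single hit. The sample input is a constructed subset of the lines in the post, with one duplicate and one junk line kept on purpose; the min_hosts threshold is this example's own safeguard, not anything the poster described.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample input: a handful of the hostname/IP lines quoted in the thread,
# one of them duplicated and one line that is not a hit at all.
SAMPLE_HITS = """\
baseball142.pamwheeled.com (66.96.245.142)
baseball15.hammersmoky.com (66.96.245.15)
baseball184.itlivestock.com (66.96.245.184)
crowflies110.yentropical.com (65.111.26.110)
crowflies15.mowcraving.com (65.111.26.15)
lampshade183.acidicbee.com (66.240.249.183)
lampshade183.acidicbee.com (66.240.249.183)
rainy206.grimacehot.com (66.96.252.206)
this line is not a hit
"""

HIT_LINE = re.compile(r"^(?P<host>[A-Za-z0-9.-]+)\s+\((?P<ip>[0-9.]+)\)$")


def parse_hits(text):
    """Yield (hostname, IPv4Address) for every well-formed 'host (ip)' line; skip the rest."""
    for line in text.splitlines():
        m = HIT_LINE.match(line.strip())
        if not m:
            continue
        try:
            ip = ipaddress.IPv4Address(m.group("ip"))
        except ValueError:
            continue
        yield m.group("host"), ip


def registered_domain(host):
    """Crude 'domain': everything after the first label (fine for host.domain.tld names)."""
    return host.split(".", 1)[1] if "." in host else host


def aggregate_by_prefix(text, prefixlen=24, min_hosts=2):
    """Group hits into /prefixlen networks.

    Returns [(network, distinct_hosts, distinct_domains, total_hits), ...] sorted by
    total hits, keeping only networks with at least min_hosts distinct sending hosts so
    that one noisy host does not get its whole /24 blocked on its own.
    """
    hosts = defaultdict(set)
    domains = defaultdict(set)
    hits = Counter()
    for host, ip in parse_hits(text):
        net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
        hosts[net].add(ip)
        domains[net].add(registered_domain(host))
        hits[net] += 1
    rows = [
        (str(net), len(hosts[net]), len(domains[net]), hits[net])
        for net in hits
        if len(hosts[net]) >= min_hosts
    ]
    rows.sort(key=lambda row: (-row[3], row[0]))
    return rows


if __name__ == "__main__":
    for net, n_hosts, n_domains, n_hits in aggregate_by_prefix(SAMPLE_HITS):
        print(f"{net:18} hosts={n_hosts} domains={n_domains} hits={n_hits}")
```

Feed it the full list from the post (or a grep of your MTA log) and the networks with many distinct hosts across many disposable domains are the ones worth a range-level rule; a /24 that shows one host is better handled per host, since the thread itself notes nobody knows what else lives in those ranges.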


Re: R: Inappropriate use of E-Mail addresses

2007-05-13 Thread Bart Schaefer

On 5/13/07, Gregory P. Ennis <[EMAIL PROTECTED]> wrote:

SPF seems very interesting.  Does spamAssassin automatically use an SPF
record if it exists?


There's a plugin.


Do I set up an SPF record with whoever manages my MX DNS record?


Yes.  It's a TXT record.  Some DNS hosting companies will set it up
for you, some will give you the ability to create a TXT record through
their management interface (but you have to figure out what to put in
the record yourself), and some don't support TXT records at all.

Note that SPF is not a magic bullet.  It's not yet that widely
adopted, and any MTA that's doing accept-and-bounce for unknown
addresses is probably not checking SPF either.

You probably also want to look at SenderID.  Wikipedia has a reasonable summary.


RE: razor and pyzor

2007-05-13 Thread Gary V

PS

wget http://spamassassin.apache.org/full/3.0.x/dist/sample-spam.txt
razor-check -d sample-spam.txt | more

The razor servers run on tcp port 2703.





RE: razor and pyzor

2007-05-13 Thread Gary V

Greetings

I am not new to SA

However, I am new to razor and pyzor... I must admit to only cursory viewing
of any of those type of posts for the past year or more...

Are those of you running medium to high volume mail servers happy with razor
and pyzor for just the scoring they provide?

Should I be adjusting timeouts or anything or are the defaults pretty good.

Searching and reading, I really haven't found a lot of fine tuning info on
them other than the basics and docs at Vipul's site so are they as
plug and play as the install was?

Thanks

 - rh

--
Abba Communications
Spokane, WA
www.abbacomm.net



These are my observations. Others may differ.

Each of these have files that are used by the user running 
spamassassin/spamc/whatever located in their home directory (e.g. 
/home/user/.pyzor /home/user/.razor). At least to work properly that is the 
way it should be set up. So, if you run spamassassin as one user (a site 
wide setup) then you only have to set up one user. If not, then ideally 
everyone that uses SA would be set up.


Let's say you are logged in as root. Install pyzor via your package manager 
(recommended because otherwise you may have to search around for patches and 
make some permission changes). Then run 'pyzor discover'. This creates 
/root/.pyzor/servers which is a file that contains the IP address and port 
to the main pyzor server. Don't use that server. Edit and change to 
82.94.255.100:24441


Run 'pyzor ping' to see if you get a response. If you don't you may be 
blocking outbound udp/tcp on port 24441 or inbound udp from 82.94.255.100 
(ports 1024 - 65535).


If it works, you can do the same for other users as needed.
su user1 -c 'pyzor discover; echo "82.94.255.100:24441" > /home/user1/.pyzor/servers; pyzor ping'


Razor.
Set up root first.
razor-admin -create
razor-admin -create
(yes - run it twice)

I also suggest creating an identity.
razor-admin -register
(you may have to run this twice)

I suggest disabling logging (or logs will eventually fill your hard drive)
edit /root/.razor/razor-agent.conf

If you don't have that file, your system may have created a site wide 
configuration file (which may be a good idea). It is probably 
/etc/razor/razor-agent.conf


Edit the file and change:
debuglevel = 3
to
debuglevel = 0

If you don't have /etc/razor/razor-agent.conf but would like to use it 
site-wide:

mkdir /etc/razor
mv /root/.razor/razor-agent.conf /etc/razor

If /etc/razor/razor-agent.conf exists, when you run 'razor-admin -create' 
razor-agent.conf will not be created in the .razor directory of the user 
running the command. If it does not exist then razor-agent.conf will be 
created (and then may need to be edited).


If you want to use one identity for the entire system, copy the contents of 
/root/.razor to each user that will run SA and then give them ownership.


cp -r /root/.razor /home/user1/
chown -R user1:user1 /home/user1/.razor

If you plan on reporting (spamassassin -r) and want each user to have their 
own identity, then you should run 'razor-admin -create' (twice) and 
'razor-admin -register' (may need to run it twice) as the user in question.


su user1 -c 'razor-admin -create; razor-admin -create; razor-admin -register'


Remember, if you do not have /etc/razor/razor-agent.conf then you may need 
to edit razor-agent.conf for each user.


Also, I suggest a crontab entry for each user that runs 'razor-admin -discover' 
about once a week or so.


sfa:~# ls -l /root/.razor
total 6
lrwxrwxrwx  1 root root  19 2007-05-13 10:01 identity -> identity-rusG9yXAjJ
-rw---  1 root root  90 2007-05-13 10:01 identity-rusG9yXAjJ
-rw-r--r--  1 root root 604 2007-05-13 10:01 razor-agent.log
-rw-r--r--  1 root root 714 2007-05-13 09:59 server.folly.cloudmark.com.conf
-rw-r--r--  1 root root  38 2007-05-13 09:59 servers.catalogue.lst
-rw-r--r--  1 root root  22 2007-05-13 09:59 servers.discovery.lst
-rw-r--r--  1 root root  38 2007-05-13 09:59 servers.nomination.lst

sfa:~# cat /etc/razor/razor-agent.conf
#
# Razor2 config file
#
# Autogenerated by Razor-Agents v2.81
# Sun May 13 09:59:24 2007
# Non-default values taken from /etc/razor/razor-agent.conf
#
# see razor-agent.conf(5) man page
#

debuglevel = 0
identity   = identity
ignorelist = 0
listfile_catalogue = servers.catalogue.lst
listfile_discovery = servers.discovery.lst
listfile_nomination= servers.nomination.lst
logfile= razor-agent.log
logic_method   = 4
min_cf = ac
razordiscovery = discovery.spamnet.com
rediscovery_wait   = 172800
report_headers = 1
turn_off_discovery = 0
use_engines= 4,8
whitelist  = razor-whitelist

If you don't create .razor files for each user that runs SA then it will try 
to -discover its servers every time it runs. This is time consuming for you, 
and increases load on the razor servers too.


Gary V
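Added example (not code from the post, and not part of razor or pyzor): a Python checker for the two files the walkthrough above tells you to edit by hand, razor-agent.conf and ~/.pyzor/servers. It parses the "key = value" format shown in the post, flags a debuglevel other than 0 and a servers file that does not point at the 82.94.255.100:24441 mirror, and writes corrected contents while keeping the autogenerated comments. The sample file contents are constructed; "main-pyzor-server.example.invalid" is a placeholder for whatever address 'pyzor discover' writes, which the post does not give.

```python
import re

MIRROR = "82.94.255.100:24441"          # the Pyzor mirror recommended in the post
KV_LINE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")

# Constructed sample input modelled on the files the post describes.
RAZOR_CONF_BEFORE = """\
#
# Razor2 config file
#
debuglevel = 3
identity   = identity
logfile= razor-agent.log
turn_off_discovery = 0
"""
# Placeholder for the default server that 'pyzor discover' writes (address not in the post).
PYZOR_SERVERS_BEFORE = "main-pyzor-server.example.invalid:24441\n"


def parse_kv(text):
    """Parse 'key = value' lines into a dict; comments and blank lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m and not line.lstrip().startswith("#"):
            conf[m.group(1)] = m.group(2)
    return conf


def set_values(text, updates):
    """Rewrite the given keys in place, keep every other line, append keys that were missing."""
    pending = dict(updates)
    out = []
    for line in text.splitlines():
        m = KV_LINE.match(line)
        if m and m.group(1) in pending:
            out.append(f"{m.group(1)} = {pending.pop(m.group(1))}")
        else:
            out.append(line)
    out.extend(f"{key} = {value}" for key, value in pending.items())
    return "\n".join(out) + "\n"


def audit_razor_conf(text):
    """Findings for razor-agent.conf: the post wants debuglevel 0 so the log cannot fill the disk."""
    level = parse_kv(text).get("debuglevel", "(unset)")
    if level != "0":
        return [f"razor: debuglevel is {level}; set it to 0 so razor-agent.log does not grow without bound"]
    return []


def audit_pyzor_servers(text):
    """Findings for ~/.pyzor/servers: it should list the mirror, not the overloaded main server."""
    servers = [line.strip() for line in text.splitlines() if line.strip()]
    if not servers:
        return ["pyzor: servers file is empty; run 'pyzor discover' first"]
    if MIRROR not in servers:
        return [f"pyzor: servers file lists {', '.join(servers)} instead of the mirror {MIRROR}"]
    return []


def harden(razor_text, pyzor_text):
    """Return corrected contents for razor-agent.conf and the pyzor servers file."""
    findings = audit_razor_conf(razor_text) + audit_pyzor_servers(pyzor_text)
    razor_fixed = set_values(razor_text, {"debuglevel": "0"}) if findings else razor_text
    return razor_fixed, MIRROR + "\n"


if __name__ == "__main__":
    for finding in audit_razor_conf(RAZOR_CONF_BEFORE) + audit_pyzor_servers(PYZOR_SERVERS_BEFORE):
        print(finding)
    razor_after, pyzor_after = harden(RAZOR_CONF_BEFORE, PYZOR_SERVERS_BEFORE)
    print(razor_after)
    print(pyzor_after)
```

Point audit_razor_conf at /etc/razor/razor-agent.conf (or each user's ~/.razor/razor-agent.conf when there is no site-wide file) and audit_pyzor_servers at each ~/.pyzor/servers; the same loop over users is what the su commands in the post do by hand.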


Re: Massive Spam Attack?

2007-05-13 Thread Faisal N Jawdat
Given the level of the traffic, you might look at implementing
something like Deny Spammers at the /24 level (rather than the host
level).


https://sourceforge.net/projects/deny-spammers/

-faisal

On May 13, 2007, at 12:15 AM, Jason Frisvold wrote:


On 5/12/07, Jason Frisvold <[EMAIL PROTECTED]> wrote:

I installed the botnet plugin today, but it's not going to help
anyway..  The IPs these are coming from resolve to a variety of
different hostnames, all without triggering botnet at all.


Here's a sample of the hits I'm getting ...  As you can see, it's a
bunch of different IPs in various ranges..  I've decided to just block
the ranges at this point..  I have no idea if there's anything legit
in there, but I'll take that risk...

baseball142.pamwheeled.com (66.96.245.142)
baseball15.hammersmoky.com (66.96.245.15)
baseball167.pamwheeled.com (66.96.245.167)
baseball168.pamwheeled.com (66.96.245.168)
baseball184.itlivestock.com (66.96.245.184)
baseball20.hammersmoky.com (66.96.245.20)
baseball210.itlivestock.com (66.96.245.210)
baseball237.burmesetow.com (66.96.245.237)
baseball247.burmesetow.com (66.96.245.247)
baseball31.hammersmoky.com (66.96.245.31)
baseball6.hammersmoky.com (66.96.245.6)
baseball75.platenormal.com (66.96.245.75)
crowflies110.yentropical.com (65.111.26.110)
crowflies131.yentropical.com (65.111.26.131)
crowflies15.mowcraving.com (65.111.26.15)
crowflies168.ropepin.com (65.111.26.168)
crowflies176.ropepin.com (65.111.26.176)
crowflies186.ropepin.com (65.111.26.186)
crowflies19.mowcraving.com (65.111.26.19)
crowflies33.mowcraving.com (65.111.26.33)
crowflies42.mowcraving.com (65.111.26.42)
crowflies57.beforefor.com (65.111.26.57)
crowflies63.beforefor.com (65.111.26.63)
lampshade144.acidicbee.com (66.240.249.144)
lampshade153.acidicbee.com (66.240.249.153)
lampshade161.acidicbee.com (66.240.249.161)
lampshade183.acidicbee.com (66.240.249.183)
lampshade183.acidicbee.com (66.240.249.183)
lampshade213.acidicbee.com (66.240.249.213)
lampshade231.acidicbee.com (66.240.249.231)
lampshade231.acidicbee.com (66.240.249.231)
lampshade239.acidicbee.com (66.240.249.239)
later112.itbobble.com (216.74.88.112)
later13.divesthow.com (216.74.88.13)
later15.divesthow.com (216.74.88.15)
later189.tarponway.com (216.74.88.189)
later20.divesthow.com (216.74.88.20)
later216.usefulget.com (216.74.88.216)
later217.usefulget.com (216.74.88.217)
later225.usefulget.com (216.74.88.225)
later250.usefulget.com (216.74.88.250)
later69.itbobble.com (216.74.88.69)
mail136.yenram.com (64.191.11.136)
mail237.todinto.com (64.191.11.237)
mail239.todinto.com (64.191.11.239)
mail250.todinto.com (64.191.11.250)
mail91.rangeat.com (64.191.11.91)
movie113.fencingnow.com (216.10.25.113)
movie119.fencingnow.com (216.10.25.119)
movie120.fencingnow.com (216.10.25.120)
movie126.fencingnow.com (216.10.25.126)
movie166.measleit.com (216.10.25.166)
movie184.measleit.com (216.10.25.184)
movie207.fosteris.com (216.10.25.207)
movie78.fencingnow.com (216.10.25.78)
mustang214.pugto.com (72.37.196.214)
mustang242.pugto.com (72.37.196.242)
omega172.dressyoung.com (66.197.254.172)
omega199.dressyoung.com (66.197.254.199)
omega225.dressyoung.com (66.197.254.225)
omega237.dressyoung.com (66.197.254.237)
omega86.byknife.com (66.197.254.86)
pick17.heatscanna.com (64.192.26.17)
pick182.runninghit.com (64.192.26.182)
rainy206.grimacehot.com (66.96.252.206)
rush100.standbot.com (66.96.255.100)
rush101.standbot.com (66.96.255.101)
rush103.standbot.com (66.96.255.103)
rush131.ifweight.com (66.96.255.131)
rush188.whobeak.com (66.96.255.188)
rush206.whobeak.com (66.96.255.206)
rush208.whenpile.com (66.96.255.208)
rush226.whenpile.com (66.96.255.226)
rush232.whenpile.com (66.96.255.232)
rush236.whenpile.com (66.96.255.236)
rush251.whenpile.com (66.96.255.251)
source238.wearisen.com (216.74.120.238)
source244.wearisen.com (216.74.120.244)
teaching200.wordssort.com (64.192.28.200)
teaching33.camelcoat.com (64.192.28.33)

--
Jason 'XenoPhage' Frisvold
[EMAIL PROTECTED]
http://blog.godshell.com




Re: R: Inappropriate use of E-Mail addresses

2007-05-13 Thread Gregory P. Ennis
On Sun, 2007-05-13 at 16:19 +0200, Giampaolo Tomassoni wrote:
> > -Original Message-
> > From: Gregory P. Ennis [mailto:[EMAIL PROTECTED]
> > 
> > On Sun, 2007-05-13 at 15:16 +0200, Giampaolo Tomassoni wrote:
> > > > -Original Message-
> > > > From: Gregory P. Ennis [mailto:[EMAIL PROTECTED]
> > > >
> > > > Everyone,
> > > >
> > > > I have used spamassassin on our mail servers now for over 4 years and
> > > > have nothing but high praise for what it has done for us.  However,
> > > > recently we have been hit by bounced e-mail that is related to the
> > > > inappropriate use of some of our e-mail addresses.
> > > >
> > > > It appears that some spam artists with ip addresses that apparently
> > > > originate in Germany use bogus names identified with one of our e-mail
> > > > addresses to send solicitations for pharmaceuticals to various e-mail
> > > > addresses.  Some of these end up being undeliverable and then bounce
> > > > back to us.
> > > >
> > > > Can anyone direct me to software or an agency that can help me fight
> > > > the inappropriate use of our e-mail addresses in their spam.
> > >
> > > What about SPF or DKIM? They are fully supported by SA, too.
> > >
> > > Also, report the bounces as spam: MTAs should avoid producing bounce
> > > messages when a destination mailbox doesn't exist. They should give a
> > > 550 error code, instead.
> > >
> > > Giampaolo
> > >
> > >
> > Thanks for your suggestions.  I upgraded to 3.20 yesterday via cpan, but
> > when I tried to run DKIM I received some configuration errors.  I have
> > not debugged it yet but believe it was related to configuration
> > differences between a cpan installation and what was normally on Fedora
> > Core 4.  I am planning on upgrading the os to CentOS 5.0 which already
> > has spamassassin 3.2 packaged.
> > 
> > I am not familiar with SPF?
> 
> To you, it is not that important to configure SPF in SA, but instead to
> configure your DNS zone such that OTHER MTAs may detect the spam source as
> not really being from you.
> 
> By implementing SPF, some MTAs and most SA installations will refuse/mark as
> spam the spam faking your mail addresses, thereby spammers will be pushed to
> not use any e-mail from your domain in their faked From:.
> 
> Have a look at http://www.openspf.org/Specifications in order to learn how
> to set up your DNS zone for SPF.
> 
> Giampaolo
> 
> > 
SPF seems very interesting.  Does spamAssassin automatically use an SPF
record if it exists?  Do I set up an SPF record with whoever manages my
MX DNS record?  I will need to study the SPF material in depth... sorry
if my questions are beginner!!!

Thanks for your help

Greg
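Added example (not code from the thread, and not the SpamAssassin SPF plugin): a minimal Python SPF evaluator that illustrates both halves of the exchange above, the TXT record Greg would publish and the check Bart's plugin and other MTAs perform against it. build_spf_record composes the record from the networks allowed to send for a domain; check_spf evaluates a connecting IP against it, following includes. DNS is replaced by a constructed in-memory zone so the example runs offline, and only the ip4, ip6, include and all mechanisms are implemented (no a, mx, exists, redirect or macros); a record using anything else yields permerror here, which is this example's simplification rather than a property of real SPF.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (example.com / example.net are documentation names).
ZONE_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.25 ~all",
    "nospf.example": "some unrelated TXT record",
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def build_spf_record(networks, includes=(), policy="-all"):
    """Compose the TXT value to publish: the networks that may send mail for the domain,
    any third-party senders to include, and what receivers should do with everything else."""
    terms = ["v=spf1"]
    for spec in networks:
        net = ipaddress.ip_network(spec, strict=False)
        terms.append(("ip4:" if net.version == 4 else "ip6:") + str(net))
    terms.extend("include:" + domain for domain in includes)
    terms.append(policy)
    return " ".join(terms)


def lookup_spf(domain, zone):
    """Return the domain's SPF record, or None if it publishes none."""
    record = zone.get(domain, "")
    return record if record.split()[:1] == ["v=spf1"] else None


def check_spf(domain, client_ip, zone=ZONE_TXT, depth=0):
    """Evaluate client_ip against the domain's SPF record.

    Results use RFC 7208 names: pass, fail, softfail, neutral, none, permerror.
    Mechanisms other than ip4/ip6/include/all are not implemented and give permerror.
    """
    if depth > 10:                       # RFC 7208 limits DNS-querying mechanisms to 10
        return "permerror"
    record = lookup_spf(domain, zone)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        elif name == "include":
            inner = check_spf(arg, client_ip, zone, depth + 1)
            if inner == "pass":
                return QUALIFIERS[qualifier]
            if inner in ("none", "permerror"):
                return "permerror"
            # fail/softfail/neutral inside an include only means "no match here"
        else:
            return "permerror"           # a/mx/exists/redirect/macros not implemented
    return "neutral"                     # nothing matched and no "all" term


if __name__ == "__main__":
    print(build_spf_record(["192.0.2.0/24", "2001:db8::/32"], includes=["mail.example.net"]))
    for ip in ("192.0.2.10", "198.51.100.25", "203.0.113.5"):
        print(ip, check_spf("example.com", ip))
```

The practical point for the question above: the record protects the domain only once receivers check it, and a forged From: using the domain then evaluates to fail at every receiver that does, which is the "other MTAs" effect Giampaolo describes; a domain with no record returns none and gets no protection at all.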


clean copy of 20_vbounce.cf

2007-05-13 Thread RobertH
We cannot seem to get a clean updated copy of 20_vbounce.cf for some reason.

Dunce hat accepted.

Is there any way that the devs or someone can make this more easily
accessible as a text file without the wrapping and such...

thanks

--
Abba Communications
Spokane, WA
www.abbacomm.net




R: Inappropriate use of E-Mail addresses

2007-05-13 Thread Giampaolo Tomassoni
> -Original Message-
> From: Gregory P. Ennis [mailto:[EMAIL PROTECTED]
> 
> On Sun, 2007-05-13 at 15:16 +0200, Giampaolo Tomassoni wrote:
> > > -Original Message-
> > > From: Gregory P. Ennis [mailto:[EMAIL PROTECTED]
> > >
> > > Everyone,
> > >
> > > I have used spamassassin on our mail servers now for over 4 years and
> > > have nothing but high praise for what it has done for us.  However,
> > > recently we have been hit by bounced e-mail that is related to the
> > > inappropriate use of some of our e-mail addresses.
> > >
> > > It appears that some spam artists with ip addresses that apparently
> > > originate in Germany use bogus names identified with one of our e-mail
> > > addresses to send solicitations for pharmaceuticals to various e-mail
> > > addresses.  Some of these end up being undeliverable and then bounce
> > > back to us.
> > >
> > > Can anyone direct me to software or an agency that can help me fight the
> > > inappropriate use of our e-mail addresses in their spam.
> >
> > What about SPF or DKIM? They are fully supported by SA, too.
> >
> > Also, report the bounces as spam: MTAs should avoid producing bounce
> > messages when a destination mailbox doesn't exist. They should give a 550
> > error code, instead.
> >
> > Giampaolo
> >
> >
> Thanks for your suggestions.  I upgraded to 3.20 yesterday via cpan, but
> when I tried to run DKIM I received some configuration errors.  I have
> not debugged it yet but believe it was related to configuration
> differences between a cpan installation and what was normally on Fedora
> Core 4.  I am planning on upgrading the os to CentOS 5.0 which already
> has spamassassin 3.2 packaged.
> 
> I am not familiar with SPF?

To you, it is not that important to configure SPF in SA, but instead to
configure your DNS zone such that OTHER MTAs may detect the spam source as
not really being from you.

By implementing SPF, some MTAs and most SA installations will refuse/mark as
spam the spam faking your mail addresses, thereby spammers will be pushed to
not use any e-mail from your domain in their faked From:.

Have a look at http://www.openspf.org/Specifications in order to learn how
to set up your DNS zone for SPF.

Giampaolo

> 
> I'm looking at my own MTA (sendmail) to see if I can capture or route
> these bounces differently, the bounces are not coming from my MTA they
> are coming from the sites the spamers are sending e-mail to with our
> e-mail address.
> 
> Thanks for your help
> 
> Greg
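Giampaolo's point is that an SPF record is consumed by the *receiving* MTAs, not by your own SpamAssassin. As an added example (mine, not from the thread or from openspf.org), this is the core of what such a receiver does with a published record: it matches the connecting IP against the listed mechanisms, and the trailing `-all` is what turns a forged MAIL FROM into a fail. The record and addresses are constructed; mechanisms that need further DNS lookups are left out so it runs offline.

```python
import ipaddress

# Constructed SPF record for a hypothetical domain (not from the post): the
# two networks are the domain's own outbound relays; "-all" tells receivers
# to fail anything else that puts this domain in MAIL FROM.
EXAMPLE_SPF = "v=spf1 ip4:192.0.2.25 ip4:198.51.100.0/24 -all"

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(record, client_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF TXT record against the
    connecting IP, as a receiving MTA does for the sender's domain.
    Returns an SPF result: pass, fail, softfail, neutral or none.
    Mechanisms needing further DNS lookups (a, mx, include, redirect) are
    left out so the example runs offline."""
    if not record.lower().startswith("v=spf1"):
        return "none"                      # no usable SPF record published
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:
        qualifier = "+"                    # mechanisms default to "+"
        if term[0] in RESULTS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return RESULTS[qualifier]      # catch-all decides everything left
        if mech in ("ip4", "ip6") and arg:
            # An IPv4 address is never "in" an IPv6 network (and vice versa);
            # ipaddress returns False for the mixed case, so it is skipped.
            if ip in ipaddress.ip_network(arg, strict=False):
                return RESULTS[qualifier]
    return "neutral"                       # record exhausted with no match


if __name__ == "__main__":
    # A forged message from a random host vs. one from the domain's own relay.
    for ip in ("203.0.113.9", "192.0.2.25"):
        print(ip, "->", check_spf(EXAMPLE_SPF, ip))
```

With `~all` instead of `-all` the forgery only softfails, which most receivers merely score rather than reject; `-all` is the setting that gives the spammer the reason Giampaolo describes to stop using your domain.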



RE: Inappropriate use of E-Mail addresses

2007-05-13 Thread Gregory P. Ennis
On Sun, 2007-05-13 at 09:53 -0400, Michael Scheidell wrote:
> > -Original Message-
> > From: Gregory P. Ennis [mailto:[EMAIL PROTECTED] 
> > Sent: Sunday, May 13, 2007 9:50 AM
> > To: jdow
> > Cc: users@spamassassin.apache.org
> > Subject: Re: Inappropriate use of E-Mail addresses
> > 
> > 
> > OK... now we are getting somewhere  exactly what I want 
> > to do ... maybe we should create a neighborhood spam watch society :)
> > 
> > On Sun, 2007-05-13 at 06:12 -0700, jdow wrote:
> > > I can't. But I can offer sympathy. Welcome to the world of the "Joe 
> > > Job." It is the chief reason that I have pledged to NEVER EVER find in 
> > > favor of a spammer if I find myself on a jury with him as the 
> > > plaintiff or defendant.
> 
> Vbounce in SA 3.20 might help. But it takes some setting up.

Michael,

I have looked at Vbounce and have set up the entry in local.cf as

whitelist_bounce_relays   *.domain.com

Is there more to set up than this?

Thanks for your help!!!

Greg
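The `whitelist_bounce_relays` line above names the relays that a legitimate bounce's original message must have passed through. As an added illustration of the check that list feeds (my own simplification, not the VBounce plugin's code), this inspects the Received: headers a remote MTA quotes back in two constructed bounces and flags the one whose original never touched our relays; all hostnames and addresses are made up.

```python
import fnmatch
import re

# Our own outbound relays, in the wildcard form used in the post (constructed).
OUR_RELAYS = ["*.example.com"]

# Constructed bounces. A remote MTA's DSN quotes the headers of the message it
# could not deliver; the Received: trail of that original is what matters.
BACKSCATTER = """\
From: MAILER-DAEMON@mx.remote.example.net
Subject: Undelivered Mail Returned to Sender

Received: from dialup-77.example.net (unknown [203.0.113.77])
        by mx.remote.example.net with SMTP; Sun, 13 May 2007 10:01:02 +0000
From: sales@example.com
Subject: cheap pharmaceuticals
"""

GENUINE = """\
From: MAILER-DAEMON@mx.remote.example.net
Subject: Undelivered Mail Returned to Sender

Received: from mail.example.com (mail.example.com [192.0.2.25])
        by mx.remote.example.net with ESMTP; Sun, 13 May 2007 10:05:00 +0000
From: sales@example.com
Subject: your order
"""

# A Received: header and its folded continuation lines (leading whitespace).
RECEIVED_RE = re.compile(r"^Received:[ \t]*(.*(?:\n[ \t]+.*)*)", re.M)
# Host names introduced by "from" or "by" inside a Received: header.
HOST_RE = re.compile(r"\b(?:from|by)[ \t]+([A-Za-z0-9.-]+)", re.I)


def relays_in_bounce(bounce_text):
    """Every relay host mentioned in the bounce's Received: headers."""
    hosts = set()
    for m in RECEIVED_RE.finditer(bounce_text):
        hosts.update(h.lower() for h in HOST_RE.findall(m.group(1)))
    return hosts


def is_backscatter(bounce_text, our_relays=OUR_RELAYS):
    """True when the bounced original never passed through one of our relays,
    i.e. the forged-From: case that VBounce-style rules tag rather than deliver."""
    return not any(fnmatch.fnmatch(host, pattern.lower())
                   for host in relays_in_bounce(bounce_text)
                   for pattern in our_relays)
```

In this illustration `*.example.com` does not match a relay named plainly `example.com`; whatever matcher is in use, the names listed have to be the ones that actually appear in your own relays' Received: lines.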


Re: Inappropriate use of E-Mail addresses

2007-05-13 Thread SM

At 05:52 13-05-2007, Gregory P. Ennis wrote:

I have used spamassassin on our mail servers now for over 4 years and
have nothing but high praise for what it has done for us.  However,
recently we have been hit by bounced e-mail that is related to the
inappropriate use of some of our e-mail addresses.


http://wiki.apache.org/spamassassin/VBounceRuleset


Can anyone direct me to software or an agency that can help me fight the
inappropriate use of our e-mail addresses in their spam.


There is no such agency to do that.  You can publish SPF records.

Regards,
-sm 



RE: Inappropriate use of E-Mail addresses

2007-05-13 Thread Michael Scheidell

> -Original Message-
> From: Gregory P. Ennis [mailto:[EMAIL PROTECTED] 
> Sent: Sunday, May 13, 2007 9:50 AM
> To: jdow
> Cc: users@spamassassin.apache.org
> Subject: Re: Inappropriate use of E-Mail addresses
> 
> 
> OK... now we are getting somewhere  exactly what I want 
> to do ... maybe we should create a neighborhood spam watch society :)
> 
> On Sun, 2007-05-13 at 06:12 -0700, jdow wrote:
> > I can't. But I can offer sympathy. Welcome to the world of the "Joe 
> > Job." It is the chief reason that I have pledged to NEVER EVER find in 
> > favor of a spammer if I find myself on a jury with him as the 
> > plaintiff or defendant.

Vbounce in SA 3.20 might help. But it takes some setting up.
-- 
Michael Scheidell, CTO
Join SECNAP at SecureWorld Philadelphia May 16-17
http://www.secnap.com/events for free and discounted seminar tickets 
_
This email has been scanned and certified safe by SpammerTrap(tm).
For Information please see http://www.spammertrap.com
_


Re: Inappropriate use of E-Mail addresses

2007-05-13 Thread Gregory P. Ennis
OK... now we are getting somewhere  exactly what I want to do ...
maybe we should create a neighborhood spam watch society :)

On Sun, 2007-05-13 at 06:12 -0700, jdow wrote:
> I can't. But I can offer sympathy. Welcome to the world of the "Joe Job."
> It is the chief reason that I have pledged to NEVER EVER find in favor of
> a spammer if I find myself on a jury with him as the plaintiff or defendant.
> 
> Besides, I'd probably jump over the jury box railing and gouge his eyes out
> before the trial was over.
> 
> {^_^}Joanne
> - Original Message - 
> From: "Gregory P. Ennis" <[EMAIL PROTECTED]>
> 
> 
> > Everyone,
> >
> > I have used spamassassin on our mail servers now for over 4 years and
> > have nothing but high praise for what it has done for us.  However,
> > recently we have been hit by bounced e-mail that is related to the
> > inappropriate use of some of our e-mail addresses.
> >
> > It appears that some spam artists with ip addresses that apparently
> > originate in Germany use bogus names identified with one of our e-mail
> > addresses to send solicitations for pharmaceuticals to various e-mail
> > addresses.  Some of these end up being undeliverable and then bounce
> > back to us.
> >
> > Can anyone direct me to software or an agency that can help me fight the
> > inappropriate use of our e-mail addresses in their spam.
> >
> > Greg Ennis 


R: Inappropriate use of E-Mail addresses

2007-05-13 Thread Giampaolo Tomassoni
> -Original Message-
> From: Gregory P. Ennis [mailto:[EMAIL PROTECTED]
> 
> Everyone,
> 
> I have used spamassassin on our mail servers now for over 4 years and
> have nothing but high praise for what it has done for us.  However,
> recently we have been hit by bounced e-mail that is related to the
> inappropriate use of some of our e-mail addresses.
> 
> It appears that some spam artists with ip addresses that apparently
> originate in Germany use bogus names identified with one of our e-mail
> addresses to send solicitations for pharmaceuticals to various e-mail
> addresses.  Some of these end up being undeliverable and then bounce
> back to us.
> 
> Can anyone direct me to software or an agency that can help me fight the
> inappropriate use of our e-mail addresses in their spam.

What about SPF or DKIM? They are fully supported by SA, too.

Also, report the bounces as spam: MTAs should avoid producing bounce
messages when a destination mailbox doesn't exist. They should give a 550
error code, instead.

Giampaolo


> 
> Greg Ennis



Re: Inappropriate use of E-Mail addresses

2007-05-13 Thread jdow

I can't. But I can offer sympathy. Welcome to the world of the "Joe Job."
It is the chief reason that I have pledged to NEVER EVER find in favor of
a spammer if I find myself on a jury with him as the plaintiff or defendant.

Besides, I'd probably jump over the jury box railing and gouge his eyes out
before the trial was over.

{^_^}Joanne
- Original Message - 
From: "Gregory P. Ennis" <[EMAIL PROTECTED]>




Everyone,

I have used spamassassin on our mail servers now for over 4 years and
have nothing but high praise for what it has done for us.  However,
recently we have been hit by bounced e-mail that is related to the
inappropriate use of some of our e-mail addresses.

It appears that some spam artists with ip addresses that apparently
originate in Germany use bogus names identified with one of our e-mail
addresses to send solicitations for pharmaceuticals to various e-mail
addresses.  Some of these end up being undeliverable and then bounce
back to us.

Can anyone direct me to software or an agency that can help me fight the
inappropriate use of our e-mail addresses in their spam.

Greg Ennis 




Inappropriate use of E-Mail addresses

2007-05-13 Thread Gregory P. Ennis
Everyone,

I have used spamassassin on our mail servers now for over 4 years and
have nothing but high praise for what it has done for us.  However,
recently we have been hit by bounced e-mail that is related to the
inappropriate use of some of our e-mail addresses.  

It appears that some spam artists with ip addresses that apparently
originate in Germany use bogus names identified with one of our e-mail
addresses to send solicitations for pharmaceuticals to various e-mail
addresses.  Some of these end up being undeliverable and then bounce
back to us.

Can anyone direct me to software or an agency that can help me fight the
inappropriate use of our e-mail addresses in their spam.

Greg Ennis