Re: SpamAssassin 3.2 compatibility

2007-05-31 Thread Graham Murray
Nix [EMAIL PROTECTED] writes:

 (And, let's be blunt, the pure this-word-is-spammy recognition part of
 FuzzyOCR is much less smart than the Bayesian system already present
 in SA: FuzzyOCR should really use the Bayesian system to determine the
 spamminess of words, I suppose...)

Or even just act as a MIME part 'decoding' system (like Base64) and feed
all words it finds in images into Bayes, along with all other text in
the mail, rather than generating a score itself.


Re: emails with embedded uuencoded files scoring high

2007-05-31 Thread Per Jessen
Per Jessen wrote:

 I've recently seen a few emails with uuencoded documents/files
 embedded directly in the body-text, i.e. not as an attachment.
 
 These hit e.g. rules such as:
 
 1.8 DISGUISE_PORN_MUNDANE BODY
 1.7 OBSCURED_EMAIL BODY
 1.1 HTTP_EXCESSIVE_ESCAPES
 0.8 USERPASS
 0.6 UPPERCASE_50_75
 
 giving a total of 6 points.  Has anyone already dealt with this?

What I meant to ask is - has anyone written rules for detecting
uuencoded files in the body text (not as attachment) ?


/Per Jessen, Zürich



Re: Custom rule against imageshack-spam

2007-05-31 Thread Daryl C. W. O'Shea

Starckjohann, Ove wrote:


Then i changed my rule to

full    OVE_BODY_IMAGESHACK /\bhttp:\/\/.*\.imageshack\.us/i
score   OVE_BODY_IMAGESHACK 1

and it worked again nice.


I'd use a uri rule instead of a full rule.


Did i get it right that a body rule ONLY looks into the textpart of a 
html-mail-body and NOT into the html-part ?


body rules are run against what would be the rendered text.


Daryl


Re: How To Kill Spam Dead?

2007-05-31 Thread jdow

From: John D. Hardin [EMAIL PROTECTED]



On Wed, 30 May 2007, John D. Hardin wrote:


Take a look at the spamassassin procmail ruleset at
http://www.impsec/org/~jhardin/antispam/ for a starting point.


Bah. That URL should, of course, be:

 http://www.impsec.org/~jhardin/antispam/


Your request for http://www.impsec.org/~jhardin/antispam/ could not be 
fulfilled, because the connection to www.impsec.org (207.210.83.140) could 
not be established.




host www.impsec.org
www.impsec.org has address 207.210.83.140


Your request for http://207.210.83.140/~jhardin/antispam could not be 
fulfilled, because the connection to 207.210.83.140 (207.210.83.140) could 
not be established.




For the filtering Eric needs to filter in the return value from spamc
or on a recognizable feature of his spam markup. Some markups have a
string of asterisks one per unit score. So searching for at least five
asterisks in a row on the same row as the appropriate header name does
it. Not knowing his setup I can't get more specific. I simply toss all
the spam in a spam folder, sort by score, and examine the lower scores
before tossing them all into a training folder because I manually train.

{o.o}



Spam from own domain

2007-05-31 Thread Martin Hochreiter

Hi!

Can I check somehow with spamassassin if a (from) mail address exists on 
my mailserver.
I got many mails whitelisted that have a from address from my domain 
(although they are not from my domain, and the users don't exist on my 
mailserver)


lg


Re: How To Kill Spam Dead?

2007-05-31 Thread jdow

From: John D. Hardin [EMAIL PROTECTED]


On Wed, 30 May 2007, John D. Hardin wrote:

Take a look at the spamassassin procmail ruleset at 
http://www.impsec/org/~jhardin/antispam/ for a starting point.


Bah. That URL should, of course, be:

 http://www.impsec.org/~jhardin/antispam/


THAT said, this following link might be a barely scratching the surface
good start. Robert Alan Soloway has been arrested for a host of spam
related offenses. Now, if they apply a gruesome enough punishment maybe
others will become a little less likely to spam.

Of course, we also need to go after his, and other spammer's, food chains
and nail some of those hides to the wall as well.

http://www.foxnews.com/story/0,2933,276573,00.html

{^_-}


OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
I've got a couple of FPs that all got 1.6points from OBSCURED_EMAIL - 

body OBSCURED_EMAIL /\w+\^\S+\(\w{2,4}\b/
describe OBSCURED_EMAIL  Message seems to contain rot13ed address

I've been looking at what a rot13'ed email-address looks like, and it
doesn't come close to matching the pattern above. 

This would patch the pattern above: ghtyetrt^rt456yu78ui(tyy , but
after rot13, it still doesn't look like an email address: 

tuglrgeg^eg456lh78hv(gll

My email-address | rot13 =  [EMAIL PROTECTED]




/Per Jessen, Zürich



Re: speaking of the new FH_HOST_EQ_D_D_D_D tests...

2007-05-31 Thread Per Jessen
Jason Haar wrote:

 Since upgrading from SA-3.1* to 3.2.0, we have discovered that it
 appears most small New Zealand businesses run mail servers on DSL
 links with PTR records of the format NN-NN-NN-NN.isp.carrier.nz.
 Hence they end up with 2.2 points
 (FH_HOST_EQ_D_D_D_D,FH_HOST_EQ_D_D_D_DB,RDNS_DYNAMIC) added without
 any real effort. That plus their sputty HTML mails pushes them into
 the 5-7 range.
 
 I know SA isn't really doing anything wrong, but are people in other
 countries seeing this too? If so, it may imply the default scores are
 too high?

I'm not using those particular rules, but the mail-server setup you
describe is fairly typical - and still wrong.  They need to ask the
provider for a proper reverse DNS entry, or use the providers
SMTP-server as a relay.


/Per Jessen, Zürich



Re: OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
Per Jessen wrote:

 I've got a couple of FPs that all got 1.6points from OBSCURED_EMAIL -
 
 body OBSCURED_EMAIL /\w+\^\S+\(\w{2,4}\b/
 describe OBSCURED_EMAIL  Message seems to contain rot13ed address
 

I was having a closer look, and I couldn't even find a '^' character
anywhere - till I realised that the email contained 4 JPEGs as
attachment, but with 

Content-Type: ; name=PICT0089.JPG

I.e. no MIME-type provided.  I'm guessing that spamassassin decided to
scan those attachments as if they were body text, and then found
something or other weird in the JPEG.  

Has anyone else come across this?


/Per Jessen, Zürich



Re: speaking of the new FH_HOST_EQ_D_D_D_D tests...

2007-05-31 Thread Justin Mason

Jason Haar writes:
 We are getting heaps of false positives off these rules - ironically
 mainly from our IT services dealers/sellers/etc.
 
 Since upgrading from SA-3.1* to 3.2.0, we have discovered that it
 appears most small New Zealand businesses run mail servers on DSL links
 with PTR records of the format NN-NN-NN-NN.isp.carrier.nz. Hence they
 end up with 2.2 points
 (FH_HOST_EQ_D_D_D_D,FH_HOST_EQ_D_D_D_DB,RDNS_DYNAMIC) added without any
 real effort. That plus their sputty HTML mails pushes them into the 5-7
 range.
 
 I know SA isn't really doing anything wrong, but are people in other
 countries seeing this too? If so, it may imply the default scores are
 too high?

Well, FH_HOST_EQ_D_D_D_D is the main issue I'd say, since it has the
higher FPs and a much more significant score:

  score FH_HOST_EQ_D_D_D_D 2.599 1.992 1.692 1.212 # n=2
  score FH_HOST_EQ_D_D_D_DB 0.102 0.095 0.055 0.223 # n=2

  STATISTICS-set3.txt:  7.010  10.9120   0.1316    0.988   0.64    0.22  FH_HOST_EQ_D_D_D_DB
  STATISTICS-set3.txt: 20.447  31.7873   0.4565    0.986   0.58    1.21  FH_HOST_EQ_D_D_D_D

Since they overlap heavily with RDNS_DYNAMIC, perhaps we should consider
reducing/zeroing one or both scores for 3.2.1.  could you open a bug?

--j.

 Obviously I'm going to have to lower those scores to compensate - I bet
 more spam will come through too :-(  
 
 -- 
 Cheers
 
 Jason Haar
 Information Security Manager, Trimble Navigation Ltd.
 Phone: +64 3 9635 377 Fax: +64 3 9635 417
 PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: How To Kill Spam Dead?

2007-05-31 Thread Dennis Kavadas

guys, even though we use SA for tagging... the real short to long term
solution is TMDA
just my 2c worth



On 5/31/07, jdow [EMAIL PROTECTED] wrote:


From: John D. Hardin [EMAIL PROTECTED]

 On Wed, 30 May 2007, John D. Hardin wrote:

 Take a look at the spamassassin procmail ruleset at
 http://www.impsec/org/~jhardin/antispam/ for a starting point.

 Bah. That URL should, of course, be:

  http://www.impsec.org/~jhardin/antispam/

THAT said, this following link might be a barely scratching the surface
good start. Robert Alan Soloway has been arrested for a host of spam
related offenses. Now, if they apply a gruesome enough punishment maybe
others will become a little less likely to spam.

Of course, we also need to go after his, and other spammer's, food chains
and nail some of those hides to the wall as well.

http://www.foxnews.com/story/0,2933,276573,00.html

{^_-}



Re: How To Kill Spam Dead?

2007-05-31 Thread Per Jessen
Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

I remember one of my friends saying just that - about 5 years ago.  It
might be fine for personal email, but it's not very useful in a
business context.  Too much end-user education required.


/Per Jessen, Zürich



Re: OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
Matthias Haegele wrote:

 Not seen it here ...
 Perhaps you could paste the mail somewhere and send the link to the list?

Not a bad idea, except it's a customer email, so that's pretty much out
of the question ...

The problem seems to be that it contains 4 attached JPEGs which have
been attached without the proper MIME-type:

Content-Type: ; name=PICT0089.JPG

It looks like spamassassin decides to scan the binary content of the
jpegs as body text which is perhaps why it comes up with these obscure
hits.


/Per Jessen, Zürich





Re: OBSCURED_EMAIL ?

2007-05-31 Thread Matthias Haegele

Per Jessen wrote:

Matthias Haegele wrote:


Not seen it here ...
Perhaps you could paste the mail somewhere and send the link to the list?


Not a bad idea, except it's a customer email, so that's pretty much out
of the question ...


So why not overwrite the confidential part and then paste it?


The problem seems to be that it contains 4 attached JPEGs which have
been attached without the proper MIME-type:

Content-Type: ; name=PICT0089.JPG

It looks like spamassassin decides to scan the binary content of the
jpegs as body text which is perhaps why it comes up with these obscure
hits.


/Per Jessen, Zürich



--
Greetings
MH


Dont send mail to: [EMAIL PROTECTED]
--



Re: OBSCURED_EMAIL ?

2007-05-31 Thread Justin Mason

Per Jessen writes:
 Matthias Haegele wrote:
 
  Not seen it here ...
  Perhaps you could paste the mail somewhere and send the link to the list?
 
 Not a bad idea, except it's a customer email, so that's pretty much out
 of the question ...
 
 The problem seems to be that it contains 4 attached JPEGs which have
 been attached without the proper MIME-type:
 
 Content-Type: ; name=PICT0089.JPG
 
 It looks like spamassassin decides to scan the binary content of the
 jpegs as body text which is perhaps why it comes up with these obscure
 hits.

is that (a) valid MIME and/or (b) supported by any common MUA?
if you could generate a new mail that displays the same issue,
and can be shared, that would be helpful.

--j.


Re: How To Kill Spam Dead?

2007-05-31 Thread John Rudd

Per Jessen wrote:

Dennis Kavadas wrote:


guys, even though we use SA for tagging... the real short to long term
solution is TMDA


I remember one of my friends saying just that - about 5 years ago.  It
might be fine for personal email, but it's not very useful in a
business context.  Too much end-user education required.


That, and TDMA is a blight upon the internet.  It is at best misguided, 
and at worst irresponsible, to use challenge-response email systems.




Re: OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
Matthias Haegele wrote:

 Per Jessen wrote:
 Matthias Haegele wrote:
 
 Not seen it here ...
 Perhaps you could paste the mail somewhere and send the link to the
 list?
 
 Not a bad idea, except it's a customer email, so that's pretty much
 out of the question ...
 
 So why not overwrite the confidential part and then paste it?

Yep, that should work - I'll have to obscure the attachments too though:

http://jessen.ch/files/problem-with-missing-content-type2


/Per Jessen, Zürich



Re: OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
Justin Mason wrote:

 The problem seems to be that it contains 4 attached JPEGs which have
 been attached without the proper MIME-type:
 
 Content-Type: ; name=PICT0089.JPG
 
 It looks like spamassassin decides to scan the binary content of the
 jpegs as body text which is perhaps why it comes up with these
 obscure hits.
 
 is that (a) valid MIME and/or (b) supported by any common MUA?

a) most probably not. 
b) Thunderbird recognises the attachments, but tries to display them as
text. Which is probably a reasonable behaviour, although it's
hardly supported.

 if you could generate a new mail that displays the same issue,
 and can be shared, that would be helpful.

See previous post. 


/Per Jessen, Zürich
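
The situation described in this thread, as an added example that is not part of the original posts: a MIME part whose `Content-Type` has parameters but no `type/subtype` falls back to `text/plain` in a parser, so its binary payload ends up treated as body text. The sample message, the addresses and the helper names are constructed for illustration; only the header form `Content-Type: ; name=PICT0089.JPG` comes from the thread.

```python
import base64
import re
from email import message_from_string

# Constructed sample: the second part uses the header form quoted in the
# thread. The payload is a JPEG/JFIF signature followed by filler bytes.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(40, 90))
SAMPLE = "\n".join([
    "From: sender@example.com",
    "To: rcpt@example.com",
    "Subject: pictures",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "See attached.",
    "--b1",
    "Content-Type: ; name=PICT0089.JPG",
    "Content-Transfer-Encoding: base64",
    "",
    base64.b64encode(FAKE_JPEG).decode("ascii"),
    "--b1--",
    "",
])

# A syntactically valid media type is "type/subtype".
MEDIA_TYPE = re.compile(r"^[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+$")

# A few well-known file signatures (magic bytes).
MAGIC = [
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"GIF8", "image/gif"),
    (b"%PDF-", "application/pdf"),
]


def sniff(data):
    """Guess a media type from leading bytes, or None if unknown."""
    for signature, media_type in MAGIC:
        if data.startswith(signature):
            return media_type
    return None


def untyped_parts(raw_message):
    """Report leaf parts whose Content-Type header lacks a valid type/subtype."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        header = part.get("Content-Type")
        if header is None:
            continue  # header absent: text/plain is the legitimate default
        declared = str(header).split(";", 1)[0].strip()
        if MEDIA_TYPE.match(declared):
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "raw_header": str(header),
            "filename": part.get_filename(),
            # What the parser falls back to for the malformed header.
            "effective_type": part.get_content_type(),
            # What the decoded bytes actually look like.
            "sniffed_type": sniff(payload),
        })
    return findings


if __name__ == "__main__":
    for finding in untyped_parts(SAMPLE):
        print(finding)
```

A part reported with `effective_type` of `text/plain` and a binary `sniffed_type` is the combination that can make body rules fire on attachment bytes.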



Re: How To Kill Spam Dead?

2007-05-31 Thread Matt Kettler
John Rudd wrote:
 Per Jessen wrote:
 Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

 I remember one of my friends saying just that - about 5 years ago.  It
 might be fine for personal email, but it's not very useful in a
 business context.  Too much end-user education required.

 That, and TDMA is a blight upon the internet.  It is at best
 misguided, and at worst irresponsible, to use challenge-response email
 systems.


Agreed. Challenge response systems attempt to solve the problem of spam
by forwarding it to someone else and hoping they'll use good judgment
for you and only approve mail they actually sent. You're turning your
spam problems into theirs.

The problem boils down to forged spam emails. If you're using TMDA and a
forged spam comes in, your TMDA system in-turn spams that victim of
forgery. After spamming them, you're hoping that they'll be nice and
delete the message for you, because you're too lazy to do it yourself.

My question is, why should I not activate the spam, after your TMDA
system has chosen to intrude on MY mailbox in an attempt to solve YOUR
spam problems?

Do I have any prior agreement with you to perform this task properly?
Are you paying me for my time? Oh, that's right, you're not paying me,
nor have you previously asked me if it's ok to do this to my mailbox, so
I'm free to do as I please..

Well then, who am I to stop you from getting advertisements you might
actually want?

 *click*

Seriously, I take this approach to every TMDA challenge I get. I
encourage everyone to do the same. It is not your responsibility to
filter people's spam for them, so take the time and return the problem
back to its original owner.






Re: OBSCURED_EMAIL ?

2007-05-31 Thread Matthew Newton
On Thu, May 31, 2007 at 09:46:56AM +0200, Per Jessen wrote:
 I've got a couple of FPs that all got 1.6points from OBSCURED_EMAIL - 

Just out of interest, I lowered the score on this one because it
hits TeX formulas, such as

  ab^c(def)

The last thing I want to do is annoy the few people who use real
typesetting software. ;-)

Matthew


-- 
Matthew Newton [EMAIL PROTECTED]

Network Support and UNIX Systems Administrator, Network Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, [EMAIL PROTECTED]


Re: OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
Matthias Haegele wrote:

 Yep, that should work - I'll have to obscure the attachments too though:

 http://jessen.ch/files/problem-with-missing-content-type2
 
 
 scnr:
 It figures that something like this (garbage) could only come out of
 some meeting ;-).

Matthias,

FYI, I can't reply to you directly - your mail-server is rejecting all
emails from computer.org.  (due to rfc-ignorant).



/Per Jessen, Zürich



error msg from sa-update every morning

2007-05-31 Thread Gene Heskett
Greetings all;

The error message is:
/etc/cron.daily/sa-update:

[28045] warn: netset: cannot include 127/8 as it has already been included

And I've been getting it since about the time of the update to 3.20, handled 
by the smart package manager on an FC6 system.

I can't find any references to '127' in any of my spamassassin related 
directories.  What should I do?

-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
If you tell the truth you don't have to remember anything.
-- Mark Twain


RE: error msg from sa-update every morning

2007-05-31 Thread Jason Bertoch
On Thursday, May 31, 2007 9:42 AM Gene Heskett wrote:

 Greetings all;
 
 The error message is:
 /etc/cron.daily/sa-update:
 
 [28045] warn: netset: cannot include 127/8 as it has already been
 included 
 

It sounds like a reference to the trusted_networks setting.  Some changes were
made to automatically include the localhost network, so you no longer need to
specify it yourself.


Jason A. Bertoch
Network Administrator
[EMAIL PROTECTED]
ElectroNet Intermedia Consulting
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771



Re: How To Kill Spam Dead?

2007-05-31 Thread jdow

From: Per Jessen [EMAIL PROTECTED]
Dennis Kavadas wrote:


guys, even though we use SA for tagging... the real short to long term
solution is TMDA


I remember one of my friends saying just that - about 5 years ago.  It
might be fine for personal email, but it's not very useful in a
business context.  Too much end-user education required.




TMDA involves challenge/response. I ***NEVER*** reply to spam.
A challenge, from a challenge response system is spam. Hence I
***NEVER*** reply to challenges. I have rerouted messages to idiots
who use it to tell them that their email host is broken and is very
unlikely to allow mail from me through. I suggest they get a real mail
service.

{^_^}


Re: How To Kill Spam Dead?

2007-05-31 Thread jdow

From: John Rudd [EMAIL PROTECTED]


Per Jessen wrote:

Dennis Kavadas wrote:


guys, even though we use SA for tagging... the real short to long term
solution is TMDA


I remember one of my friends saying just that - about 5 years ago.  It
might be fine for personal email, but it's not very useful in a
business context.  Too much end-user education required.


That, and TDMA is a blight upon the internet.  It is at best misguided, 
and at worst irresponsible, to use challenge-response email systems.


Amend that, at worst monumentally stupid and probably should be
criminal to use challenge/response brown steaming stinky material
such as emanates from the South end of a North facing fertile male
bovine creature.

{^_^}   I hope I'm clear that I don't like it.


Re: error msg from sa-update every morning

2007-05-31 Thread Jerry Durand

On May 31, 2007, at 6:42 AM, Gene Heskett wrote:

The error message is:
/etc/cron.daily/sa-update:


I've just started receiving:

*** update SpamAssassin rules
[18361] info: rules: meta test HS_PHARMA_1 has dependency  
'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score





Re: How To Kill Spam Dead?

2007-05-31 Thread jdow

From: Matt Kettler [EMAIL PROTECTED]


John Rudd wrote:

Per Jessen wrote:

Dennis Kavadas wrote:


guys, even though we use SA for tagging... the real short to long term
solution is TMDA


I remember one of my friends saying just that - about 5 years ago.  It
might be fine for personal email, but it's not very useful in a
business context.  Too much end-user education required.


That, and TDMA is a blight upon the internet.  It is at best
misguided, and at worst irresponsible, to use challenge-response email
systems.



Agreed. Challenge response systems attempt to solve the problem of spam
by forwarding it to someone else and hoping they'll use good judgment
for you and only approve mail they actually sent. You're turning your
spam problems into theirs.

The problem boils down to forged spam emails. If you're using TMDA and a
forged spam comes in, your TMDA system in-turn spams that victim of
forgery. After spamming them, you're hoping that they'll be nice and
delete the message for you, because you're too lazy to do it yourself.

My question is, why should I not activate the spam, after your TMDA
system has chosen to intrude on MY mailbox in an attempt to solve YOUR
spam problems?

Do I have any prior agreement with you to perform this task properly?
Are you paying me for my time? Oh, that's right, you're not paying me,
nor have you previously asked me if it's ok to do this to my mailbox, so
I'm free to do as I please..

Well then, who am I to stop you from getting advertisements you might
actually want?

*click*

Seriously, I take this approach to every TMDA challenge I get. I
encourage everyone to do the same. It is not your responsibility to
filter people's spam for them, so take the time and return the problem
back to its original owner.


After the third challenge my .procmailrc recipe grows a little as it
intercepts their email early before SpamAssassin and thoughtfully
redirects it to /dev/null. There is a Brazilian ISP on that list at the
moment, for example.

{^_^}


Re: OBSCURED_EMAIL ?

2007-05-31 Thread Theo Van Dinter
On Thu, May 31, 2007 at 09:46:56AM +0200, Per Jessen wrote:
 I've been looking at what a rot13'ed email-address looks like, and it
 doesn't come close to matching the pattern above. 

rot13 is a common/well-defined version of a single substitution cipher.  This
rule tries to match those, not the rot13 a-m - n-z mapping specifically.

 This would patch the pattern above: ghtyetrt^rt456yu78ui(tyy 

Right, and that looks like [EMAIL PROTECTED] after going through
a substitution.  Check out the list archives, this came up a while ago.

-- 
Randomly Selected Tagline:
sub eval_C ($proggie) { CGrammar.top($proggie).compile.link.run.dump.gdb }
 -- Larry Wall in [EMAIL PROTECTED]




Re: error msg from sa-update every morning

2007-05-31 Thread Daryl C. W. O'Shea

Jason Bertoch wrote:

On Thursday, May 31, 2007 9:42 AM Gene Heskett wrote:


Greetings all;

The error message is:
/etc/cron.daily/sa-update:

[28045] warn: netset: cannot include 127/8 as it has already been
included 



It sounds like a reference to the trusted_networks setting.  Some changes were
made to automatically include the localhost network, so you no longer need to
specify it yourself.


Yes... as noted in the first item in the UPGRADE document and included 
in the release announcement.


Daryl


Re: error msg from sa-update every morning

2007-05-31 Thread Daryl C. W. O'Shea

Jerry Durand wrote:

On May 31, 2007, at 6:42 AM, Gene Heskett wrote:

The error message is:
/etc/cron.daily/sa-update:


I've just started receiving:

*** update SpamAssassin rules
[18361] info: rules: meta test HS_PHARMA_1 has dependency 
'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score


That's just info for rule debugging, though.  It won't prevent a 
sa-update from updating your rules.


Daryl


Re: error msg from sa-update every morning

2007-05-31 Thread Justin Mason

Daryl C. W. O'Shea writes:
 Jason Bertoch wrote:
  On Thursday, May 31, 2007 9:42 AM Gene Heskett wrote:
  
  Greetings all;
 
  The error message is:
  /etc/cron.daily/sa-update:
 
  [28045] warn: netset: cannot include 127/8 as it has already been
  included 
 
  
  It sounds like a reference to the trusted_networks setting.  Some changes 
  were
  made to automatically include the localhost network, so you no longer need 
  to
  specify it yourself.
 
 Yes... as noted in the first item in the UPGRADE document and included 
 in the release announcement.

once again folks-- when you upgrade, be sure to read the UPGRADE
doc.

--j.


Re: OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
Theo Van Dinter wrote:

 On Thu, May 31, 2007 at 09:46:56AM +0200, Per Jessen wrote:
 I've been looking at what a rot13'ed email-address looks like, and it
 doesn't come close to matching the pattern above.
 
 rot13 is a common/well-defined version of a single substitution
 cipher.  This rule tries to match those, not the rot13 a-m - n-z
 mapping specifically.

Then why is the pattern very specific wrt '^' and '(' ?

 This would patch the pattern above: ghtyetrt^rt456yu78ui(tyy 
 
 Right, and that looks like [EMAIL PROTECTED] after going through
 a substitution. 

Not really. A rot13 of an email-address should not substitute '@'
and '.'. 

 Check out the list archives, this came up a while ago.

OK, will do.


/Per Jessen, Zürich



Re: OBSCURED_EMAIL ?

2007-05-31 Thread Theo Van Dinter
On Thu, May 31, 2007 at 06:06:54PM +0200, Per Jessen wrote:
 Then why is the pattern very specific wrt '^' and '(' ?

Tries to match common substitutions for @ and . ?

 Not really. A rot13 of an email-address should not substitute '@'
 and '.'. 

Again, don't think of rot13 specifically.  Single substitution cipher.

-- 
Randomly Selected Tagline:
The only way you'll get me to talk is through slow painful torture, and I
 don't think you've got the grapes. - Stewie on Family Guy




Re: Spam from own domain

2007-05-31 Thread John D. Hardin
On Thu, 31 May 2007, Martin Hochreiter wrote:

 I got many mails whitelisted that have a from address from my
 domain (although they are not from my domain, and the users don't
 exist on my mailserver)

...then you probably are not using whitelisting properly.

Do you perhaps have something like whitelist_from [EMAIL PROTECTED] in 
your config? That is *not* a good idea. See the list archives for lots 
of discussion of this, and how to properly use whitelisting.

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #9: Accuracy is relative: most combat
  shooting standards will be more dependent on pucker factor than
  the inherent accuracy of the gun.
---
 523 days until the Presidential Election



Re: How To Kill Spam Dead?

2007-05-31 Thread John D. Hardin
On Thu, 31 May 2007, jdow wrote:

 this following link might be a barely scratching the surface good
 start. Robert Alan Soloway has been arrested for a host of spam
 related offenses. Now, if they apply a gruesome enough punishment
 maybe others will become a little less likely to spam.

+1

Gibs! I want gibs!

 Of course, we also need to go after his, and other spammer's, food
 chains and nail some of those hides to the wall as well.
 
 http://www.foxnews.com/story/0,2933,276573,00.html

--
 John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  USMC Rules of Gunfighting #9: Accuracy is relative: most combat
  shooting standards will be more dependent on pucker factor than
  the inherent accuracy of the gun.
---
 523 days until the Presidential Election



SA 3.2 , AWL and auto_whitelist_factor

2007-05-31 Thread .rp
in the /etc/mail/spamassassin/local.cf there is an entry
   auto_whitelist_factor 0.7

Yet in the scoring , the listing is:
*   header * -0.1 AWL AWL: From:address is in the auto white-list

where did the -0.1 come from? how can i change it to -1.0 ?

thanks.



R: How To Kill Spam Dead?

2007-05-31 Thread Giampaolo Tomassoni
 -Original message-
 From: jdow [mailto:[EMAIL PROTECTED]
 
 From: John D. Hardin [EMAIL PROTECTED]
 
  On Wed, 30 May 2007, John D. Hardin wrote:
 
  Take a look at the spamassassin procmail ruleset at
  http://www.impsec/org/~jhardin/antispam/ for a starting point.
 
  Bah. That URL should, of course, be:
 
   http://www.impsec.org/~jhardin/antispam/
 
 THAT said, this following link might be a barely scratching the surface
 good start. Robert Alan Soloway has been arrested for a host of spam
 related offenses. Now, if they apply a gruesome enough punishment maybe
 others will become a little less likely to spam.
 
 Of course, we also need to go after his, and other spammer's, food
 chains
 and nail some of those hides to the wall as well.
 
 http://www.foxnews.com/story/0,2933,276573,00.html

What are we all going to do, then? We, spam ECM guys, are going to lose our
seats this way.

Hopefully, some emerging country will take the business for some years more.
:)

Giampaolo


 
 {^_-}


Re: Spam from own domain

2007-05-31 Thread Jonas Eckerman
Martin Hochreiter wrote:

 I got many mails whitelisted that have a from address from my domain
 (although they are not from my domain, and the users don't exist on my
 mailserver)

1: If the users don't exist the mails should be rejected at the
server level. They should never reach SpamAssassin at all.

2: Why have you whitelisted the addresses?

Regards
/Jonas
-- 
Jonas Eckerman, FSDB  Fruktträdet
http://whatever.frukt.org/
http://www.fsdb.org/
http://www.frukt.org/



Re: SA 3.2 , AWL and auto_whitelist_factor

2007-05-31 Thread Craig Carriere




Perhaps I am misinterpreting what you are asking, but AWL is not a
whitelist that you can assign a set score to; it is a weighting
function. By assigning a factor of 0.7 to AWL you asked it to bias its
setting to basically 70% of the difference between the old score for
that message and the new score for mail of this type.

At its default setting of 0.5 if you receive a mail message that is
scored at 2 and another comes in at 4, AWL will assign a score of -1 to
the message to bring it to a total of 3. This will vary with each
message and I see no way or value in having this function defined at a
set number.

I wish they would change the name of this thing to something more
descriptive.

.rp wrote:

 in the /etc/mail/spamassassin/local.cf there is an entry
 auto_whitelist_factor 0.7

 Yet in the scoring , the listing is:
 * header * -0.1 AWL AWL: From: address is in the auto white-list

 where did the -0.1 come from? how can i change it to -1.0 ?

 thanks.






Re: OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
Theo Van Dinter wrote:

 Not really. A rot13 of an email-address should not substitute '@'
 and '.'.
 
 Again, don't think of rot13 specifically.  Single substitution cipher.

Possibly, but in that case the rule doesn't even remotely work according
to its description.  It will never match a correct rot13 substitution
of an email address, coz' you'd NEVER get '^' and '.'. 

Anyway, maybe it makes sense to some to look for incorrectly rot13'd
email-addresses, but why not catch the correctly rot13'd also?


/Per Jessen, Zürich



Re: OBSCURED_EMAIL ?

2007-05-31 Thread Theo Van Dinter
On Thu, May 31, 2007 at 07:15:02PM +0200, Per Jessen wrote:
 Anyway, maybe it makes sense to some to look for incorrectly rot13'd
 email-addresses, but why not catch the correctly rot13'd also?

Is anyone just using rot13 for address identification?  And if so, are there
enough people doing it to make the rule worthwhile?  And if so, is there a
computationally easy way to distinguish [EMAIL PROTECTED] from
[EMAIL PROTECTED] ?  They both look like valid email addresses from a
simple RE standpoint.

The only way I can think of is to insert the known valid TLDs into the RE,
which becomes painful.  Also, some TLDs (country codes) rot13 translate
into other valid TLDs: it/vg, at/ng, se/fr, etc.

In the end, I would guess it doesn't happen enough to make it worthwhile
to look for, whereas the other single substitution methods were being
used a lot at one point.

-- 
Randomly Selected Tagline:
I just love getting wild puzzled stares when I mention that I'm using a
 computer that isn't physically in front of me... - Michelle Vadeboncoeur
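
The ambiguity raised in the message above, as an added Python example that is not part of the original post: rot13 leaves '@' and '.' untouched, so a simple address RE matches both forms and only a TLD lookup can separate them, with some TLD pairs mapping onto each other. The TLD sets are a small constructed subset (an assumption), and the function names are hypothetical.

```python
import codecs
import re

# Constructed subset of TLDs for illustration (assumption: not the full IANA list).
CCTLDS = {"at", "be", "ch", "de", "dk", "fr", "it", "ng", "nl", "no", "se", "uk", "us", "vg"}
GTLDS = {"com", "net", "org", "edu"}
KNOWN_TLDS = CCTLDS | GTLDS

# A deliberately simple address pattern; the last group captures the TLD.
ADDR_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+([A-Za-z]{2,})$")


def rot13(text):
    """rot13 only rotates letters; '@', '.', digits and '-' pass through unchanged."""
    return codecs.encode(text, "rot_13")


def tld_collisions(tlds):
    """Return sorted pairs of TLDs that are each other's rot13 image."""
    pairs = set()
    for tld in tlds:
        other = rot13(tld)
        if other in tlds:
            pairs.add(tuple(sorted((tld, other))))
    return sorted(pairs)


def classify(address, tlds=KNOWN_TLDS):
    """Guess whether an address is plain or rot13'd, using only its TLD.

    Returns 'plain', 'rot13', 'ambiguous', 'unknown' or 'not-an-address'.
    """
    match = ADDR_RE.match(address)
    if not match:
        return "not-an-address"
    tld = match.group(1).lower()
    plain_ok = tld in tlds
    rot_ok = rot13(tld) in tlds
    if plain_ok and rot_ok:
        return "ambiguous"   # e.g. .it and .vg: the TLD cannot settle it
    if plain_ok:
        return "plain"
    if rot_ok:
        return "rot13"
    return "unknown"


if __name__ == "__main__":
    for addr in ("per@example.ch", rot13("per@example.ch"), "user@example.it"):
        print(addr, "->", classify(addr))
    print("colliding TLD pairs:", tld_collisions(KNOWN_TLDS))
```
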




Re: emails with embedded uuencoded files scoring high

2007-05-31 Thread Per Jessen
Per Jessen wrote:

 What I meant to ask is - has anyone written rules for detecting
 uuencoded files in the body text (not as attachment) ?

I have been going through my logs, and this problem is popping up a
little more often than I'm comfortable with.  OBSCURED_EMAIL is
triggered quite frequently off such an embedded uuencoded document
(seems to be predominantly Microsoft Word :-)

I was thinking of using a rawbody rule, till I realised that it is
applied line-by-line.  Is there a way of writing a rule with a
multi-line regex/pattern?



/Per Jessen, Zürich



Re: emails with embedded uuencoded files scoring high

2007-05-31 Thread Theo Van Dinter
On Thu, May 31, 2007 at 08:46:04AM +0200, Per Jessen wrote:
 What I meant to ask is - has anyone written rules for detecting
 uuencoded files in the body text (not as attachment) ?

I'm not sure about rules specifically, but as a fyi, you may want to
check out https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3278
which discussed the topic of handling uuencoded files, etc.

-- 
Randomly Selected Tagline:
All taglines are busy..One will be with you shortly.




Re: emails with embedded uuencoded files scoring high

2007-05-31 Thread Theo Van Dinter
On Thu, May 31, 2007 at 08:20:40PM +0200, Per Jessen wrote:
 I was thinking of using a rawbody rule, till I realised that it is
 applied line-by-line.  Is there a way of writing a rule with a
 multi-line regex/pattern?

In 3.2 rawbody rules are applied to paragraphs.  You should be able to
detect, generically, uue via a body rule though.

-- 
Randomly Selected Tagline:
... as you go forth today ... or fifth, depending on your order in line ...
  - From the movie Toys
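
One way to detect a uuencoded file embedded in body text across several lines, as an added Python example rather than SpamAssassin's own code or a rule from this thread: it checks the begin line, each data line's length character and the terminating end, and can swap the block for a placeholder so other body rules do not fire on the encoded text. The function names and the sample message are constructed for illustration.

```python
import binascii
import re

BEGIN_RE = re.compile(r"^begin ([0-7]{3,4}) (\S.*)$")


def _data_line_len(line):
    """Return the decoded byte count of one uuencoded data line, or None if invalid."""
    if not line or any(not (0x20 <= ord(c) <= 0x60) for c in line):
        return None                      # lowercase prose falls outside the uu alphabet
    n = (ord(line[0]) - 0x20) & 0x3F     # first character carries the byte count
    expected = 4 * ((n + 2) // 3)        # 4 characters per 3 bytes, padded
    # Transports may strip trailing spaces (space encodes zero bits), so a
    # short payload is tolerated; a payload longer than declared is not.
    if len(line) - 1 > expected:
        return None
    return n


def find_uuencoded(body):
    """Return one dict per complete begin/data/end block found in the body text."""
    lines = body.splitlines()
    found = []
    i = 0
    while i < len(lines):
        m = BEGIN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        size, j, complete = 0, i + 1, False
        while j < len(lines):
            # An empty line may be a zero-length terminator whose space was stripped.
            n = 0 if lines[j] == "" else _data_line_len(lines[j])
            if n is None:
                break
            if n == 0:
                complete = j + 1 < len(lines) and lines[j + 1].strip() == "end"
                break
            size += n
            j += 1
        if complete and size > 0:
            found.append({"name": m.group(2), "mode": m.group(1),
                          "first": i, "last": j + 1, "bytes": size})
            i = j + 2
        else:
            i += 1                       # prose that merely starts with "begin 644 ..."
    return found


def strip_uuencoded(body):
    """Replace each detected block with a one-line placeholder."""
    lines = body.splitlines()
    out, pos = [], 0
    for blk in find_uuencoded(body):
        out.extend(lines[pos:blk["first"]])
        out.append("[uuencoded file %s, %d bytes]" % (blk["name"], blk["bytes"]))
        pos = blk["last"] + 1
    out.extend(lines[pos:])
    return "\n".join(out)


def make_uu(data, name, mode="644"):
    """Build a uuencoded block; used only to construct the sample below."""
    rows = [binascii.b2a_uu(data[k:k + 45]).decode("ascii").rstrip("\n")
            for k in range(0, len(data), 45)]
    return "\n".join(["begin %s %s" % (mode, name)] + rows + ["`", "end"])


# Constructed sample: 100 bytes of filler data embedded directly in the body,
# followed by prose that happens to start like a begin line.
SAMPLE_BODY = "\n".join([
    "Hi, the report is below.",
    "",
    make_uu(b"\xd0\xcf\x11\xe0" + bytes(range(96)), "report.doc"),
    "",
    "begin 644 is just how this sentence starts,",
    "not an attachment.",
    "Regards",
])

if __name__ == "__main__":
    print(find_uuencoded(SAMPLE_BODY))
    print(strip_uuencoded(SAMPLE_BODY))
```
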




Re: OBSCURED_EMAIL ?

2007-05-31 Thread Kelson

Per Jessen wrote:

Theo Van Dinter wrote:


On Thu, May 31, 2007 at 09:46:56AM +0200, Per Jessen wrote:

I've been looking at what a rot13'ed email-address looks like, and it
doesn't come close to matching the pattern above.

rot13 is a common/well-defined version of a single substitution
cipher.  This rule tries to match those, not the rot13 a-m - n-z
mapping specifically.


Then why is the pattern very specific wrt '^' and '(' ?


Because it's very common (or at least was at one time) for spammers to 
rot13 the target addresses and then do those specific substitutions.


--
Kelson Vibber
SpeedGate Communications www.speed.net


Re: OBSCURED_EMAIL ?

2007-05-31 Thread Per Jessen
Theo Van Dinter wrote:

 On Thu, May 31, 2007 at 07:15:02PM +0200, Per Jessen wrote:
 Anyway, maybe it makes sense to some to look for incorrectly rot13'd
 email-addresses, but why not catch the correctly rot13'd also?
 
 Is anyone just using rot13 for address identification? 
 And if so, are there enough people doing it to make the rule
 worthwhile?  And if so, is there a computationally easy way to
 distinguish [EMAIL PROTECTED] from [EMAIL PROTECTED] ?  They
 both look like valid email addresses from a simple RE standpoint.
 
 The only way I can think of is to insert the known valid TLDs into the
 RE,  which becomes painful.  Also, some TLDs (country codes) rot13
 translate into other valid TLDs: it/vg, at/ng, se/fr, etc.
 
 In the end, I would guess it doesn't happen enough to make it
 worthwhile to look for, whereas the other single substitution methods
 were being used a lot at one point.

To me it's a pretty much moot point - OBSCURED_EMAIL with its 1.6 points
is of little use.  I would certainly suggest reducing the default score
to a lot less. (are there really other single substitution methods in
common use that translate '@' to '^' ?)


/Per Jessen, Zürich



Re: emails with embedded uuencoded files scoring high

2007-05-31 Thread Per Jessen
Theo Van Dinter wrote:

 On Thu, May 31, 2007 at 08:46:04AM +0200, Per Jessen wrote:
 What I meant to ask is - has anyone written rules for detecting
 uuencoded files in the body text (not as attachment) ?
 
 I'm not sure about rules specifically, but as a fyi, you may want to
 check out https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3278
 which discussed the topic of handling uuencoded files, etc.

Thanks for the reference, that was interesting reading.  I was surprised
to see that OBSCURED_EMAIL got 3.1 points back then (2004) :-)

I too thought uuencoding was long dead and gone, but I've only this week
seen four FPs caused by miscellaneous rules triggering off the
uuencoded text. 


/Per Jessen, Zürich



Using sa-learn on an anti-spam gateway

2007-05-31 Thread Jérôme Charaoui
Hi,

I'm setting up a new anti-spam gateway for a fairly busy site (about 20k
messages a day) using Postfix/Amavis/SpamAssassin/ClamAV on a Debian
etch system that delivers incoming (ham) mail to an Exchange 2003
server.

Since the old gateway was using a similar setup, there are already SPAM
and HAM public mail folders which our users contribute to. The SPAM
folder usually gets a lot of (untagged) spam, about 500 every day, while
the HAM gets very little, and most of it is internal (within Exchange)
mail that never passes through the gateway.

I'm wondering whether it's worthwhile to use that kind of data to feed
sa-learn, since a) a lot more spam than spam gets reported and b) most
of the ham reported is mail that just moves within different Exchange
mailboxes and never passes through the gateway.

If indeed it's mostly useless (or maybe even harmful for the Bayes
filter) then I was wondering if it would be more logical to have only
the technical team feed the SPAM and HAM folders with proper messages
(ie good mail that comes from an external source in the case as HAM).

In that case, I'm wondering if the fact that only specific users report
SPAM and HAM could trigger the Bayes filter to think that a message
would be more hammy or spammy depending on the recipient.

In short, I'm looking for a way to feed sa-learn that's at least
minimally effective in a situation where only a little useful HAM is
being reported by our users at large.


-- 
Jérôme Charaoui [EMAIL PROTECTED]
Service informatique - Collège de Maisonneuve


Re: emails with embedded uuencoded files scoring high

2007-05-31 Thread Per Jessen
Per Jessen wrote:

 Theo Van Dinter wrote:
 
 On Thu, May 31, 2007 at 08:46:04AM +0200, Per Jessen wrote:
 What I meant to ask is - has anyone written rules for detecting
 uuencoded files in the body text (not as attachment) ?
 
 I'm not sure about rules specifically, but as a fyi, you may want to
 check out https://issues.apache.org/SpamAssassin/show_bug.cgi?id=3278
 which discussed the topic of handling uuencoded files, etc.
 
 Thanks for the reference, that was interesting reading.  I was
 surprised to see that OBSCURED_EMAIL got 3.1 points back then (2004)
 :-)
 
 I too thought uuencoding was long dead and gone, but I've only this
 week seen four FPs caused by miscellaneous rules triggering off the
 uuencoded text.

I've just been doing some tests - and I was quite surprised to see
Thunderbird automatically recognise embedded uuencoded files as
attachments. 


/Per Jessen, Zürich



Re: OBSCURED_EMAIL ?

2007-05-31 Thread root

--=_20070103150623_67248
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit

Server .138

The email attached has been identified by one of our team as legitimate but 
unfortunately was incorrectly tagged as SPAM.

The email address has been whitelisted to ensure this will not happen again and 
we are currently looking into the reasons why this happened.

No mail has been lost as the quarantined mail folder is continuously checked by 
members of Team Genesis, but please accept our apologies for any inconvenience 
caused.

Your SPAM scanning system; Ullyses is continually being upgraded and refined so 
we anticipate a steadily decreasing number of incidents like this as the system 
learns your personal profile.

If you feel that you are receiving an inappropriate amount of SPAM then can we 
ask you to contact us either by email to: [EMAIL PROTECTED] or call your 
Genesis representative who will be happy to assist.

Please do not respond to this email address as it is automatically generated 
but submit any queries to: [EMAIL PROTECTED]

Thank you and take care


Mark

--=_20070103150623_67248
Content-Type: message/rfc822; name=originalmessage.msg
Content-Transfer-Encoding: 8bit
Content-Disposition: attachment; filename=originalmessage.msg

Date: Thu, 31 May 2007 15:02:58 +0200
From: Per Jessen [EMAIL PROTECTED]
Subject: Re: OBSCURED_EMAIL ?

Matthias Haegele wrote:

 Yep, that should work - I'll have to obscure the attachments too though:

 http://jessen.ch/files/problem-with-missing-content-type2
 
 
 scnr:
 It was obvious that something like this (garbage) could only have come
 out of some meeting ;-).

Matthias,

FYI, I can't reply to you directly - your mail-server is rejecting all
emails from computer.org.  (due to rfc-ignorant).



/Per Jessen, Zürich


*** Qmail-Scanner Quarantine Envelope Details Begin ***
X-Antivirus-GenesisGroup-Mail-From: [EMAIL PROTECTED] via dp-5019
X-Antivirus-GenesisGroup-Rcpt-To: [EMAIL PROTECTED]
X-Antivirus-GenesisGroup: 1.25st ( problem Found. Processed in 78.603463 secs) 
process 4596 
Quarantine-Description: SPAM exceeds quarantine threshold - hits=3.5/3.2
SA_REPORT hits = 3.5/3.2
 -0.0 SPF_PASS           SPF: sender matches SPF record
  0.0 BOTNET_SOHO        Relay might be a SOHO mail server
                         [botnet_soho,ip=140.211.11.2,maildomain=spamassassin.apache.org]
  1.0 namecheck_bad      BODY: Invalid username for sender
  0.0 BAYES_00           BODY: Bayesian spam probability is 0 to 1%
                         [score: 0.]
  1.4 GENESIS_USERCHECK  HEADER: 
  1.0 GENESIS_REMOTESMTP BODY: 25/TCP not listening on remote host
  0.1 AWL                AWL: From: address is in the auto white-list
*** Qmail-Scanner Envelope Details End ***
--=_20070103150623_67248--




Re: Using sa-learn on an anti-spam gateway

2007-05-31 Thread Chris St. Pierre

On Thu, 31 May 2007, Jérôme Charaoui wrote:


I'm wondering whether it's worthwhile to use that kind of data to feed
sa-learn, since a) a lot more spam than spam gets reported and b) most
of the ham reported is mail that just moves within different Exchange
mailboxes and never passes through the gateway.

If indeed it's mostly useless (or maybe even harmful for the Bayes
filter) then I was wondering if it would be more logical to have only
the technical team feed the SPAM and HAM folders with proper messages
(ie good mail that comes from an external source in the case as HAM).

In that case, I'm wondering if the fact that only specific users report
SPAM and HAM could trigger the Bayes filter to think that a message
would be more hammy or spammy depending on the recipient.


Use per-user filtering.  Seriously.  As you're aware, your users are
better at poisoning your Bayesian filter than any spammer could ever
be.  There are three approaches:

1.  Hold their hands, carefully combing over the reported false
positives/negatives and writing polite emails saying Tut tut!
That's not actually spam!;

2.  Only let your tech team tweak your filtering, which excludes a lot
of people (and a lot of input); or

3.  Let people train their filter to their hearts' content, but only
their filter.  If they want to report mail as spam, let them!  If
it's not spam, so what?  They're only harming themselves.

We have users who report all sorts of absurd stuff as spam, but I
don't care.  If they think it's spam, then we'll do whatever's
reasonable to filter it.  (In our case, we blacklist the sender for
that recipient and run the message through sa-learn.)

At that volume, there's really no reason to be concerned about the
difference in the amount of spam and ham getting reported.

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University

LOPSA Sysadmin Days: Professional Training for Professional SysAdmins
August 6-7, Cherry Hill, NJ
http://lopsa.org/SysadminDays


Re: error msg from sa-update every morning

2007-05-31 Thread Gene Heskett
On Thursday 31 May 2007, Jason Bertoch wrote:
On Thursday, May 31, 2007 9:42 AM Gene Heskett wrote:
 Greetings all;

 The error message is:
 /etc/cron.daily/sa-update:

 [28045] warn: netset: cannot include 127/8 as it has already been
 included

It sounds like a reference to the trusted_networks setting.  Some changes
 were made to automatically include the localhost network, so you no longer
 need to specify it yourself.

Here is the only reference to 'localhost' that grep can find, in this case
in /etc/mail/spamassassin/*:

[EMAIL PROTECTED] spamassassin]# grep localhost *
70_sare_header2.cf:header SARE_RECV_LOCALHOST  Received =~ /localhosts\.txt/i
70_sare_header.cf:header SARE_RECV_LOCALHOST  Received =~ /localhosts\.txt/i


So I should nuke those 2 lines?  Or just one, in which case which one?

Thanks, Jason.


Jason A. Bertoch
Network Administrator
[EMAIL PROTECTED]
ElectroNet Intermedia Consulting
3411 Capital Medical Blvd.
Tallahassee, FL 32308
(V) 850.222.0229 (F) 850.222.8771



-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
If you want to travel around the world and be invited to speak at a lot
of different places, just write a Unix operating system.
-- Linus Torvalds


Re: error msg from sa-update every morning

2007-05-31 Thread Gene Heskett
On Thursday 31 May 2007, Daryl C. W. O'Shea wrote:
Jason Bertoch wrote:
 On Thursday, May 31, 2007 9:42 AM Gene Heskett wrote:
 Greetings all;

 The error message is:
 /etc/cron.daily/sa-update:

 [28045] warn: netset: cannot include 127/8 as it has already been
 included

 It sounds like a reference to the trusted_networks setting.  Some changes
 were made to automatically include the localhost network, so you no longer
 need to specify it yourself.

Yes... as noted in the first item in the UPGRADE document and included
in the release announcement.

Erm, yum nor smart apparently never took that bus.  And the release announce 
has probably been expired off my local corpus of email by now.  url please?

Daryl



-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
If you want to travel around the world and be invited to speak at a lot
of different places, just write a Unix operating system.
-- Linus Torvalds


Re: How To Kill Spam Dead?

2007-05-31 Thread Dennis Kavadas

most, if not all spam have spoofed addresses headers that do not resolve to
a valid account on any host, that said, how is it a problem ?


On 5/31/07, Matt Kettler [EMAIL PROTECTED] wrote:


John Rudd wrote:
 Per Jessen wrote:
 Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

 I remember one of my friends saying just that - about 5 years ago.  It
 might be fine for personal email, but it's not very useful in a
 business context.  Too much end-user education required.

 That, and TMDA is a blight upon the internet.  It is at best
 misguided, and at worst irresponsible, to use challenge-response email
 systems.


Agreed. Challenge response systems attempt to solve the problem of spam
by forwarding it to someone else and hoping they'll use good judgment
for you and only approve mail they actually sent. You're turning your
spam problems into theirs.

The problem boils down to forged spam emails. If you're using TMDA and a
forged spam comes in, your TMDA system in-turn spams that victim of
forgery. After spamming them, you're hoping that they'll be nice and
delete the message for you, because you're too lazy to do it yourself.

My question is, why should I not activate the spam, after your TMDA
system has chosen to intrude on MY mailbox in an attempt to solve YOUR
spam problems?

Do I have any prior agreement with you to perform this task properly?
Are you paying me for my time? Oh, that's right, you're not paying me,
nor have you previously asked me if it's ok to do this to my mailbox, so
I'm free to do as I please..

Well then, who am I to stop you from getting advertisements you might
actually want?

*click*

Seriously, I take this approach to every TMDA challenge I get. I
encourage everyone to do the same. It is not your responsibility to
filter people's spam for them, so take the time and return the problem
back to its original owner.







Re: How To Kill Spam Dead?

2007-05-31 Thread Dennis Kavadas

if i had never met you before and if i asked you to knock on my door before
barging in, would you believe that was too much to ask of you ?




On 6/1/07, jdow [EMAIL PROTECTED] wrote:


From: Per Jessen [EMAIL PROTECTED]
Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

I remember one of my friends saying just that - about 5 years ago.  It
might be fine for personal email, but it's not very useful in a
business context.  Too much end-user education required.




TMDA involves challenge/response. I ***NEVER*** reply to spam.
A challenge, from a challenge response system is spam. Hence I
***NEVER*** reply to challenges. I have rerouted messages to idiots
who use it to tell them that their email host is broken and is very
unlikely to allow mail from me through. I suggest they get a real mail
service.

{^_^}



Re: How To Kill Spam Dead?

2007-05-31 Thread Dennis Kavadas

why ?



On 5/31/07, John Rudd [EMAIL PROTECTED] wrote:


Per Jessen wrote:
 Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

 I remember one of my friends saying just that - about 5 years ago.  It
 might be fine for personal email, but it's not very useful in a
 business context.  Too much end-user education required.

That, and TMDA is a blight upon the internet.  It is at best misguided,
and at worst irresponsible, to use challenge-response email systems.




Re: How To Kill Spam Dead?

2007-05-31 Thread Dennis Kavadas

why isn't it useful in a business context ?
the sender gets a challenge once ! ...how is that a problem ?



On 5/31/07, Per Jessen [EMAIL PROTECTED] wrote:


Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

I remember one of my friends saying just that - about 5 years ago.  It
might be fine for personal email, but it's not very useful in a
business context.  Too much end-user education required.


/Per Jessen, Zürich




Re: How To Kill Spam Dead?

2007-05-31 Thread Rick Macdougall

Dennis Kavadas wrote:
most, if not all spam have spoofed addresses headers that do not 
resolve to a valid account on any host, that said, how is it a problem ?




Tell that to my Inbox that gets 40 or 50 bounces a day from clueless 
admins who accept then bounce.  I get info@, webmaster@, dns@ etc.


Usually I just blacklist their IP's until they smarten up. And since I 
manage servers for over 500K users, usually they smarten up pretty quick.


TMDA challenges go right in the trash, especially if it's a company I 
want to do business with or someone I'm trying to help out.


Just my $0.02

Rick



Re: How To Kill Spam Dead?

2007-05-31 Thread Matthias Häker



Dennis Kavadas wrote:
if i had never met you before and if i asked you to knock on my door 
before barging in, would you believe that was too much to ask of you ?






think about it

if 1.000.000 People claim to be me , and you ask always me if i was it

how do you think i react

Matthias Häker


Re: How To Kill Spam Dead?

2007-05-31 Thread John Rudd

Dennis Kavadas wrote:

why ?



On 5/31/07, John Rudd [EMAIL PROTECTED] wrote:


Per Jessen wrote:
 Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

 I remember one of my friends saying just that - about 5 years ago.  It
 might be fine for personal email, but it's not very useful in a
 business context.  Too much end-user education required.

That, and TMDA is a blight upon the internet.  It is at best misguided,
and at worst irresponsible, to use challenge-response email systems.






(this really ought to be an FAQ somewhere)


Misguided:

As was stated elsewhere, you're moving the burden of your anti-spam 
decision to another person's resources (not just their system resources, 
but their actual personal time).  Further, this burden will ONLY be 
placed upon legitimate senders, as spambots won't see the challenge and 
direct-spammers will either ignore it or catalog it.  So, it's 
essentially a tax upon legitimate senders.  That's stupid (and there 
aren't many things I outright call stupid).



Irresponsible:

Challenge-Response anti-spam email systems are a perfect vector for 
implementing a joe-job style denial of service.  Consider that if 
challenge-response/TMDA systems become widespread, say one million 
users.  Now let's say a spam goes out that claims to be from 
[EMAIL PROTECTED], and domain.tld doesn't have anything in place like SPF, 
DK, nor DKIM (or if they have SPF, it's done in a way that's 
exploitable and thus useless but keeps them from being blocked for not 
having an SPF record).


So, now [EMAIL PROTECTED] is about to get a flood of a million challenge 
messages.  Probably within a few seconds.  Even if these don't reach his 
own account because of his own challenge-response system, they WILL hit 
his mail server.  One million extra email messages (above and beyond 
usual production email rate) in a few seconds is nothing to dismiss. 
Most email services would be overwhelmed by that.  And the potential 
flood is even higher if more people adopt the technology.


And, remember what I said above about spammers might catalog those 
challenge-response messages?  There's a growing overlap between spam 
senders and organized crime.  The very people who might use their botnet 
to send spam might turn around and use it to leverage a list of known 
challenge-response users to get them to be the source of a distributed 
denial of service attack.


Challenge-response systems are just ripe for abuse by 3rd parties. 
Using them is allowing you and your resources to be ripe for abuse, and 
is therefore irresponsible.




Re: How To Kill Spam Dead?

2007-05-31 Thread Rick Macdougall

Dennis Kavadas wrote:
if i had never met you before and if i asked you to knock on my door 
before barging in, would you believe that was too much to ask of you ?


If you are a business or someone looking for help, you either have an 
open door policy or you asked for someone to help you out.


Asking them to knock first is just rude and, in the case of businesses, 
standing in the way of doing business, since your clients can not easily 
get a hold of you.



Rick



Re: How To Kill Spam Dead?

2007-05-31 Thread John Rudd


Terrible analogy.  How often do you get a million people all knocking on 
your door at once?



Dennis Kavadas wrote:
if i had never met you before and if i asked you to knock on my door before
barging in, would you believe that was too much to ask of you ?




On 6/1/07, jdow [EMAIL PROTECTED] wrote:


From: Per Jessen [EMAIL PROTECTED]
Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

I remember one of my friends saying just that - about 5 years ago.  It
might be fine for personal email, but it's not very useful in a
business context.  Too much end-user education required.




TMDA involves challenge/response. I ***NEVER*** reply to spam.
A challenge, from a challenge response system is spam. Hence I
***NEVER*** reply to challenges. I have rerouted messages to idiots
who use it to tell them that their email host is broken and is very
unlikely to allow mail from me through. I suggest they get a real mail
service.



Re: How To Kill Spam Dead?

2007-05-31 Thread John Rudd


If your assumption here were true, joe-job attacks would be practically 
unheard-of.  And for it to be a successful joe-job attack, the sending 
account doesn't have to exist, only the sending mail domain has to exist.


Dennis Kavadas wrote:

most, if not all spam have spoofed addresses headers that do not resolve to
a valid account on any host, that said, how is it a problem ?


On 5/31/07, Matt Kettler [EMAIL PROTECTED] wrote:


John Rudd wrote:
 Per Jessen wrote:
 Dennis Kavadas wrote:

 guys, even though we use SA for tagging... the real short to long term
 solution is TMDA

 I remember one of my friends saying just that - about 5 years ago.  It
 might be fine for personal email, but it's not very useful in a
 business context.  Too much end-user education required.

 That, and TMDA is a blight upon the internet.  It is at best
 misguided, and at worst irresponsible, to use challenge-response email
 systems.


Agreed. Challenge response systems attempt to solve the problem of spam
by forwarding it to someone else and hoping they'll use good judgment
for you and only approve mail they actually sent. You're turning your
spam problems into theirs.

The problem boils down to forged spam emails. If you're using TMDA and a
forged spam comes in, your TMDA system in-turn spams that victim of
forgery. After spamming them, you're hoping that they'll be nice and
delete the message for you, because you're too lazy to do it yourself.

My question is, why should I not activate the spam, after your TMDA
system has chosen to intrude on MY mailbox in an attempt to solve YOUR
spam problems?

Do I have any prior agreement with you to perform this task properly?
Are you paying me for my time? Oh, that's right, you're not paying me,
nor have you previously asked me if it's ok to do this to my mailbox, so
I'm free to do as I please..

Well then, who am I to stop you from getting advertisements you might
actually want?

*click*

Seriously, I take this approach to every TMDA challenge I get. I
encourage everyone to do the same. It is not your responsibility to
filter people's spam for them, so take the time and return the problem
back to its original owner.









How to avoid filtering twice when having mail-groups

2007-05-31 Thread Manu
Hi all,

I'm using SpamAssassin 3.0.2 and Qmail on a Debian Sarge Server. 
Administrative hosting panel is Plesk 8.1.

Imagine the following situation:
[EMAIL PROTECTED] forwards to [EMAIL PROTECTED], [EMAIL PROTECTED],...

Now if SpamAssassin checks [EMAIL PROTECTED] and each user has enabled spam 
filtering too, SpamAssassin will filter the same message once for mailgroup@ 
and then once again for each user. We'll get: 1 + #users scans.
If I disable scanning of mailgroup@, we'll get #user scans for the very same 
message.

What I would like to have: SpamAssassin scans for mailgroup@ and when the very 
same message has to be scanned for each user, SpamAssassin remembers that 
this message has already been scanned seconds ago and doesn't scan it again.

SpamAssassin sometimes needs 15 seconds to process a message, so you can 
imagine that this will save much time and resources for mailgroups with many 
recipients.

Any chance to get this working?

Thanks in advance.

-- 
Cheers, Manu


Re: How To Kill Spam Dead?

2007-05-31 Thread jdow

From: Rick Macdougall [EMAIL PROTECTED]


Dennis Kavadas wrote:
if i had never met you before and if i asked you to knock on my door 
before barging in, would you believe that was too much to ask of you ?


If you are a business or someone looking for help, you either have an open 
door policy or you asked for someone to help you out.


Asking them to knock first is just rude and, in the case of businesses, 
standing in the way of doing business, since your clients can not easily 
get a hold of you.


Actually the situation is the reverse of the stranger at the door situation.
THEY are the stranger to whom I am replying. I've not hit a corporation
stupid enough to turn me away with a C/R.

All the C/R's I have experienced are from ME answering THEIR email. That
in NO WAY matches the stranger at the door. HE is the stranger at the door
not me. Most of the C/Rs have been to messages on mailing lists. That is
as utterly unfriendly as you can get. And, again, HE is the stranger at the door

I was trying to help.

That level of rudeness does not set well with me. Call me a crotchety old
bitch if you want. But I will continue to reject C/R, often with extreme
prejudice, into the foreseeable future.

{^_^} 



Re: How To Kill Spam Dead?

2007-05-31 Thread Matt Kettler
Dennis Kavadas wrote:
 most, if not all spam have spoofed addresses headers that do not
 resolve to a valid account on any host, that said, how is it a problem ?
Really? How are you so sure of this?

Read up on the term joe job.




Re: OBSCURED_EMAIL ?

2007-05-31 Thread jdow

From: Kelson [EMAIL PROTECTED]

Per Jessen wrote:

Theo Van Dinter wrote:


On Thu, May 31, 2007 at 09:46:56AM +0200, Per Jessen wrote:

I've been looking at what a rot13'ed email-address looks like, and it
doesn't come close to matching the pattern above.

rot13 is a common/well-defined version of a single substitution
cipher.  This rule tries to match those, not the rot13 a-m - n-z
mapping specifically.


Then why is the pattern very specific wrt '^' and '(' ?


Because it's very common (or at least was at one time) for spammers to 
rot13 the target addresses and then do those specific substitutions.


Or base64 or other obvious but not rot13 encodings are often used.
{^_^}


Re: How To Kill Spam Dead?

2007-05-31 Thread Michele Neylon :: Blacknight

Dennis Kavadas wrote:
most, if not all spam have spoofed addresses headers that do not resolve 
to a valid account on any host


Tell that to the thousands of our clients who have to deal with the 
bouncebacks and other junk



--
Mr Michele Neylon
Blacknight Solutions
Hosting  Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 927 280
Intl. +353 (0) 59  9183072
UK: 0870 163 0607
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763



Re: How To Kill Spam Dead?

2007-05-31 Thread Dave Pooser
 think about it
 
 if 1.000.000 People claim to be me , and you ask always me if i was it
 
 how do you think i react

I did run into what I consider to be a responsible C/R system today-- this
is the NDR generated by my own mail server:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  obfuscated@obfuscated.com
SMTP error from remote mail server after end of data:
host obfuscated [000.00.000.00]: 550 POSSIBLE SPAM! CLICK HERE TO
DELIVER:
http://33.4mail.com/l/?uniqueIDhere

So what their server is doing is fakerejecting the message after DATA, then
quarantining it and giving the release URL as part of the SMTP transaction.
This eliminates my major objection to C/R: the challenge goes to the host
that attempted to send the message and not to the (probably forged)
return-address. No backscatter, no joejob potential. The only problem I see
is that some MTAs may clean up the message until it's unrecognizable.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!! -- Bill McKenna




Re: How To Kill Spam Dead?

2007-05-31 Thread Rick Macdougall

jdow wrote:

From: Rick Macdougall [EMAIL PROTECTED]


Dennis Kavadas wrote:
if i had never met you before and if i asked you to knock on my 
door before barging in, would you believe that was too much to ask of 
you ?


If you are a business or someone looking for help, you either have an 
open door policy or you asked for someone to help you out.


Asking them to knock first is just rude and, in the case of 
businesses, standing in the way of doing business, since your clients 
can not easily get a hold of you.


Actually the situation is the reverse of the stranger at the door
situation.

THEY are the stranger to whom I am replying. I've not hit a corporation
stupid enough to turn me away with a C/R.

All the C/R's I have experienced are from ME answering THEIR email. That
in NO WAY matches the stranger at the door. HE is the stranger at the door
not me. Most of the C/Rs have been to messages on mailing lists. That is
as utterly unfriendly as you can get. And, again, HE is the stranger
at the door

I was trying to help.

That level of rudeness does not set well with me. Call me a crotchety old
bitch if you want. But I will continue to reject C/R, often with
extreme prejudice, into the foreseeable future.

{^_^}

Heh, I think I love you :)

Rick



Re: How To Kill Spam Dead?

2007-05-31 Thread Dennis Kavadas

i think we all need to read the TMDA FAQ ! :-)




On 6/1/07, Rick Macdougall [EMAIL PROTECTED] wrote:


jdow wrote:
 From: Rick Macdougall [EMAIL PROTECTED]

 Dennis Kavadas wrote:
 if i had never met you before and if i asked you to knock on my
 door before barging in, would you believe that was too much to ask of
 you ?

 If you are a business or someone looking for help, you either have an
 open door policy or you asked for someone to help you out.

 Asking them to knock first is just rude and, in the case of
 businesses, standing in the way of doing business, since your clients
 can not easily get a hold of you.

 Actually the situation is the reverse of the stranger at the door
 situation.
 THEY are the stranger to whom I am replying. I've not hit a corporation
 stupid enough to turn me away with a C/R.

 All the C/R's I have experienced are from ME answering THEIR email. That
 in NO WAY matches the stranger at the door. HE is the stranger at the
 door
 not me. Most of the C/Rs have been to messages on mailing lists. That is
 as utterly unfriendly as you can get. And, again, HE is the stranger
 at the door
 I was trying to help.

 That level of rudeness does not set well with me. Call me a crotchety old
 bitch if you want. But I will continue to reject C/R, often with
 extreme prejudice, into the foreseeable future.

 {^_^}
Heh, I think I love you :)

Rick




Re: How To Kill Spam Dead?

2007-05-31 Thread Gene Heskett
On Thursday 31 May 2007, John D. Hardin wrote:
On Thu, 31 May 2007, Rick Macdougall wrote:
 jdow wrote:
  That level of rudeness does not set well with me. Call me a crotchety
  old bitch if you want. But I will continue to reject C/R, often with
  extreme prejudice, into the foreseeable future.

 Heh, I think I love you :)

+1

The line forms over there, way over there.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 523 days until the Presidential Election



-- 
Cheers, Gene
There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order.
-Ed Howdershelt (Author)
We have a equal opportunity Calculus class -- it's fully integrated.


Re: How To Kill Spam Dead?

2007-05-31 Thread John D. Hardin
On Thu, 31 May 2007, Rick Macdougall wrote:

 jdow wrote:
 
  That level of rudeness does not set well with me. Call me a crotchety old
  bitch if you want. But I will continue to reject C/R, often with 
  extreme prejudice, into the foreseeable future.

 Heh, I think I love you :)

+1

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  It is not the business of government to make men virtuous or
  religious, or to preserve the fool from the consequences of his own
  folly.  -- Henry George
---
 523 days until the Presidential Election



Re: How To Kill Spam Dead?

2007-05-31 Thread John Rudd


I've read it in the past.  What part do you think changes the issues 
being raised about challenge-response systems?



Dennis Kavadas wrote:

i think we all need to read the TMDA FAQ ! :-)




On 6/1/07, Rick Macdougall [EMAIL PROTECTED] wrote:


jdow wrote:
 From: Rick Macdougall [EMAIL PROTECTED]

 Dennis Kavadas wrote:
 if i had never met you before and if i asked you to knock on my
 door before barging in, would you believe that was too much to ask of
 you ?

 If you are a business or someone looking for help, you either have an
 open door policy or you asked for someone to help you out.

 Asking them to knock first is just rude and, in the case of
 businesses, standing in the way of doing business, since your clients
 can not easily get a hold of you.

 Actually the situation is the reverse of the stranger at the door
 situation.
 THEY are the stranger to whom I am replying. I've not hit a corporation
 stupid enough to turn me away with a C/R.

 All the C/R's I have experienced are from ME answering THEIR email. That
 in NO WAY matches the stranger at the door. HE is the stranger at the
 door
 not me. Most of the C/Rs have been to messages on mailing lists. That is
 as utterly unfriendly as you can get. And, again, HE is the stranger
 at the door
 I was trying to help.

 That level of rudeness does not set well with me. Call me a crotchety old
 bitch if you want. But I will continue to reject C/R, often with
 extreme prejudice, into the foreseeable future.

 {^_^}
Heh, I think I love you :)

Rick






Re: How To Kill Spam Dead?

2007-05-31 Thread Matt Kettler
Dennis Kavadas wrote:
 i think we all need to read the TMDA FAQ ! :-)
I have read the entire general section. None of it seems to address any
of the concerns about TMDA posted by me or anyone else on this list. The
only part that's even vaguely relevant to this discussion are sections
1.1 and 1.5. To the extent that these address any of the problems with
TMDA, they merely deny they exist. However, both are minor problems, as
they affect the person behind the TMDA, not everyone else, so I really
don't care.

However, none of the FAQ seems to deal with the real issues with TMDA.
Impact on the rest of the world.

It all boils down to the basic problem that TMDA is a spam generating
system that exacerbates and amplifies the power of joe-jobs. In the case
of forged-from spam messages you're sending unsolicited email to an
uninterested third party. The vast majority of spam runs do use real
addresses. They try not to use nonexistent junk addresses, because these are
always caught in simple call-back filters. Spammers generally use
addresses out of their email database for both To: and From: addresses.
Many of these are undeliverable due to being old, but spammers do
generally try to use real return addresses.

Anyone telling you spammers only or mostly use bogus return addresses
either hasn't studied spam extensively or is deluding themselves.

Pulling the first spam off the top of NANAS:

From: Poste Italiane [EMAIL PROTECTED]
Message-ID: [EMAIL PROTECTED]

This is a real commercial site's info contact.
http://www.poste.it/azienda/posterisponde/

Gee, I didn't have to try hard to find one that I could confirm as an
innocent joe..

As for reading material, I think you need to read the SpamCop Listing
criteria:

http://www.spamcop.net/fom-serve/cache/14.html

Note that any misdirected challenge/response can get you blacklisted in
spamcop. ie: if a spammer sends you mail with my address in the
return-path and you challenge, your server is now qualified to be
spamcop blacklisted. There's a reason for this. You've just spammed someone.

I also think you should consider reading:

http://kmself.home.netcom.com/Rants/challenge-response.html

While it is a rant, it does outline the problems involved in
challenge-response systems quite well. TMDA is immune to a few of them,
however, TMDA is:
 
Definitely Subject to 0, 2, 6, and 11. Please address these.

Subject to 1,4,5, and 9, but the merits here are debatable so they can
be ignored as far as I'm concerned.

Immune or largely immune to 7.

Subject to 8, but the presented argument only applies to people who
don't remember what they've sent.

Can be made immune to 10, but involves manual whitelisting.

Immune to 3 if you run your own, subject if you outsource but the same
goes for outsourcing anything.







Re: error msg from sa-update every morning

2007-05-31 Thread Daryl C. W. O'Shea

Gene Heskett wrote:

On Thursday 31 May 2007, Daryl C. W. O'Shea wrote:

Jason Bertoch wrote:

On Thursday, May 31, 2007 9:42 AM Gene Heskett wrote:

Greetings all;

The error message is:
/etc/cron.daily/sa-update:

[28045] warn: netset: cannot include 127/8 as it has already been included

It sounds like a reference to the trusted_networks setting.  Some changes
were made to automatically include the localhost network, so you no longer
need to specify it yourself.

Yes... as noted in the first item in the UPGRADE document and included
in the release announcement.


Erm, yum nor smart apparently never took that bus.  And the release announce 
has probably been expired off my local corpus of email by now.  url please?


Linked from the main page of the website: 
http://spamassassin.apache.org/doc.html


Re: error msg from sa-update every morning

2007-05-31 Thread Daryl C. W. O'Shea

Gene Heskett wrote:

On Thursday 31 May 2007, Jason Bertoch wrote:

On Thursday, May 31, 2007 9:42 AM Gene Heskett wrote:

Greetings all;

The error message is:
/etc/cron.daily/sa-update:

[28045] warn: netset: cannot include 127/8 as it has already been included

It sounds like a reference to the trusted_networks setting.  Some changes
were made to automatically include the localhost network, so you no longer
need to specify it yourself.


Here is the only reference to 'localhost' that grep can find, in this case
in /etc/mail/spamassassin/*:

[EMAIL PROTECTED] spamassassin]# grep localhost *
70_sare_header2.cf:header SARE_RECV_LOCALHOST  Received =~ /localhosts\.txt/i
70_sare_header.cf:header SARE_RECV_LOCALHOST  Received =~ /localhosts\.txt/i


So I should nuke those 2 lines?  Or just one, in which case which one?


Neither.  The warning is about a superfluous 127/8 in either a 
trusted_networks or internal_networks line.


Daryl
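
An added example, not part of the original thread and not SpamAssassin's own code: a scan of configuration text for trusted_networks / internal_networks entries that fall inside 127/8, which is what the warning points at and what a grep for "localhost" cannot find. The sample config is constructed, the function names are hypothetical, and the parser assumes only IPv4 net specs written as a full address, an address with /mask, or a short form such as 127/8 or "127.".

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
DIRECTIVES = ("trusted_networks", "internal_networks")

def parse_sa_net(token):
    """Turn an IPv4 net spec such as '192.168/16' or '127.' into an ip_network."""
    addr, _, bits = token.partition("/")
    octets = [o for o in addr.split(".") if o != ""]
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() for o in octets):
        return None                       # IPv6 or junk: out of scope here
    if not bits:
        bits = str(8 * len(octets))       # '127.' -> /8, full address -> /32
    octets += ["0"] * (4 - len(octets))   # pad short forms with zero octets
    try:
        return ipaddress.ip_network(".".join(octets) + "/" + bits, strict=False)
    except ValueError:
        return None

def find_loopback_entries(config_text):
    """Return (line number, directive, token) for each entry inside 127/8."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()    # drop trailing comments
        if not fields or fields[0] not in DIRECTIVES:
            continue
        for token in fields[1:]:
            if token.startswith("!"):             # exclusion entry, not an include
                continue
            net = parse_sa_net(token)
            if net is not None and net.subnet_of(LOOPBACK):
                hits.append((lineno, fields[0], token))
    return hits

# Constructed sample, standing in for the *.cf files under /etc/mail/spamassassin
SAMPLE = """\
# constructed local.cf fragment
required_score 5.0
trusted_networks 192.168/16 127/8
internal_networks 10.0.1/24 127.0.0.1   # mail relay
header SARE_RECV_LOCALHOST Received =~ /localhosts\\.txt/i
trusted_networks 127.
"""

if __name__ == "__main__":
    for lineno, directive, token in find_loopback_entries(SAMPLE):
        print(f"line {lineno}: {directive} lists {token}; loopback is already included")
```
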


Re: OBSCURED_EMAIL ?

2007-05-31 Thread Daryl C. W. O'Shea

Per Jessen wrote:


To me it's a pretty much moot point - OBSCURED_EMAIL with its 1.6 points
is of little use.  I would certainly suggest reducing the default score
to a lot less. (are there really other single substitution methods in
common use that translate '@' to '^' ?)


Yeah -- that would be the reason why there's a rule to look for such a 
thing.  We don't just make rules up for the hell of it.


Daryl