Catch all addresses and failure/undeliverable notification messages

2007-07-17 Thread smeevil

Hello all,

I am looking for some advice regarding the following issue :

I have some domains which are using a catch all address.
On these addresses I get a lot of undeliverable / failure notices which are
theoretically legit.
Though they originate from spams spoofing the domains which makes those
messages spam in practice.

I am hoping any of you would know a solution to filter these messages while
retaining the legit ones.
So far the only "solution" I can come up with is to stop using catch-all
addresses, which in some cases is not feasible. 

Thank you for your time :)
Gerard.



too much spam getting through, scores too low

2007-07-17 Thread Debbie D

I am so frustrated.. updated cpanel the other day to
WHM 11.2.0 cPanel 11.6.0-C15032
FEDORA 4 i686 - WHM X v3.1.0
Exim 4.66 on a Linux box

This in turn updated SA to 3.002001 (3.2.1 I guess)
I have run sa-update, restarted exim.. and SA runs and it definitely catches 
spam.. no question there..

Exim statistics from 2007-07-15 04:06:11 to 2007-07-17 22:06:20
Received 5871
Delivered 7195
Rejects 48228
that's 66 hours and 48k spam received.. and trashed

But I am still getting way too many spams.. more than I did before the 
update -- cialis, viagra, all kinds of meds, all scoring between 0.6 and 3.5


How can these mails score that low?

I used to be able to see the rules it hit on, but can no longer see this.. 
Also I see that since the upgrade local delivered mails are not being 
scanned at all.. not that those really matter IMHO.. they come from my 
forums or forms.. The SA version header is also gone from the headers..


Other settings

Reject mail at SMTP time if the spam score from spamassassin is greater than 
10.0. [Ticked ON]

Reject messages with potentially dangerous attachments. [Ticked ON]
Rewrite messages SpamAssassin marks as spam with ***SPAM*** at the beginning 
of the subject line. [Ticked ON]


OH WAIT.. Turn on SpamAssassin for all accounts (Global ON). is NOT 
checked... and neither is use old transport system.. am I just being dumb 
blond here??
But if the global is not ON.. how is SA running? OK so I am really confused 
now



I did turn SA ON globally and am tailing the mail logs right now.. what I 
saw when SA restarted:
Jul 17 22:30:18 server spamd[7755]: rules: meta test FM__TIMES_2 has 
dependency 'FH_HOST_EQ_D_D_D_D' with a zero score
Jul 17 22:30:18 server spamd[7755]: rules: meta test FM_SEX_HOST has 
dependency 'FH_HOST_EQ_D_D_D_D' with a zero score
Jul 17 22:30:18 server spamd[7755]: rules: meta test HS_PHARMA_1 has 
dependency 'HS_SUBJ_ONLINE_PHARMACEUTICAL' with a zero score


how do I fix that??

And mails created locally from my forum and forms are still not getting 
scanned, but in the past 2+ hours the spam level of those that got through 
has decreased somewhat


The server also seems to be running at slightly higher loads (.90 - 1.50%) 
than before.. my forum is quite busy this time of night though so it is hard 
to say where that lies

thanks







Why my SA sending report to all users?

2007-07-17 Thread Eny Wu

I have just updated my SpamAssassin from 2.4 to 3.1.8.
It works great; however, I and all my users have been receiving some emails
without any headers with the following info (sample below):
--

From [EMAIL PROTECTED]   Mon Jul 16 20:09:26 2007
Return-Path: < [EMAIL PROTECTED] >
X-Spam-Checker-Version: SpamAssassin 3.1.8 (2007-02-13) on
 mail2.singapore-daiichi.com.sg
X-Spam-Level:
X-Spam-Status: No, score=-1.3 required=5.0 tests=ALL_TRUSTED,AWL
 autolearn=disabled version=3.1.8
Received: from mail.singapore-daiichi.com.sg (mail3.singapore-daiichi.com.sg
 [192.168.12.29])
 by mail2.singapore-daiichi.com.sg (8.13.6/8.13.6) with ESMTP id l6GC9FdZ014308
 for < [EMAIL PROTECTED]>; Mon, 16 Jul 2007 20:09:25 +0800
Received: from localhost (localhost)
 by mail.singapore-daiichi.com.sg   id l6GCEbhs027137;
 Mon, 16 Jul 2007 20:14:46 +0800
Date: Mon, 16 Jul 2007 20:14:46 +0800
From: Mail Delivery Subsystem <[EMAIL PROTECTED] >
Message-Id: <[EMAIL PROTECTED] >
To: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status;
 boundary="l6GCEbhs027137.1184588086/mail.singapore-daiichi.com.sg"
Subject: Postmaster notify: see transcript for details
Auto-Submitted: auto-generated (postmaster-notification)

This is a MIME-encapsulated message

--l6GCEbhs027137.1184588086/mail.singapore-daiichi.com.sg

The original message was received at Mon, 16 Jul 2007 20:14:46 +0800
from localhost
with id l6GCEbhr027137

--



Is there any way to stop SpamAssassin from sending the above report? I
don't want my users to receive this message.

Some of my users are also receiving empty/blank emails.



My OS is Linux Redhat 9.

The SpamAssassin version is 3.1.8, and I am using procmail.

I updated SpamAssassin through CPAN.



Thanks in advance for your help.



Eny


Re: PDFText - pdftotext from Xpdf 3.02 limitation

2007-07-17 Thread JT DeLys

> So, although our goal is just, and I don't believe we are "copying" the
> PDF against the spirit of this feature, I don't feel I can point out which
> lines to delete in the pdftotext.cc file before recompiling it :(.
>
> Maybe others can offer this info, or Google can help. For example :
>
> http://www.cs.cmu.edu/~dst/Adobe/Gallery/xpdf-0.93-ro-removed.patch




Ok.  Wisely unhelpful of you.

I'll make sure not to look at / modify / use that patch!

;-)

--
Thanks,

   JTDeLys


Re: FuzzyOcr output

2007-07-17 Thread JT DeLys

> It depends on the versions you have, both FuzzyOcr and perl.
>
> The "use POSIX" is what FO 3.5.1 currently has, and it works fine with perl
> 5.8.7 and 5.8.8, but from my experience, it didn't work with 5.8.6 so I needed
> to add the "use POSIX qw(SIGTERM)" ... but don't make much of what I say, the
> SIGTERM part reminds me of another problem, with signals, and it may have
> nothing to do with the redefinition of O_CREAT/O_RDWR/etc. (that's why I
> included the reference, so you can read the whole thread on the bug report).
> --




Aha.

I've latest Fuzzy-dev (r132) and Perl 588.  I'll leave it alone until I
see/hear otherwise.


--
Thanks,

   JTDeLys


Re: PDFText - pdftotext from Xpdf 3.02 limitation

2007-07-17 Thread James MacLean

Hi JT,

There is the expectation that if the author requested that a PDF not be 
copied, then the PDF is not to be copied. This is done by a password 
protecting mechanism when the PDF is saved and exists in the PDF file. 
The author of Xpdf makes his position known on subverting this feature:


http://www.foolabs.com/xpdf/cracking.html

So, although our goal is just, and I don't believe we are "copying" the 
PDF against the spirit of this feature, I don't feel I can point out 
which lines to delete in the pdftotext.cc file before recompiling it :(.


Maybe others can offer this info, or Google can help. For example :

http://www.cs.cmu.edu/~dst/Adobe/Gallery/xpdf-0.93-ro-removed.patch

JES

JT DeLys wrote, on 17/07/07 10:23 PM:


>> Simple fix here was to compile a _special_ pdftotext to be used for
>> SpamAssassin that would allow parsing of these files :). 
>
> could you share what you did that was 'special'?
>
> config options? other?
>
> --
> Thanks,
>
> JTDeLys 


Re: FuzzyOcr output

2007-07-17 Thread René Berber
JT DeLys wrote:

> sorry, i'm a little confused ...
> 
> iiuc, the fix applies -- at least -- to the NON-svn release.
> 
> but does it ALSO apply to the svn co? is it needed there?
> 
> currently, i have:
> 
>svn up
>At revision 132.
> 
> but, still have 'just'
>grep -i posix FuzzyOcr.pm
>   use POSIX;
> 
> not the advised,
> 
>   use POSIX qw(SIGTERM);

It depends on the versions you have, both FuzzyOcr and perl.

The "use POSIX" is  what FO 3.5.1 currently has, and it works fine with perl
5.8.7 and 5.8.8, but from my experience, it didn't work with 5.8.6 so I needed
to add the "use POSIX qw(SIGTERM)" ... but don't make much of what I say, the
SIGTERM part reminds me of another problem, with signals, and it may have
nothing to do with the redefinition of O_CREAT/O_RDWR/etc. (that's why I
included the reference, so you can read the whole thread on the bug report).
-- 
René Berber



Re: Post cart spams

2007-07-17 Thread Loren Wilton

What a dumb name for software. Does it want to assassin ClamAV?


Isn't assassinating clams against some law somewhere?

   Loren




Re: PDFText - pdftotext from Xpdf 3.02 limitation

2007-07-17 Thread JT DeLys

> Simple fix here was to compile a _special_ pdftotext to be used for
> SpamAssassin that would allow parsing of these files :).




could you share what you did that was 'special'?

config options? other?


--
Thanks,

   JTDeLys


Re: FuzzyOcr output

2007-07-17 Thread JT DeLys

Hi,


> or you can update from SVN that module


sorry, i'm a little confused ...

iiuc, the fix applies -- at least -- to the NON-svn release.

but does it ALSO apply to the svn co? is it needed there?

currently, i have:

  svn up
  At revision 132.

but, still have 'just'
  grep -i posix FuzzyOcr.pm
 use POSIX;

not the advised,

 use POSIX qw(SIGTERM);


--
Thanks,

   JTDeLys


PDFText - pdftotext from Xpdf 3.02 limitation

2007-07-17 Thread James MacLean

Hi Folks,

Noticed that my bodies were not being parsed any more. Found out that 
SPAM was creating PDFs that are copy protected. Xpdf utils from 3.0 
will present the text, but at least 3.02 reports the file is copy 
protected and does not parse it...


Simple fix here was to compile a _special_ pdftotext to be used for 
SpamAssassin that would allow parsing of these files :).


JES


Potential DOS in spamassassin/perl-Net-DNS FW: rPSA-2007-0142-1 perl-Net-DNS

2007-07-17 Thread Michael Scheidell
Don't know if anyone has mentioned this, if so, I missed it.
Potential DOS in spamassassin if perl-Net-DNS < .60. (previously
recommended version was .58)
Freebsd ports has .60, for the last two weeks.

-Original Message-
From: rPath Update Announcements [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 17, 2007 8:12 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: rPSA-2007-0142-1 perl-Net-DNS


rPath Security Advisory: 2007-0142-1
Published: 2007-07-17
Products: rPath Linux 1
Rating: Minor
Exposure Level Classification:
Indirect User Deterministic Denial of Service
Updated Versions:
perl-Net-DNS=/[EMAIL PROTECTED]:devel//1/0.60-1-0.1

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3377
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3409
https://issues.rpath.com/browse/RPL-1537

Description:
Previous versions of the perl-Net-DNS package contained multiple
vulnerabilities: one can lead to DNS cache poisoning, and the other
can result in a Denial of Service triggered by an infinite loop.

Copyright 2007 rPath, Inc.
This file is distributed under the terms of the MIT License.
A copy is available at http://www.rpath.com/permanent/mit-license.html
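The "infinite loop" class of bug the advisory mentions is the one a DNS name decompressor falls into when a compression pointer can be made to point at itself, or at another pointer that points back. As an added illustration, not Net::DNS code and making no claim about how perl-Net-DNS 0.60 fixed it, here is a name decompressor in Python that rejects such packets; the sample packets are constructed by hand.

```python
import struct


class DNSParseError(ValueError):
    """Raised for any malformed name, including compression-pointer loops."""


def expand_name(packet: bytes, offset: int, max_hops: int = 64):
    """Expand the (possibly compressed) domain name at `offset`.

    Returns (name, next_offset), where next_offset is where the caller
    resumes parsing after the name. Two rules make an endless walk impossible:
    a compression pointer must point strictly backwards, and no pointer
    target may be visited twice. A hop budget is kept as a third guard.
    """
    labels = []
    visited = set()
    resume = None                  # offset just past the first pointer, if any
    hops = 0
    while True:
        if offset >= len(packet):
            raise DNSParseError("name runs past end of packet")
        length = packet[offset]
        if length == 0:                               # root label ends the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:                     # 11xxxxxx: compression pointer
            if offset + 1 >= len(packet):
                raise DNSParseError("truncated compression pointer")
            target = struct.unpack_from("!H", packet, offset)[0] & 0x3FFF
            if resume is None:
                resume = offset + 2
            if target >= offset or target in visited:
                raise DNSParseError(f"compression pointer loop at offset {offset}")
            visited.add(target)
            hops += 1
            if hops > max_hops:
                raise DNSParseError("too many compression hops")
            offset = target
            continue
        if length & 0xC0:                             # 01/10 prefixes are not labels
            raise DNSParseError(f"unsupported label type at offset {offset}")
        if offset + 1 + length > len(packet):
            raise DNSParseError("label runs past end of packet")
        try:
            labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        except UnicodeDecodeError:
            raise DNSParseError("non-ASCII label") from None
        if sum(len(lab) + 1 for lab in labels) > 255:
            raise DNSParseError("name longer than 255 octets")
        offset += 1 + length
    return ".".join(labels) or ".", (resume if resume is not None else offset)


def is_malformed(packet: bytes, offset: int) -> bool:
    """True if expand_name() rejects the name at `offset`."""
    try:
        expand_name(packet, offset)
    except DNSParseError:
        return True
    return False


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a dotted name (only used to build samples)."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


# Constructed packets. A 12-byte header (id 0x1234, QR/RD/RA set, 1 question,
# 1 answer) is followed by a question for www.example.com; the answer's owner
# name at offset 33 is the pointer C0 0C back to the question name at offset 12.
HEADER = b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
GOOD_PACKET = (HEADER + encode_name("www.example.com")
               + b"\x00\x01\x00\x01"          # QTYPE A, QCLASS IN
               + b"\xc0\x0c")                 # answer owner name: pointer to 12
# Hostile variants: the name at offset 12 points at itself, or forward to a
# pointer that points back at it. Both would spin a naive decompressor forever.
SELF_LOOP_PACKET = HEADER + b"\xc0\x0c"
FORWARD_LOOP_PACKET = HEADER + b"\xc0\x0e" + b"\xc0\x0c"

if __name__ == "__main__":
    print(expand_name(GOOD_PACKET, 12), expand_name(GOOD_PACKET, 33))
    for pkt in (SELF_LOOP_PACKET, FORWARD_LOOP_PACKET):
        print("rejected:", is_malformed(pkt, 12))
```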


Re: Post cart spams

2007-07-17 Thread Bob McClure Jr
On Wed, Jul 18, 2007 at 03:42:31AM +0300, Jari Fredriksson wrote:
> Bob McClure Jr wrote:
> >I installed clamassassin
> 
> What a dumb name for software. Does it want to assassin ClamAV?

I think its intention was to make ClamAV as easy to use as
SpamAssassin, and it succeeds very well.  I'd also say that's a
compliment to SA, and well deserved, indeed.

> lol
> 
> I don't know it, may be a good one though.

Cheers,
-- 
Bob McClure, Jr. Bobcat Open Systems, Inc.
[EMAIL PROTECTED] http://www.bobcatos.com
Instead of their shame my people will receive a double portion, and
instead of disgrace they will rejoice in their inheritance; and so
they will inherit a double portion in their land, and everlasting joy
will be theirs.  Isaiah 61:7 (NIV)


Re: Post cart spams

2007-07-17 Thread Jari Fredriksson

Bob McClure Jr wrote:
> I installed clamassassin

What a dumb name for software. Does it want to assassin ClamAV?

lol

I don't know it, may be a good one though.




Re: FuzzyOcr output

2007-07-17 Thread René Berber
Wolfgang Zeikat wrote:

> In an older episode (Tuesday, 17. July 2007 21:43), René Berber wrote:
>> Wolfgang Zeikat wrote:
> 
>>> 2. What can I do to solve that?
>> You can add a line to FuzzyOcr.pm :
>>
>> use POSIX;
> 
> That line is already there.

Sorry, I should have said:

use POSIX qw(SIGTERM);

Reference: http://fuzzyocr.own-hero.net/ticket/16
-- 
René Berber



RE: Post cart spams

2007-07-17 Thread Daniel J McDonald
On Tue, 2007-07-17 at 15:33 -0700, John D. Hardin wrote:
> On Tue, 17 Jul 2007, Dan Barker wrote:
> 
> >>http://www.impsec.org/~jhardin/antispam/
> > 
> > I don't see it in that directory. What's the filename?
> 
> postcards.cf
> 
> It takes a short while after I send the email for the file to sync out 
> to the server.

works like a champ for me:

[EMAIL PROTECTED] ~]$ sudo grep -o -P POSTCARD.*?= /var/log/mail/info | sort | uniq -c
    444 POSTCARD_01=
That's in just 2 hours...

Thanks!

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


RE: Post cart spams

2007-07-17 Thread John D. Hardin
On Tue, 17 Jul 2007, Dan Barker wrote:

>>http://www.impsec.org/~jhardin/antispam/
> 
> I don't see it in that directory. What's the filename?

postcards.cf

It takes a short while after I send the email for the file to sync out 
to the server.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Where We Want You To Go Today 07/05/07: Microsoft patents in-OS
  adware architecture incorporating spyware, profiling, competitor
  suppression and delivery confirmation (U.S. Patent #20070157227)
---
 7 days until The 38th anniversary of Apollo 11 landing on the Moon



Re: FuzzyOcr output

2007-07-17 Thread Wolfgang Zeikat
In an older episode (Tuesday, 17. July 2007 21:43), René Berber wrote:
> Wolfgang Zeikat wrote:

> > 2. What can I do to solve that?
>
> You can add a line to FuzzyOcr.pm :
>
> use POSIX;

That line is already there.

>
> or you can update from SVN that module 

Thanks, I think I will test that.

wolfgang



Re: Help with some spamd errors/warnings

2007-07-17 Thread Diego Pomatta

Theo Van Dinter wrote:
> On Tue, Jul 17, 2007 at 01:36:16PM -0300, Diego Pomatta wrote:
>> Now that I got the spamd log working again, I keep seeing these errors:
>> warn: util: secure_tmpfile failed to create file 
>> '/root/tmp/.spamassassin7688bq4Fdstmp': Permission denied  (many times)
>>
>> What I don't get is why it can't write to /root/tmp. I've checked 
>> permissions and it should be able to.
>
> is the child spamd process running as root?  does /root/tmp exist?  is there
> some acl on the directory/etc ?

Yep, they all run as root.

[]# ps -edaf|grep spamd
root      7683     1  0 11:04 ?        00:00:02 /usr/bin/perl5.8.3 -T -w /usr/bin/spamd -l -L -s stderr -r /var/run/spamd.pid --siteconfigpath=/etc/mail/spamassassin --nouser-config --socketpath=/tmp/spamd.sock
qmaill    7684     1  0 11:04 ?        00:00:00 /usr/local/bin/multilog t n20 s100 /var/log/spamd

root     18898  7683  0 14:26 ?        00:00:05 spamd child
root     28538  7683  0 17:04 ?        00:00:00 spamd child

The directory /root/tmp exists
drwxrwx---  11 root root  4096 jul 17 16:57 tmp/

[/]# getfacl root/tmp
# file: root/tmp
# owner: root
# group: root
user::rwx
group::rwx
other::---

>> In any case, what can I do? is that temp file path customizable?
>
> It uses $ENV{'TMPDIR'} or File::Spec->tmpdir() if it's not set.  According to
> the POD, tmpdir() uses $ENV{'TMPDIR'} or "/tmp".  So my guess is that you
> already have TMPDIR set, potentially incorrectly.

Yes I have:
TMP=/root/tmp
TMPDIR=/root/tmp

>> What impact is this having in SA performance or work?
>
> Only non-text parts should be written out to a temp file, so it would
> impact any code that looks at the non-text part data.  This should (iirc)
> be limited to any third party plugins, such as FuzzyOCR, etc.
>
> However, the first failure should be caught but apparently isn't.  Can you
> open a bugzilla ticket about this?  Thanks. :)

Thanks for the explanation.
About the bugzilla ticket... sure, first thing in the morning tomorrow 
when I get back. ;)


/Regards
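As an added example (Unix only, and not SpamAssassin's own secure_tmpfile() code), the Python below resolves the temp directory in the order Theo describes and then attempts the same kind of exclusive, mode 0600 file creation, reporting the errno instead of continuing silently; the ".spamassassin" file-name prefix and the retry count are assumptions.

```python
import errno
import os
import random
import stat
import string
import tempfile


def resolve_tmpdir(env=None) -> str:
    """The lookup order Theo describes: $TMPDIR first; File::Spec->tmpdir() on
    Unix reads $TMPDIR again and otherwise falls back to /tmp."""
    env = os.environ if env is None else env
    return env.get("TMPDIR") or "/tmp"


def secure_tmpfile(directory, prefix=".spamassassin", attempts=20):
    """Create a fresh file the way a secure temp-file routine must: random name,
    O_CREAT|O_EXCL so an existing or pre-planted file is never reused, mode 0600.
    Returns (path, None) on success or (None, errno) on failure. The prefix and
    retry count are assumptions, not SpamAssassin's values."""
    alphabet = string.ascii_letters + string.digits
    for _ in range(attempts):
        name = prefix + "".join(random.choices(alphabet, k=10)) + "tmp"
        path = os.path.join(directory, name)
        try:
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        except FileExistsError:
            continue                       # name collision: pick another name
        except OSError as e:
            return None, e.errno           # EACCES, ENOENT, EROFS ... surface here
        os.close(fd)
        return path, None
    return None, errno.EEXIST


def diagnose(env=None) -> dict:
    """Gather what a 'secure_tmpfile failed to create file ... Permission denied'
    warning usually comes down to: the directory actually chosen, the effective
    uid doing the create, the directory's owner and mode, and whether an
    exclusive create succeeds there right now."""
    directory = resolve_tmpdir(env)
    report = {"tmpdir": directory, "euid": os.geteuid(), "problem": None}
    try:
        st = os.stat(directory)
    except OSError as e:
        report["problem"] = f"stat: {os.strerror(e.errno)}"
        return report
    if not stat.S_ISDIR(st.st_mode):
        report["problem"] = "not a directory"
        return report
    report["owner_uid"] = st.st_uid
    report["mode"] = oct(stat.S_IMODE(st.st_mode))
    # The kernel checks open() against the effective ids, so test those rather
    # than the real ids where the platform allows it (matters after a setuid).
    report["access_ok"] = os.access(
        directory, os.W_OK | os.X_OK,
        effective_ids=os.access in os.supports_effective_ids)
    path, err = secure_tmpfile(directory)
    if path is None:
        report["problem"] = f"create: {os.strerror(err)}"
    else:
        os.unlink(path)
    return report


def demo():
    """Run diagnose() against a fresh scratch directory and a missing one."""
    scratch = tempfile.mkdtemp()
    try:
        ok = diagnose({"TMPDIR": scratch})
    finally:
        os.rmdir(scratch)
    missing = diagnose({"TMPDIR": os.path.join(scratch, "does-not-exist")})
    return ok, missing


if __name__ == "__main__":
    for report in demo():
        print(report)
```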



Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Richard Frovarp

Marc Perkel wrote:
> The idea is that you would close port 25 to consumers as part of the 
> solution. Actually ideally all cable modems and DSL modems should 
> provide NAT and have port 25 closed by default. But it should be 
> settable so people who are sharp can turn off the blocking. But you 
> have to be smart enough to decide to do that.


NAT is bad, mmkay?


Re: Post cart spams

2007-07-17 Thread Bob McClure Jr
On Tue, Jul 17, 2007 at 02:30:05PM -0500, Igor Chudov wrote:
> Ken, I just downloaded clamav, it seems to be a file scanning tool?
> How do you use it from procmail? Thanks a lot!
> 
> i

I installed clamassassin

http://jameslick.com/clamassassin/

and run the daemonized clamd.  Then I call it from the system
/etc/procmailrc this way:

= snip 8<-
PATH=/bin:/usr/bin:/usr/local/bin
# LOGFILE=/var/log/procmail.log
LOGFILE=/dev/null

# Virus trap
:0fw
| /usr/local/bin/clamassassin

:0
* ^X-Virus-Status: Yes
/dev/null
= snip 8<-

Of course you can divert it to some quarantine bin, instead of
/dev/null.

Be sure to set up ClamAV as daemon or stand-alone first, before you
build clamassassin.  clamassassin figures out for itself whether it
needs to call clamscan or clamdscan during the build process.

Cheers,


RE: Post cart spams

2007-07-17 Thread Dan Barker
"It's probably badly mangled by line wrap, so I'm also posting it here:

   http://www.impsec.org/~jhardin/antispam/";

I don't see it in that directory. What's the filename?

Dan



-Original Message-
From: John D. Hardin [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 17, 2007 3:38 PM
To: Igor Chudov
Cc: Spamassassin Mailing List
Subject: Re: Post cart spams

On Tue, 17 Jul 2007, Igor Chudov wrote:

> Anyway, it seems that a lot of these postcard spams are slipping by 
> SA. I wrote a procmail rule to catch them:
> 
> :0
> * ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.* 
> $MAILDIR/rejected
> 
> (that's a folder that I do review periodically)
> 
> I would prefer, however, to use spamassassin instead of homebrew 
> procmail rules, due to fear of false positives. Any idea if there are 
> any rules that I am missing that would help?

Here's what I am using:

describe POSTCARD_01 You got a postcard!
header   POSTCARD_01 Subject =~ /You(?:'ve| have) (?:received )?an? (?:new )?(?:greeting |anonymous )?(?:postcard|e?card) from an? (?:admirer|colleague|family member|friend|mate|neighbou?r|partner|(?:class|school).?(?:friend|mate)|worshipper|anonymous|buddy)/i
score    POSTCARD_01 2.50

It's probably badly mangled by line wrap, so I'm also posting it here:

   http://www.impsec.org/~jhardin/antispam/





Re: FuzzyOcr output

2007-07-17 Thread René Berber
Wolfgang Zeikat wrote:

> in a test installation of FuzzyOcr 3.5.1 in SA 3.1.8 I get the following
> output when running spamassassin < some_message on the command line:
> 
> Subroutine FuzzyOcr::O_CREAT redefined at
> /usr/lib/perl5/5.8.5/Exporter.pm line 65.
>  at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19
> Subroutine FuzzyOcr::O_EXCL redefined at
> /usr/lib/perl5/5.8.5/Exporter.pm line 65.
>  at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19
> Subroutine FuzzyOcr::O_RDWR redefined at
> /usr/lib/perl5/5.8.5/Exporter.pm line 65.
>  at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19
> 
> 1. Is that anything to worry about that should keep me from installing
> that on our productive machines?
> 
> 2. What can I do to solve that?

You can add a line to FuzzyOcr.pm :

use POSIX;

or you can update from SVN that module (along with changes to Scoring.pm, it
solves the unformatted report problem).
-- 
René Berber



Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Kelson

John Rudd wrote:
> 1) Some viruses already know they can put their outbound messages into 
> the Outlook outbound folder.
>
> 2) Viruses can/will adapt by figuring out how to leverage stored 
> SMTP-AUTH configurations.  They can probably pick 3 or 4 implementations 
> to target (Outlook, Thunderbird, Mail, and Eudora) and still be 
> incredibly effective.

Agreed on these two points, but...

> 3) This doesn't stop a virus on a laptop from still hitting port 25 on 
> your server, or on other people's servers, when they are roaming away 
> from your controlled networks.

This is the equivalent of saying it won't help to close your own open 
relay because a spammer/virus can always just use someone else's.

> 4) And then there's all of those mail servers that run on port 2525 to 
> get around these kinds of restrictions.  And if you block 2525, they'll 
> find a new one to use.

Um... so?  If someone tries to send out spam or a virus on port 2525, 
who are they going to reach?  How many potential victims are *listening* 
on port 2525?  Somewhere along the line they're going to have to get to 
a friendly/pwned relay that will send out on port 25.  Anything up to 
that point is just shuffling things around inside the botnet.


--
Kelson Vibber
SpeedGate Communications 


Re: Post cart spams

2007-07-17 Thread Ken A

Igor Chudov wrote:
> Ken, I just downloaded clamav, it seems to be a file scanning tool?
> How do you use it from procmail? Thanks a lot!
>
> i



sorry. I don't know how to use from procmail, but if you want to scan 
for viruses, read the install docs.


--
Ken Anderson
Pacific.Net


Re: Post cart spams

2007-07-17 Thread Loren Wilton

> Ken, I just downloaded clamav, it seems to be a file scanning tool?
> How do you use it from procmail? Thanks a lot!


While you can do that, I think he meant to use it from SA instead, and get 
the 10 point score for these "virus" attempts.


   Loren




Re: Post cart spams

2007-07-17 Thread John D. Hardin
On Tue, 17 Jul 2007, Igor Chudov wrote:

> Anyway, it seems that a lot of these postcard spams are slipping by
> SA. I wrote a procmail rule to catch them: 
> 
> :0
> * ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
> $MAILDIR/rejected
> 
> (that's a folder that I do review periodically) 
> 
> I would prefer, however, to use spamassassin instead of homebrew
> procmail rules, due to fear of false positives. Any idea if there
> are any rules that I am missing that would help?

Here's what I am using:

describe POSTCARD_01 You got a postcard!
header   POSTCARD_01 Subject =~ /You(?:'ve| have) (?:received )?an? (?:new )?(?:greeting |anonymous )?(?:postcard|e?card) from an? (?:admirer|colleague|family member|friend|mate|neighbou?r|partner|(?:class|school).?(?:friend|mate)|worshipper|anonymous|buddy)/i
score    POSTCARD_01 2.50

It's probably badly mangled by line wrap, so I'm also posting it here:

   http://www.impsec.org/~jhardin/antispam/

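As an added example (not from John's post or the SpamAssassin rule set), the POSTCARD_01 Subject regex above as a Python check, run over constructed subjects side by side with Igor's procmail condition from the same thread; it assumes procmail's default case-insensitive matching, and every sample subject is made up.

```python
import re

# John Hardin's POSTCARD_01 Subject regex from the post above, rejoined after
# the mailing-list line wrap; Perl's (?:...), ?, and /i carry over unchanged.
POSTCARD_01 = re.compile(
    r"You(?:'ve| have) (?:received )?an? (?:new )?(?:greeting |anonymous )?"
    r"(?:postcard|e?card) from an? "
    r"(?:admirer|colleague|family member|friend|mate|neighbou?r|partner|"
    r"(?:class|school).?(?:friend|mate)|worshipper|anonymous|buddy)",
    re.IGNORECASE,
)

# Igor Chudov's procmail condition from the same thread, without the
# "^Subject: " header anchor. procmail conditions match case-insensitively
# unless the D flag is given (assumed default), so the same flag is used here.
PROCMAIL_RULE = re.compile(r"you've.*(greeting|ecard|postcard).*from a.*",
                           re.IGNORECASE)


def hits_postcard_01(subject: str) -> bool:
    return POSTCARD_01.search(subject) is not None


def hits_procmail_rule(subject: str) -> bool:
    return PROCMAIL_RULE.search(subject) is not None


def classify(subjects):
    """Map each subject to (SA rule hit, procmail rule hit)."""
    return {s: (hits_postcard_01(s), hits_procmail_rule(s)) for s in subjects}


def disagreements(subjects):
    """Subjects on which the two rules differ: where the looser procmail
    pattern over-matches (false-positive risk) or the stricter SA rule
    misses a rewording."""
    return [s for s, (sa, pm) in classify(subjects).items() if sa != pm]


# Constructed sample subjects; none is taken from a real message.
SAMPLE_SUBJECTS = [
    "You've received a postcard from a family member!",       # both hit
    "You have received an anonymous ecard from a neighbour",  # SA only: no "you've"
    "You've got a postcard from a friend",                    # procmail only: "got" not in SA rule
    "Re: you've seen the postcard from Alice?",               # procmail only: "from A" of "Alice"
    "Your order #12345 has shipped",                          # neither
]

if __name__ == "__main__":
    for subject, (sa, pm) in classify(SAMPLE_SUBJECTS).items():
        print(f"SA={sa!s:5} procmail={pm!s:5}  {subject}")
```

The fourth subject is the false-positive case Igor was worried about: the procmail pattern's trailing "from a" matches the "A" of a sender's name, while the SA rule requires one of its listed nouns after the article.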



Re: Post cart spams

2007-07-17 Thread Duane Hill

On Tue, 17 Jul 2007 at 14:15 -0500, [EMAIL PROTECTED] confabulated:

> I am receiving a huge amount of these spams:
>
> http://igor.chudov.com/tmp/postcard-spam.txt
>
> Just how much I got is totally incredible. I am afraid that the reason
> for the sheer quantity is that I actually did check out the
> website. (I assume a hacked computer)
>
> I knew full well that it was a bad site. But I was not afraid since I
> used Linux. This is some sort of a windows exploit, using metafile
> holes and asking to run an .exe.
>
> But I guess the unique id embedded in the URL noted that I reacted to
> this spam, so I am getting a lot.
>
> Anyway, it seems that a lot of these postcard spams are slipping by
> SA. I wrote a procmail rule to catch them:
>
> :0
> * ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
> $MAILDIR/rejected
>
> (that's a folder that I do review periodically)
>
> I would prefer, however, to use spamassassin instead of homebrew
> procmail rules, due to fear of false positives. Any idea if there are
> any rules that I am missing that would help?


I just ran that message through the install on our filter servers and it 
scored right at 5.0. I've seen a lot being trapped as well. There are a 
very few that slip by.


X-Spam-Status: Reqd:5.0 Hits:5.0 Learn:disabled Tests:DATE_IN_PAST_96_XX=2.32,
  HS_INDEX_PARAM=0.001,NORMAL_HTTP_TO_IP=0.001,STOX_REPLY_TYPE=0.001,
  TVD_FINGER_02=2.72


---
  _|_
 (_| |


Re: is it true about donations?

2007-07-17 Thread Daryl C. W. O'Shea

Gene Heskett wrote:
> I believe the major reason it doesn't work is related to the PayPal TOS.  
> There have been quite a few projects such as this one that have benefitted me 
> directly, and I am willing to donate a small "Hey, great stuff, I appreciate 
> it" message that people could "take to the corner ice cream store".
>
> [snip]
> All I do know is that there really should be a direct "from me to you" funds 
> transfer path that works as well as me handing that $20 bill to you in 
> person.  The feasibility is the next thing to determine...


While not a way to send cash, the Amazon wishlists some of the 
developers have at least guarantee that it's probably something they 
want.  I believe most of the wishlists have at least some stuff starting 
around $10.


http://svn.apache.org/viewvc/spamassassin/trunk/CREDITS?view=markup

I'm not sure how well these work either, though... I don't know if 
anyone has ever received anything from their wishlists.  A few years ago 
I got a book, but that was for spending the better part of a week 
monitoring and fixing (a bug in) a user's spamd server (that they were 
using to sell filtering services).



Daryl




Re: Post cart spams

2007-07-17 Thread Jari Fredriksson

Igor Chudov wrote:
> Ken, I just downloaded clamav, it seems to be a file scanning tool?
> How do you use it from procmail? Thanks a lot!
>
> i

You can use it via Amavis (amavisd-new), or directly via SpamAssassin with 
its ClamAV plugin.

Amavis puts the messages into a quarantine folder, and it shows up as a virus.

The SA plugin adds spam points to the message and it shows up as spam. 



Re: Anyone getting 'OOO" e-mails from Charles Mount?

2007-07-17 Thread Loren Wilton
> Just posted to the list, and got a bounce from Charles Mount. Not 100% 
> sure it's from this list though.
>
> Anyone else?

Yup.

"I will be out of the office starting 07/16/2007 and will not return until
07/18/2007.

I will be out of the office until July 6.  I will respond to your message
when I return."

Huh? 





Re: Post cart spams

2007-07-17 Thread Igor Chudov
Ken, I just downloaded clamav, it seems to be a file scanning tool?
How do you use it from procmail? Thanks a lot!

i


Re: is it true about donations?

2007-07-17 Thread Loren Wilton
> A 2 digit check, on a 5 digit account shouldn't be that big a deal, but with
> PayPal in the handling chain, that 2 digit check has the possibility of
> turning into an empty account, and that's so not going to happen.

1. Get yourself a VisaBucks debit card from some bank providing the 
service.  Transfer in the maximum $500.  (Or $23.72 if you prefer.)

2. Get a Paypal account and attach it to that "credit" card.

3. Use the Paypal button.  Assuming that they are immoral, they can drain 
the account for the entire $23.72 in it.


   Loren




Re: Post cart spams

2007-07-17 Thread Ken A

Igor Chudov wrote:
> I am receiving a huge amount of these spams:
>
> http://igor.chudov.com/tmp/postcard-spam.txt
>
> Just how much I got is totally incredible. I am afraid that the reason
> for the sheer quantity is that I actually did check out the
> website. (I assume a hacked computer)
>
> I knew full well that it was a bad site. But I was not afraid since I
> used Linux. This is some sort of a windows exploit, using metafile
> holes and asking to run an .exe.
>
> But I guess the unique id embedded in the URL noted that I reacted to
> this spam, so I am getting a lot. 
>
> Anyway, it seems that a lot of these postcard spams are slipping by
> SA. I wrote a procmail rule to catch them: 
>
> :0
> * ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
> $MAILDIR/rejected
>
> (that's a folder that I do review periodically) 
>
> I would prefer, however, to use spamassassin instead of homebrew
> procmail rules, due to fear of false positives. Any idea if there are
> any rules that I am missing that would help?
>
> i



clamav is catching these, fwiw.

--
Ken Anderson
Pacific.Net


Post cart spams

2007-07-17 Thread Igor Chudov
I am receiving a huge amount of these spams:

http://igor.chudov.com/tmp/postcard-spam.txt

Just how much I got is totally incredible. I am afraid that the reason
for the sheer quantity is that I actually did check out the
website. (I assume a hacked computer)

I knew full well that it was a bad site. But I was not afraid since I
used Linux. This is some sort of a windows exploit, using metafile
holes and asking to run an .exe.

But I guess the unique id embedded in the URL noted that I reacted to
this spam, so I am getting a lot. 

Anyway, it seems that a lot of these postcard spams are slipping by
SA. I wrote a procmail rule to catch them: 

:0
* ^Subject: you\'ve.*(greeting|ecard|postcard).*from a.*
$MAILDIR/rejected

(that's a folder that I do review periodically) 

I would prefer, however, to use spamassassin instead of homebrew
procmail rules, due to fear of false positives. Any idea if there are
any rules that I am missing that would help?

i


Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread John Rudd

Marc Perkel wrote:
> This would isolate
> viruses and if you can create some significant isolation then the bot 
> armies die out. Viruses are something that can be beaten.

And as people have been pointing out to you, this won't defeat the viruses.


1) Some viruses already know they can put their outbound messages into 
the Outlook outbound folder.


2) Viruses can/will adapt by figuring out how to leverage stored 
SMTP-AUTH configurations.  They can probably pick 3 or 4 implementations 
to target (Outlook, Thunderbird, Mail, and Eudora) and still be 
incredibly effective.


3) This doesn't stop a virus on a laptop from still hitting port 25 on 
your server, or on other people's servers, when they are roaming away 
from your controlled networks.


4) And then there's all of those mail servers that run on port 2525 to 
get around these kinds of restrictions.  And if you block 2525, they'll 
find a new one to use.



If what you want is to keep inside IPs from talking to remote SMTP ports 
(which is different from saying you want to keep customers from talking 
to port 25), then you're going to need to put up a protocol filtering 
firewall that looks at each session to figure out if any of them conform 
to the SMTP protocol (no matter what port it's on) and then interrupts 
the connection when it finds one.  Or, you could have it proxy the 
connection to your own SMTP server.


If you want to stop viruses, then you need to run a virus and/or 
attachment scanner on all of the traffic you're concerned about, no 
matter what its end points are.



The things you're talking about really address the former (and in a poor 
fashion), and don't really address the latter ... yet you're doing it 
under the guise of the latter.


is this known as Bayes poisin

2007-07-17 Thread Jean-Paul Natola

Content analysis details:   (3.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-2.6 BAYES_00               BODY: Bayesian spam probability is 0 to 1%
                            [score: 0.0027]
 0.2 DNS_FROM_RFC_ABUSE     RBL: Envelope sender in abuse.rfc-ignorant.org
 1.6 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see ]
 3.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [64.115.25.140 listed in zen.spamhaus.org]

This is one of those stock emails


Jean-Paul Natola
Network Administrator
Information Technology
Family Care International
588 Broadway Suite 503
New York, NY 10012
Phone:212-941-5300 xt 36
Fax:  212-941-5563
Mailto: [EMAIL PROTECTED]



Re: Help with some spamd errors/warnings

2007-07-17 Thread Theo Van Dinter
On Tue, Jul 17, 2007 at 01:36:16PM -0300, Diego Pomatta wrote:
> Now that I got the spamd log working again, I keep seeing these errors:
> warn: util: secure_tmpfile failed to create file 
> '/root/tmp/.spamassassin7688bq4Fdstmp': Permission denied  (many times)
> 
> and then...
> 
> warn: print() on closed filehandle $tmpfile at 
> /usr/lib/perl5/5.8.3/i386-linux-thread-multi/IO/Handle.pm line 399, 
>  line 929.
> warn: seek() on closed filehandle $tmpfile at 
> /usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Message/Node.pm line 305.
> 
> ...and some more. which I assume are consequence of the first one.

yep.

> What I don't get is why it can't write to /root/tmp. I've checked 
> permissions and it should be able to.

is the child spamd process running as root?  does /root/tmp exist?  is there
some acl on the directory/etc ?

> In any case, what can I do? is that temp file path customizable?

It uses $ENV{'TMPDIR'} or File::Spec->tmpdir() if it's not set.  According to
the POD, tmpdir() uses $ENV{'TMPDIR'} or "/tmp".  So my guess is that you
already have TMPDIR set, potentially incorrectly.

> What impact is this having in SA performance or work?

Only non-text parts should be written out to a temp file, so it would
impact any code that looks at the non-text part data.  This should (iirc)
be limited to any third party plugins, such as FuzzyOCR, etc.

However, the first failure should be caught but apparently isn't.  Can you
open a bugzilla ticket about this?  Thanks. :)

-- 
Randomly Selected Tagline:
"True hackers don't die, their ttl expires" - Unknown
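
As an added example, not code from SpamAssassin or from the post, here is the resolution order Theo describes ($ENV{TMPDIR}, else /tmp) together with the O_CREAT|O_EXCL creation pattern that a secure temp file relies on, written in Python so the first failure is reported instead of a closed handle being used afterwards; the helper names and the self-check directory are constructed for the illustration.

```python
"""TMPDIR resolution and exclusive temp-file creation (added example)."""
import os
import secrets
import stat
import tempfile


def resolve_tmpdir(env=None) -> str:
    """Mirror File::Spec->tmpdir() as described: $ENV{TMPDIR} if set, else /tmp."""
    env = os.environ if env is None else env
    return env.get('TMPDIR') or '/tmp'


def secure_tmpfile(directory: str, prefix: str = '.spamassassin'):
    """Create a fresh 0600 file with O_CREAT|O_EXCL so an existing file or
    symlink at that name makes the open fail instead of being reused.

    Returns (fd, path) on success or (None, reason) on failure; the reason is
    what a caller should log before giving up on the temp file.
    """
    if not os.path.isdir(directory):
        return None, f'{directory}: not a directory or does not exist'
    for _ in range(10):
        path = os.path.join(directory, prefix + secrets.token_hex(6) + 'tmp')
        try:
            fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_EXCL, 0o600)
            return fd, path
        except FileExistsError:
            continue              # name already taken; pick another
        except PermissionError as exc:
            # the case from the post: directory not writable by the spamd child
            return None, f'{path}: {exc.strerror} (euid {os.geteuid()})'
    return None, f'{directory}: no free name after 10 attempts'


def selfcheck() -> dict:
    """Exercise the success and failure paths in a constructed directory."""
    good_dir = tempfile.mkdtemp(prefix='sa-tmp-demo-')
    fd, path = secure_tmpfile(good_dir)
    created = fd is not None
    mode_is_0600 = created and stat.S_IMODE(os.stat(path).st_mode) == 0o600
    if created:
        os.close(fd)
        os.unlink(path)
    missing_reason = secure_tmpfile(os.path.join(good_dir, 'missing'))[1]
    os.rmdir(good_dir)
    return {'created': created,
            'mode_is_0600': mode_is_0600,
            'missing_dir_failed': missing_reason.endswith('does not exist'),
            'default_dir': resolve_tmpdir({}),
            'honours_env': resolve_tmpdir({'TMPDIR': '/root/tmp'})}


if __name__ == '__main__':
    print('spamd would use', resolve_tmpdir())
    print(selfcheck())
```

Running it as the user the spamd child runs as answers Theo's two questions at once: which directory TMPDIR resolves to, and whether that user can actually create a file there.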




Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Marc Perkel



John Rudd wrote:

Robert - eLists wrote:



What stops your customers from submitting to port 25 on your port 25
machines, when they're out roaming (ie. not on an IP address from which
you have blocked port 25 traffic)?



What stops them from submitting on port 25 is admin-ing it so that "no smtp
auth" is available on port 25



That won't stop them from submitting on port 25.  That will stop them 
from relaying through port 25.  So this won't "isolate viruses", as the 
virus can still run rampant through your own user base.


Really.  This isn't an anti-virus solution.  It's an anti-relaying 
solution.




The idea is that you would close port 25 to consumers as part of the 
solution. Actually ideally all cable modems and DSL modems should 
provide NAT and have port 25 closed by default. But it should be 
settable so people who are sharp can turn off the blocking. But you have 
to be smart enough to decide to do that.


The idea is that most people using email are dumb consumers who don't 
know and don't care what a port is. And if the world were set up by 
default to let them talk on port 587 to their SMTP server then they 
don't need to know they don't have port 25 access. This would isolate 
viruses and if you can create some significant isolation then the bot 
armies die out. Viruses is something that can be beaten.




RE: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Robert - eLists
> 
> 
> That won't stop them from submitting on port 25.  That will stop them
> from relaying through port 25.  So this won't "isolate viruses", as the
> virus can still run rampant through your own user base.
> 
> Really.  This isn't an anti-virus solution.  It's an anti-relaying
> solution.

John

I haven't gone back and looked at Perkel's OP.

Just cause you knock on port 25 doesn't mean the email is accepted.

I think we are arguing terminology here now.

In general we do not accept and keep anything on 25 that isn't looked over
and allowed.

i.e. we smtp reject that which we do not allow.

So, then comes up the difference between port 25 relay or not.

i.e. local or not.

Non local email must be relayed somehow.

I think you are correct about relay issue yet not about how port 25 must be
engineered and implemented vs. other smtp port possibilities.

 - rh




FuzzyOcr output

2007-07-17 Thread Wolfgang Zeikat

Hi,

in a test installation of FuzzyOcr 3.5.1 in SA 3.1.8 I get the following 
output when running spamassassin < some_message on the command line:


Subroutine FuzzyOcr::O_CREAT redefined at /usr/lib/perl5/5.8.5/Exporter.pm line 65.
	at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19
Subroutine FuzzyOcr::O_EXCL redefined at /usr/lib/perl5/5.8.5/Exporter.pm line 65.
	at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19
Subroutine FuzzyOcr::O_RDWR redefined at /usr/lib/perl5/5.8.5/Exporter.pm line 65.
	at /usr/lib/perl5/5.8.5/i386-linux-thread-multi/POSIX.pm line 19

1. Is that anything to worry about that should keep me from installing 
that on our productive machines?


2. What can I do to solve that?

Regards,

wolfgang



Help with some spamd errors/warnings

2007-07-17 Thread Diego Pomatta

Hey all,

Now that I got the spamd log working again, I keep seeing these errors:
warn: util: secure_tmpfile failed to create file 
'/root/tmp/.spamassassin7688bq4Fdstmp': Permission denied  (many times)


and then...

warn: print() on closed filehandle $tmpfile at 
/usr/lib/perl5/5.8.3/i386-linux-thread-multi/IO/Handle.pm line 399, 
 line 929.
warn: seek() on closed filehandle $tmpfile at 
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Message/Node.pm line 305.
warn: readline() on closed filehandle $tmpfile at 
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Message/Node.pm line 307.
warn: Use of uninitialized value in substitution (s///) at 
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Util.pm line 602.
warn: Use of uninitialized value in length at 
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Util.pm line 603.
warn: Use of uninitialized value in pattern match (m//) at 
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Util.pm line 603.
warn: Use of uninitialized value in transliteration (tr///) at 
/usr/lib/perl5/site_perl/5.8.3/Mail/SpamAssassin/Util.pm line 620.


...and some more. which I assume are consequence of the first one.
What I don't get is why it can't write to /root/tmp. I've checked 
permissions and it should be able to.

In any case, what can I do? is that temp file path customizable?
What impact is this having in SA performance or work?

SA 3.2.1 - Simscan 1.3.1 - qmail 1.05
Thanks in advance!
/Regards


Re: Errors with PDFInfo.pm

2007-07-17 Thread Wolfgang Zeikat

Hi Dallas,

On 07/17/07 15:17, Dallas Engelken wrote:

Wolfgang Zeikat wrote:

Line 272 is (after the earlier changes):
dbg("pdfinfo: MD5 results for ".($name ? $name : '')." - md5=$md5 
fuzzy1=$fuzzy_md5 fuzzy2=$tags_md5");


Line 283 is:
$pms->{pdfinfo}->{fuzzy_md5}->{$tags_md5} = 1;



I'd say $tags_md5 is undef then which is odd because if it made it 
that far, then the message has a pdf in it and all pdfs have tag 
structures.


as far as I can tell from our logs, there are not necessarily pdf's 
involved each time the warnings occur.




Got samples that make that warn appear?


Yup, I have found one sample with pdf that triggers the warnings, I will 
send it to you off list.


Thanks and best regards,

wolfgang




Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Richard Frovarp

Robert - eLists wrote:

John

What stops them from submitting on port 25 is admin-ing it so that "no smtp
auth" is available on port 25

And, isn't port 465 designated for ssl and smtp auth ?

 - rh


465 is SSL, but it isn't the port you should be using. Do TLS via 587 or 
25. I can't remember the problem with 465, I think it's mostly just a 
thing that MS uses and is supposed to be phased out in favor of TLS for 
general use.


Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread bgodette
John Rudd wrote:
> things on the anti-virus side ... especially once virus authors figure 
> out how to extract passwords from locally installed mail clients.

Already exists, however the most recent instance we saw was most likely
 injecting messages into OE's outbox instead of using locally stored
settings.


Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread John Rudd

Robert - eLists wrote:



What stops your customers from submitting to port 25 on your port 25
machines, when they're out roaming (ie. not on an IP address from which
you have blocked port 25 traffic)?



What stops them from submitting on port 25 is admin-ing it so that "no smtp
auth" is available on port 25



That won't stop them from submitting on port 25.  That will stop them 
from relaying through port 25.  So this won't "isolate viruses", as the 
virus can still run rampant through your own user base.


Really.  This isn't an anti-virus solution.  It's an anti-relaying solution.


RE: How to get Spam report in header?

2007-07-17 Thread Koopmann, Jan-Peter
AFAIK: No there is no way.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]

Sent: Tuesday, July 17, 2007 5:32 PM
To: users@spamassassin.apache.org; [EMAIL PROTECTED]
Subject: How to get Spam report in header?

 

We use MailScanner and Spamassassin. 

Our email has a header line as follows: 

X-BakerBotts-MailScanner-SpamCheck: not spam (whitelisted), 
SpamAssassin (not cached, score=-4.4, required 5, autolearn=not
spam, 
BAYES_00 -0.40, RCVD_IN_DNSWL_MED -4.00) 

Is it possible to include the 'Spam-Report' as in the example below? 

 



RE: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Robert - eLists


> 
> What stops your customers from submitting to port 25 on your port 25
> machines, when they're out roaming (ie. not on an IP address from which
> you have blocked port 25 traffic)?
> 
> That's part of what I was saying.  Simply segregating which IPs are
> blocked for port 25 isn't going to help.  You either have to restrict
> roaming (bad) or you have to accept that they might connect to you on
> port 25 when they're roaming.
> 
> IMO, SMTP-AUTH is a better arbiter of "is my user or isn't my user" than
> what port they used or what IP address they are or aren't on.
> Segregating by IP is pretty useless, except in whitelisting the machines
> you directly manage.  And I certainly don't use it as a part of virus
> control.
> 

John

What stops them from submitting on port 25 is admin-ing it so that "no smtp
auth" is available on port 25

And, isn't port 465 designated for ssl and smtp auth ?

 - rh



How to get Spam report in header?

2007-07-17 Thread donald.dawson
We use MailScanner and Spamassassin.

Our email has a header line as follows:

X-BakerBotts-MailScanner-SpamCheck: not spam (whitelisted),
SpamAssassin (not cached, score=-4.4, required 5, autolearn=not
spam,
BAYES_00 -0.40, RCVD_IN_DNSWL_MED -4.00)

Is it possible to include the 'Spam-Report' as in the example below?

X-Spam-Status: Yes, score=9.7 required=6.0 tests=DCC_CHECK,DIGEST_MULTIPLE,
        RAZOR2_CF_RANGE_51_100,RAZOR2_CF_RANGE_E4_51_100,RAZOR2_CHECK,
        RCVD_IN_NJABL_DUL,RCVD_IN_WHOIS_INVALID,UNPARSEABLE_RELAY autolearn=no
        version=3.1.8, No
X-Spam-Report:
        * 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
        * 0.5 RAZOR2_CHECK Listed in Razor2 (http://razor.sf.net/)
        * 1.5 RAZOR2_CF_RANGE_E4_51_100 Razor2 gives engine 4 confidence level above 50%
        *      [cf: 54]
        * 0.5 RAZOR2_CF_RANGE_51_100 Razor2 gives confidence level above 50%
        *      [cf: 54]
        * 1.4 DCC_CHECK Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
        * 2.2 RCVD_IN_WHOIS_INVALID RBL: CompleteWhois: sender on invalid IP block
        *      [218.81.195.107 listed in combined-HIB.dnsiplists.completewhois.com]
        * 1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
        *      [218.81.195.107 listed in combined.njabl.org]
        * 2.0 DIGEST_MULTIPLE Message hits more than one network digest check

Thanks,
Donald

Donald Dawson
Security Administrator
Baker Botts L.L.P.
713-229-2183



Re: Anyone getting 'OOO" e-mails from Charles Mount?

2007-07-17 Thread Vivek Khera
there are gazillions of b0rked autoresponders in the world.  you just
stumbled upon one of them. they are not nearly as vile as
spambots, but still annoying.


On Jul 17, 2007, at 10:30 AM, Evan Platt wrote:

Just posted to the list, and got a bounce from Charles Mount. Not  
100% sure it's from this list though.


Anyone else?

"I will be out of the office starting  07/16/2007 and will not return until
07/18/2007.

I will be out of the office until July 6.  I will respond to your message
when I return."

Huh?





Re: Anyone getting 'OOO" e-mails from Charles Mount?

2007-07-17 Thread Evan Platt

At 07:39 AM 7/17/2007, JT DeLys wrote:
Yes, and now we're getting emails ABOUT his OOO message.  Please 
just use a filter, rather than re-broadcasting. Thanks.  :-(



Umm.. No reason to cop an attitude.

As there was no 'indication' that the message originated from my post 
to SpamAssassin, I wasn't sure if it was from my post to 
spamassassin, or my post to any of the other lists I posted to this morning.
The subject was changed, and there was no header I could see to 
indicate it came from my post to SpamAssassin.


So now I ask the moderator to please unsub or put Mr. Mount on Vacation hold.

Thanks. 



Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Len Conrad
Port 587 is the mail submission port.  That port should  accept mail 
only after SMTP AUTH, no matter whether the submitter is on "my 
networks" or roaming.  What's the point of accepting unauthenticated 
submission on port 587 (or any port)?


Port 25 is the mail relay port (no authentication for MTA-MTA 
relaying), which has been abused by letting unauthenticated mail be 
_submitted_ there.  If a mail admin is still accepting 
unauthenticated submissions on any port, he should be relieved of his job.


I can't believe this problem is still being discussed, or that it's 
still a problem.


Len



Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread John Rudd

Marc Perkel wrote:



John Rudd wrote:

Marc Perkel wrote:



Jari Fredriksson wrote:

[EMAIL PROTECTED] wrote:

If port 25 were blocked from consumers and they were forced to talk to
servers on port 587, even without authentication, then a server could
distinguish consumers from other servers. I think this kind of
configuration could be used to help isolate virus infected computers
from spamming and spreading.


What would prevent virus infected computers from using the port 587 
of that would be the common usage?




What would prevent it is that if you use separate servers or separate 
IP addresses for email that you are receiving from other servers 
than the ones that you use for outgoing customers then port 587 would 
be closed. 587 would only be open for customers (usually 
authenticated) on machine sending, not receiving email. Port 25 would 
become a server to server port and 587 would be a user to server 
port. Users would have port 25 blocked so they can't talk to the 
server to server traffic.




So, what about your customers who are out roaming, using random 
hot-spots at cafe's, with their laptops, who want to send an outgoing 
email using the same client that they use when their laptop is at home?


Why can't they connect to the same mail server, using the same port 
they always do, using SMTP-AUTH to prove who they are, and thus send 
their outbound email.  If you make them change ports just because 
they're roaming, then you're making their mail server configurations 
needlessly complicated.


Yet, because they're on an IP you don't own (and that they don't own, 
depending on how you register your "customer IP's"), you can't easily 
detect whether or not they're your customer until they do the 
SMTP-AUTH.  So blocking 587 to IPs that aren't known to you will keep 
your customers from having roaming laptops, smart cell phones, etc.   
And blocking port 25 to IPs that are known to you won't keep your 
customers from trying port 25 (if they happen to be out roaming).


Roaming users are a reality that every non-trivial mail service needs 
to support.




I think you aren't understanding what I'm talking about. I have a server 
for outgoing email for roaming people with laptops with port 587 open so 
they can send email from anywhere. I have several other servers that are 
used as incoming email servers to accept email from the internet for 
1600 domains and on those servers port 587 is closed because there is no 
reason for end users to talk to that server directly. The idea is to 
force outgoing consumer email to port 587 and server to server email on 
port 25. Then you can block port 25 for consumers so their viruses 
aren't hitting my incoming servers.



What stops your customers from submitting to port 25 on your port 25 
machines, when they're out roaming (ie. not on an IP address from which 
you have blocked port 25 traffic)?


That's part of what I was saying.  Simply segregating which IPs are 
blocked for port 25 isn't going to help.  You either have to restrict 
roaming (bad) or you have to accept that they might connect to you on 
port 25 when they're roaming.


IMO, SMTP-AUTH is a better arbiter of "is my user or isn't my user" than 
what port they used or what IP address they are or aren't on. 
Segregating by IP is pretty useless, except in whitelisting the machines 
you directly manage.  And I certainly don't use it as a part of virus 
control.





Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread John Rudd

Richard Frovarp wrote:



You could just as well lock down 25 on your outgoing and call it good. 
Only problem is 25 is blocked at the edge of some networks and your users 
won't be able to send to you. There is nothing inherently more secure 
about using the submission port.



The things being discussed are useful for controlling relaying, but 
they're not what I use for containing viruses.  Trying to segregate some 
networks into "port 25 only" and others into "port 587 only" will 
prevent roaming users (a bad thing to prevent), and won't really improve 
things on the anti-virus side ... especially once virus authors figure 
out how to extract passwords from locally installed mail clients.


What I do for containing viruses is:

1) block all dangerous attachments (.com, .exe, etc.).  I block them 
during the SMTP session.  The only one that's really heavily been used 
by known viruses, that I haven't blocked, is .zip.  For .zip, I block 
encrypted/password-protected .zip files, but let plain .zip files through.


2) virus scan _everything_ (SMTP-AUTH or not).  I block detected viruses 
during the SMTP session.


I do it in that order, so that the easier/lighter-cpu-weight check is 
done before the heavier-cpu-weight check.
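
As an added example (not code from the post), the Python below applies that two-stage policy in the same order: a filename block-list that needs no decoding, then a look at the general-purpose flag bits of any .zip part so password-protected archives are rejected while plain ones pass on to the virus scanner. The extension list and the sample messages are constructed for the illustration; the encrypted zip is built by setting the encryption flag bit by hand because Python's zipfile module cannot write encrypted archives.

```python
"""Attachment policy: cheap extension check first, zip inspection second (added example)."""
import io
import struct
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

# Assumed block-list for illustration; a site tunes this to its own policy.
DANGEROUS_EXTENSIONS = {'.com', '.exe', '.scr', '.pif', '.bat', '.cmd', '.vbs', '.js'}


def zip_is_encrypted(data: bytes) -> bool:
    """True if any member sets general-purpose flag bit 0 (ZipCrypto or AES)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & 0x1 for info in zf.infolist())
    except zipfile.BadZipFile:
        # Design choice: an archive that cannot be parsed is treated like an encrypted one.
        return True


def attachment_verdict(raw: bytes):
    """Return (verdict, reason). Pass 1 only reads filenames; pass 2 decodes .zip parts."""
    msg = message_from_bytes(raw)
    parts = [p for p in msg.walk() if p.get_filename()]
    for part in parts:                                  # pass 1: extension block-list
        name = part.get_filename().lower()
        ext = '.' + name.rsplit('.', 1)[1] if '.' in name else ''
        if ext in DANGEROUS_EXTENSIONS:
            return 'reject', f'blocked attachment type {ext}: {part.get_filename()}'
    for part in parts:                                  # pass 2: archive headers
        if part.get_filename().lower().endswith('.zip'):
            if zip_is_encrypted(part.get_payload(decode=True) or b''):
                return 'reject', f'password-protected archive: {part.get_filename()}'
    return 'accept', 'no attachment policy hit; hand off to the virus scanner'


def build_message(filename: str, payload: bytes) -> bytes:
    """Constructed sample message with one attachment (not real mail)."""
    msg = EmailMessage()
    msg['From'] = 'sender@example.org'
    msg['To'] = 'user@example.net'
    msg['Subject'] = 'constructed sample'
    msg.set_content('see attachment')
    msg.add_attachment(payload, maintype='application', subtype='octet-stream',
                       filename=filename)
    return msg.as_bytes()


def make_zip(encrypted: bool) -> bytes:
    """Constructed zip; the encryption flag is set by hand in both headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('readme.txt', 'hello')
    data = bytearray(buf.getvalue())
    if encrypted:
        # flags live at offset 6 of the local file header and offset 8 of the
        # central directory entry; bit 0 means "member is encrypted"
        for sig, off in ((b'PK\x03\x04', 6), (b'PK\x01\x02', 8)):
            pos = data.find(sig) + off
            struct.pack_into('<H', data, pos, struct.unpack_from('<H', data, pos)[0] | 0x1)
    return bytes(data)


if __name__ == '__main__':
    for label, raw in (('double extension', build_message('invoice.pdf.exe', b'MZ\x90\x00')),
                       ('encrypted zip', build_message('docs.zip', make_zip(True))),
                       ('plain zip', build_message('docs.zip', make_zip(False))),
                       ('text file', build_message('notes.txt', b'hello'))):
        print(label, attachment_verdict(raw))
```

The two passes are deliberately separate: pass 1 rejects on the declared filename before any body decoding, and only parts that survive it are base64-decoded and parsed in pass 2, which is the "lighter check before heavier check" ordering from the post.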






Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Marc Perkel



John Rudd wrote:

Marc Perkel wrote:



Jari Fredriksson wrote:

[EMAIL PROTECTED] wrote:

If port 25 were blocked from consumers and they were forced to talk to
servers on port 587, even without authentication, then a server could
distinguish consumers from other servers. I think this kind of
configuration could be used to help isolate virus infected computers
from spamming and spreading.


What would prevent virus infected computers from using the port 587 
of that would be the common usage?




What would prevent it is that if you use separate servers or separate 
IP addresses for email that you are receiving from other servers 
than the ones that you use for outgoing customers then port 587 would 
be closed. 587 would only be open for customers (usually 
authenticated) on machine sending, not receiving email. Port 25 would 
become a server to server port and 587 would be a user to server 
port. Users would have port 25 blocked so they can't talk to the 
server to server traffic.




So, what about your customers who are out roaming, using random 
hot-spots at cafe's, with their laptops, who want to send an outgoing 
email using the same client that they use when their laptop is at home?


Why can't they connect to the same mail server, using the same port 
they always do, using SMTP-AUTH to prove who they are, and thus send 
their outbound email.  If you make them change ports just because 
they're roaming, then you're making their mail server configurations 
needlessly complicated.


Yet, because they're on an IP you don't own (and that they don't own, 
depending on how you register your "customer IP's"), you can't easily 
detect whether or not they're your customer until they do the 
SMTP-AUTH.  So blocking 587 to IPs that aren't known to you will keep 
your customers from having roaming laptops, smart cell phones, etc.   
And blocking port 25 to IPs that are known to you won't keep your 
customers from trying port 25 (if they happen to be out roaming).


Roaming users are a reality that every non-trivial mail service needs 
to support.




I think you aren't understanding what I'm talking about. I have a server 
for outgoing email for roaming people with laptops with port 587 open so 
they can send email from anywhere. I have several other servers that are 
used as incoming email servers to accept email from the internet for 
1600 domains and on those servers port 587 is closed because there is no 
reason for end users to talk to that server directly. The idea is to 
force outgoing consumer email to port 587 and server to server email on 
port 25. Then you can block port 25 for consumers so their viruses 
aren't hitting my incoming servers.


Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread John Rudd

Marc Perkel wrote:



Jari Fredriksson wrote:

[EMAIL PROTECTED] wrote:

If port 25 were blocked from consumers and they were forced to talk to
servers on port 587, even without authentication, then a server could
distinguish consumers from other servers. I think this kind of
configuration could be used to help isolate virus infected computers
from spamming and spreading.


What would prevent virus infected computers from using the port 587 of 
that would be the common usage?




What would prevent it is that if you use separate servers or separate IP 
addresses for email that you are receiving from other servers than the 
ones that you use for outgoing customers then port 587 would be closed. 
587 would only be open for customers (usually authenticated) on machine 
sending, not receiving email. Port 25 would become a server to server 
port and 587 would be a user to server port. Users would have port 25 
blocked so they can't talk to the server to server traffic.




So, what about your customers who are out roaming, using random 
hot-spots at cafe's, with their laptops, who want to send an outgoing 
email using the same client that they use when their laptop is at home?


Why can't they connect to the same mail server, using the same port they 
always do, using SMTP-AUTH to prove who they are, and thus send their 
outbound email.  If you make them change ports just because they're 
roaming, then you're making their mail server configurations needlessly 
complicated.


Yet, because they're on an IP you don't own (and that they don't own, 
depending on how you register your "customer IP's"), you can't easily 
detect whether or not they're your customer until they do the SMTP-AUTH. 
 So blocking 587 to IPs that aren't known to you will keep your 
customers from having roaming laptops, smart cell phones, etc.   And 
blocking port 25 to IPs that are known to you won't keep your customers 
from trying port 25 (if they happen to be out roaming).


Roaming users are a reality that every non-trivial mail service needs to 
support.




Anyone getting 'OOO" e-mails from Charles Mount?

2007-07-17 Thread Evan Platt
Just posted to the list, and got a bounce from Charles Mount. Not 
100% sure it's from this list though.


Anyone else?

"I will be out of the office starting  07/16/2007 and will not return until
07/18/2007.

I will be out of the office until July 6.  I will respond to your message
when I return."

Huh?



Re: Errors with PDFInfo.pm

2007-07-17 Thread Dallas Engelken

Wolfgang Zeikat wrote:

Hello again,

On 07/12/07 16:22, Dallas Engelken wrote:

Wolfgang Zeikat wrote:
I noticed that some of the latest pdf spam mails do not contain a 
filename in the mime headers, could that be a reason for the above 
behaviour?



Possibly, but seeing that line 300 is just a dbg() line itself, you 
can either comment it out, or change it to something that will not 
throw a warn.


   # dbg("pdfinfo: found part, type=$type file=$name cte=$cte");
   dbg("pdfinfo: found part, type=".($type ? $type : '')." 
file=".($name ? $name : '')." cte=".($cte ? $cte : '')."");




Thanks, that fixed those. Lately, I see a lot of:
Jul 17 14:27:10 spamlock2 spamd[9786]: Use of uninitialized value in 
concatenation (.) or string at /etc/mail/spamassassin/PDFInfo.pm line 
272,  line 1579.
Jul 17 14:27:10 spamlock2 spamd[9786]: Use of uninitialized value in 
hash element at /etc/mail/spamassassin/PDFInfo.pm line 283,  
line 1579.


Line 272 is (after the earlier changes):
dbg("pdfinfo: MD5 results for ".($name ? $name : '')." - md5=$md5 
fuzzy1=$fuzzy_md5 fuzzy2=$tags_md5");


Line 283 is:
$pms->{pdfinfo}->{fuzzy_md5}->{$tags_md5} = 1;



I'd say $tags_md5 is undef then which is odd because if it made it 
that far, then the message has a pdf in it and all pdfs have tag 
structures.


Got samples that make that warn appear?

--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com



Re: Why "unsolicited bulk e-mail" ?

2007-07-17 Thread Daniel J McDonald
On Tue, 2007-07-17 at 14:44 +0200, Salvatore wrote:
> Hi,
> I have a problem when I send mail to a mail address, my mail is considered
> "unsolicited bulk e-mail" but I don't know for what motive, when I send mail
> then I receive this report:
> 
> Your message to:
> -> [EMAIL PROTECTED]
> 
> was considered unsolicited bulk e-mail (UBE).
[...]
> X-Virus-Scanned: Maia Mailguard 1.0.1
> X-Spam-Status: Yes, hits=2.435 tag=2 tag2=2 kill=2 tests=[AWL=-0.677,
>  BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, FORGED_RCVD_HELO=0.135,
>  HTML_MESSAGE=0.001, NO_REAL_NAME=0.961, SUBJECT_ENCODED_TWICE=1.723,
>  TVD_FW_GRAPHIC_NAME_LONG=1.8]
> X-Spam-Score: 2.435

Kill level of 2?  He apparently doesn't want to communicate with
anyone. 

But you can lower your score easily, just by adding a "real name" to
your e-mail address. Instead of 
> From: <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>

do:
> From: "Tech support" <[EMAIL PROTECTED]>

Then your message will only score 1.5, and it will be below the fellow's
ridiculously low scoring threshold.


-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
Austin Energy
http://www.austinenergy.com


Re: Why "unsolicited bulk e-mail" ?

2007-07-17 Thread Evan Platt

X-Spam-Status: Yes, hits=2.435 tag=2 tag2=2 kill=2 tests=[AWL=-0.677,
BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, FORGED_RCVD_HELO=0.135,
HTML_MESSAGE=0.001, NO_REAL_NAME=0.961, SUBJECT_ENCODED_TWICE=1.723,
TVD_FW_GRAPHIC_NAME_LONG=1.8]
X-Spam-Score: 2.435


They're calling messages SPAM at a score of 2, which is WAY too 
low.  Adding a real name will bring you up .961 points, removing html 
will bring you up .001, a plain english subject will bring it up 1.723.


At 05:44 AM 7/17/2007, Salvatore wrote:

Hi,
I have a problem when I send mail to a mail address, my mail is considered
"unsolicited bulk e-mail" but I don't know for what motive, when I send mail
then I receive this report:

Your message to:
-> [EMAIL PROTECTED]

was considered unsolicited bulk e-mail (UBE).
Subject:
=3D?iso-8859-1?Q?Richiesta_di_assistenza_Ticket_n=3DB0_000171_del_17/07/2?=3D
=3D?iso-8859-1?Q?007_10.53.47?=3D
Return-Path: <[EMAIL PROTECTED]>
Our internal reference code for your message is 01934-08/l28j1ddeuGO8.

Delivery of the email was stopped!

Received: from localhost.localdomain (mail [127.0.0.1])
by mail.domain.it (Postfix) with ESMTP id 3A82F2F06B9
for <[EMAIL PROTECTED]>; Tue, 17 Jul 2007 11:56:41 +0200 (CEST)
Received: from localhost ([EMAIL PROTECTED])
by localhost.localdomain (8.13.1/8.13.1/Submit) with SMTP id l6H9ufoY002643
for [EMAIL PROTECTED]; Tue, 17 Jul 2007 11:56:41 +0200
Delivered-To: spam-quarantine
X-Envelope-From: <[EMAIL PROTECTED]>
X-Envelope-To: <[EMAIL PROTECTED]>
X-Quarantine-Id: 
Received: from localhost.localdomain (mail [127.0.0.1])
by mail.domain.it (Postfix) with ESMTP id A53CC2F06B9
for <[EMAIL PROTECTED]>; Tue, 17 Jul 2007 11:48:54 +0200 (CEST)
Received: from localhost ([EMAIL PROTECTED])
by localhost.localdomain (8.13.1/8.13.1/Submit) with SMTP id l6H9mrfR002463
for [EMAIL PROTECTED]; Tue, 17 Jul 2007 11:48:54 +0200
Delivered-To: spam-quarantine
X-Envelope-From: <[EMAIL PROTECTED]>
X-Envelope-To: <[EMAIL PROTECTED]>
X-Quarantine-Id: 
Received: from mail.mydomain.com (89-xx-xx-xx.ipxx.fastwebnet.it
[89.xx.xx.xx])
by mail.domain.it (Postfix) with ESMTP id A10A62F0B09
for <[EMAIL PROTECTED]>; Tue, 17 Jul 2007 10:53:50 +0200 (CEST)
Received: from localhost (localhost.localdomain [127.0.0.1])
by mail.mydomain.com (Postfix) with ESMTP id EF984ED052D
for <[EMAIL PROTECTED]>; Tue, 17 Jul 2007 10:53:49 +0200 (CEST)
Received: from mail.mydomain.com ([127.0.0.1])
by localhost (mail [127.0.0.1]) (amavisd-new, port 10024) with ESMTP
id 19052-05 for <[EMAIL PROTECTED]>;
Tue, 17 Jul 2007 10:53:48 +0200 (CEST)
Received: from commerce (www.mydomain.com [10.0.1.1])
by mail.mydomain.com (Postfix) with ESMTP id 1E5BCED0520
for <[EMAIL PROTECTED]>; Tue, 17 Jul 2007 10:53:48 +0200 (CEST)
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject:
=?iso-8859-1?Q?Richiesta_di_assistenza_Ticket_n=B0_000171_del_17/07/2?=
=?iso-8859-1?Q?007_10.53.47?=
Date: Tue, 17 Jul 2007 10:53:48 +0200
Message-ID: <[EMAIL PROTECTED]>
MIME-Version: 1.0
Content-Type: multipart/related;
type="multipart/alternative";
boundary="=_NextPart_000_0094_01C7C860.C043E880"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft CDO for Windows 2000
Thread-Index: AcfIT/y4v99Au4C8Q/qSvtwaMH1wIg==
Content-Class: urn:content-classes:message
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1896
X-Virus-Scanned: Maia Mailguard 1.0.1
X-Spam-Status: Yes, hits=2.435 tag=2 tag2=2 kill=2 tests=[AWL=-0.677,
BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, FORGED_RCVD_HELO=0.135,
HTML_MESSAGE=0.001, NO_REAL_NAME=0.961, SUBJECT_ENCODED_TWICE=1.723,
TVD_FW_GRAPHIC_NAME_LONG=1.8]
X-Spam-Score: 2.435
X-Spam-Level: **
X-Spam-Flag: YES
X-Spam-Status: Yes, hits=2.496 tag=2 tag2=2 kill=2 tests=[AWL=-0.616,
BAYES_00=-2.599, EXTRA_MPART_TYPE=1.091, FORGED_RCVD_HELO=0.135,
HTML_MESSAGE=0.001, NO_REAL_NAME=0.961, SUBJECT_ENCODED_TWICE=1.723,
TVD_FW_GRAPHIC_NAME_LONG=1.8]
X-Spam-Score: 2.496
X-Spam-Level: **
X-Spam-Flag: YES

..in the attachment I receive:

Reporting-MTA: dns; mail
Received-From-MTA: smtp; mail.domain.it ([127.0.0.1])
Arrival-Date: Tue, 17 Jul 2007 11:56:42 +0200 (CEST)
Final-Recipient: rfc822; [EMAIL PROTECTED]
Action: failed
Status: 5.7.1
Diagnostic-Code: smtp; 550 5.7.1 Message content rejected, UBE, id=01934-08
Last-Attempt-Date: Tue, 17 Jul 2007 11:56:46 +0200 (CEST)

Thanks.

--
Salvatore.




Re: Errors with PDFInfo.pm

2007-07-17 Thread Wolfgang Zeikat

Hello again,

On 07/12/07 16:22, Dallas Engelken wrote:

Wolfgang Zeikat wrote:
I noticed that some of the latest pdf spam mails do not contain a 
filename in the mime headers, could that be a reason for the above 
behaviour?



Possibly, but seeing that line 300 is just a dbg() line itself, you can 
either comment it out, or change it to something that will not throw a 
warn.


   # dbg("pdfinfo: found part, type=$type file=$name cte=$cte");
   dbg("pdfinfo: found part, type=".($type ? $type : '')." file=".($name ? $name : '')." cte=".($cte ? $cte : ''));




Thanks, that fixed those. Lately, I see a lot of:
Jul 17 14:27:10 spamlock2 spamd[9786]: Use of uninitialized value in 
concatenation (.) or string at /etc/mail/spamassassin/PDFInfo.pm line 
272,  line 1579.
Jul 17 14:27:10 spamlock2 spamd[9786]: Use of uninitialized value in 
hash element at /etc/mail/spamassassin/PDFInfo.pm line 283,  
line 1579.


Line 272 is (after the earlier changes):
dbg("pdfinfo: MD5 results for ".($name ? $name : '')." - md5=$md5 fuzzy1=$fuzzy_md5 fuzzy2=$tags_md5");


Line 283 is:
$pms->{pdfinfo}->{fuzzy_md5}->{$tags_md5} = 1;

Regards,

wolfgang



Re: Re Thoughts on Isolating Viruses - Port 587 Submission

2007-07-17 Thread Richard Frovarp

Jari Fredriksson wrote:

[EMAIL PROTECTED] wrote:

If port 25 were blocked from consumers and they were forced to talk to
servers on port 587, even without authentication, then a server could
distinguish consumers from other servers. I think this kind of
configuration could be used to help isolate virus infected computers
from spamming and spreading.


What would prevent virus-infected computers from using port 587 if 
that were the common usage?




Nothing. You should be running your outgoing SMTP with authentication 
and encryption. So the virus sending code wouldn't know what the user 
name and password is to get through. The software could of course sniff 
the password out of the email applications running and share user name 
and passwords for those machines on the same network. Not everyone is 
going to have an email client they use, but ISPs don't care which IP the 
user name and password came from.


You could just as well lock down 25 on your outgoing and call it good. 
The only problem is that 25 is blocked at the edge of some networks and your users 
won't be able to send to you. There is nothing inherently more secure 
about using the submission port.




exim and spamd -vs- commandline spamassassin -t: why do the scores vary?

2007-07-17 Thread Paul Griffith


Greetings,

I am trying to track down why some spam is scoring the way it is. Take a  
look at the sample header at the end of the e-mail.


Using spamd and exim I will get a score of 2.6, but if I call  
spamassassin from the command line I get a score of 8.1.


via exim/spamd

X-Spam-Checker-Version: SpamAssassin 3.2.1 (2007-05-02) on bronze.cs.yorku.ca

X-Spam-Level: **
X-Spam-Status: No, score=2.6 required=2.7 tests=DATE_IN_PAST_03_06,
DRUGS_ERECTILE,RCVD_IN_PBL,RDNS_NONE,STOX_REPLY_TYPE autolearn=disabled
version=3.2.1

via commandline

spamassassin -t < spam1.mbs

Content analysis details:   (8.1 points, 2.7 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 STOX_REPLY_TYPE        STOX_REPLY_TYPE
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 0.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [84.222.168.64 listed in zen.spamhaus.org]
 4.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.4 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.6 DRUGS_ERECTILE         Refers to an erectile drug


This is not the first time this has happened. I have four spam e-mails  
that are scored 1.8 via spamd and exim, but on the  
commandline with spamassassin -t < spam-email I get a score of 23.


Any tips or pointers ?



---
From: "Adan Chambers" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Order Viagra N0_PRES needed with fast shipping!
Date: Mon, 16 Jul 2007 11:44:54 -0400
MIME-Version: 1.0
Content-Type: text/plain;
format=flowed;
charset="windows-1250"
reply-type=original
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2900.2869
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2962
--

This scored 23.1 via the commandline.

X-Spam-Level: *
X-Spam-Status: No, score=1.8 required=2.7 tests=RCVD_IN_PBL,
RCVD_IN_WHOIS_INVALID,RDNS_NONE autolearn=disabled version=3.2.1
Received: from [220.129.142.109] (helo=xipzgtwr)
by bronze.cs.yorku.ca with smtp (Exim 4.67)
(envelope-from <[EMAIL PROTECTED]>)
id 1IAbAu-00014W-6d; Mon, 16 Jul 2007 20:44:25 -0400
To: <[EMAIL PROTECTED]>
From: "Jeannette Larita" <[EMAIL PROTECTED]>
Subject: Men's Sexual Health Pill from $1.50  per pill, Pain Relief,  
Anti-Anxiety/Sleep fzun

Message-ID: <[EMAIL PROTECTED]>
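An added Python example, not from the post, that diffs the two results quoted above: it parses the folded spamd X-Spam-Status header and the `spamassassin -t` report, and shows which rules account for the 5.5-point gap. Here the rules that fired only on the command line (FH_RELAY_NODNS and the RCVD_IN_XBL DNSBL lookup) are both checks on the delivering relay, which usually points at the spamd run seeing a different trusted_networks setting or being unable to do DNS lookups. Both inputs are constructed inline from the post's own output.

```python
import re

# Constructed from the two results quoted in the post above: the X-Spam-Status
# header spamd added under exim (folded as in the mail) and the report that
# `spamassassin -t` printed for the same message.
SPAMD_HEADER = (
    "X-Spam-Status: No, score=2.6 required=2.7 tests=DATE_IN_PAST_03_06,\n"
    "\tDRUGS_ERECTILE,RCVD_IN_PBL,RDNS_NONE,STOX_REPLY_TYPE autolearn=disabled\n"
    "\tversion=3.2.1"
)
CLI_REPORT = """\
Content analysis details:   (8.1 points, 2.7 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.0 STOX_REPLY_TYPE        STOX_REPLY_TYPE
 0.1 RDNS_NONE              Delivered to trusted network by a host with no
                            rDNS
 1.5 FH_RELAY_NODNS         We could not determine your Reverse DNS
 0.5 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
 4.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
 1.4 DATE_IN_PAST_03_06     Date: is 3 to 6 hours before Received: date
 0.6 DRUGS_ERECTILE         Refers to an erectile drug
"""


def parse_status_header(raw):
    """Parse SpamAssassin's X-Spam-Status (score=, required=, tests=A,B,...)."""
    line = re.sub(r"\r?\n[ \t]+", " ", raw)   # unfold continuation lines
    line = re.sub(r",\s+", ",", line)         # folding may leave a space after a comma
    score = float(re.search(r"\bscore=(-?[\d.]+)", line).group(1))
    required = float(re.search(r"\brequired=(-?[\d.]+)", line).group(1))
    tests = re.search(r"\btests=([A-Z0-9_,]+)", line)
    rules = set(tests.group(1).split(",")) if tests else set()
    return score, required, rules


def parse_report(text):
    """Parse the 'Content analysis details' table into {rule: points};
    description continuation lines carry no score and are skipped."""
    rules = {}
    for line in text.splitlines():
        m = re.match(r"\s*(-?\d+\.\d+)\s+([A-Z0-9_]+)", line)
        if m:
            rules[m.group(2)] = float(m.group(1))
    return rules


def explain_gap(header_raw, report_text):
    """Return (delta, only_in_cli, only_in_spamd): how many points the two runs
    differ by and which rules one run fired that the other did not."""
    spamd_score, _, spamd_rules = parse_status_header(header_raw)
    cli_rules = parse_report(report_text)
    only_in_cli = {r: p for r, p in cli_rules.items() if r not in spamd_rules}
    only_in_spamd = sorted(spamd_rules - set(cli_rules))
    delta = round(sum(cli_rules.values()) - spamd_score, 1)
    return delta, only_in_cli, only_in_spamd


if __name__ == "__main__":
    delta, cli_only, spamd_only = explain_gap(SPAMD_HEADER, CLI_REPORT)
    print(f"command line scored {delta:+.1f} points more than spamd")
    print("fired only on the command line:", cli_only, "| only under spamd:", spamd_only)
```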




Re: is it true about donations?

2007-07-17 Thread Gene Heskett
On Tuesday 17 July 2007, Justin Mason wrote:
>Matt Kettler writes:
>> Robert - eLists wrote:
>> > Is it really true that in all the time spamassassin has been alive that
>> > the SA Team has only recv'd a hundred bucks or so in donations and such?

[...]

>Actually, part of my job description in a previous job was to spend a
>certain amount of time working on the OSS code, a good bit more recently
>than that. ;)
>
>For what it's worth, I've heard from other projects where the "paypal
>button on the homepage" model hasn't worked either.  In my experience,
>it's easier for people (and companies) to express donations in "barter"
>terms, than in direct monetary payment.

I believe the major reason it doesn't work is related to the PayPal TOS.  
There have been quite a few projects such as this one that have benefitted me 
directly, and I am willing to donate a small "Hey, great stuff, I appreciate 
it" message that people could "take to the corner ice cream store".

Unforch, I'm also retired, on a relatively fixed income that while it does 
have some "discretionary spending" wiggle room that would allow me to say 
thanks, the actual mechanism to do that opens me up to the possibility of 
electronic funds transfer fraud because PayPal seems to think that the only 
way to do business with them is to give them the routing numbers that allow 
them free access to extract whatever they think they need to balance the 
books at PayPal.

I do 99% of my bill paying online, and if it was as simple as having my bank 
send your project's head a check for $20, and have that automatically 
converted to your local monetary system at the current rate of exchange when 
your project's head takes it to his bank and deposits it, it would happen 
quite often.  The difference is that my writing the check puts the "is it 
good?" onus on those that handle it as that piece of paper makes its way back 
through the clearing houses to my bank, and they like being paid for that 
liability/risk.

A 2 digit check, on a 5 digit account shouldn't be that big a deal, but with 
PayPal in the handling chain, that 2 digit check has the possibility of 
turning into an empty account, and that's so not going to happen.

I have NDI if it would work or not, but no one seems willing to put a second 
donate button up that simply displays a valid address where I could send a 
donation, possibly even real cash.  And we won't know if it would work till 
someone tries it.  For all I know, fixed, per transaction fees might eat it 
all up & only the money changers wind up going to the store.

All I do know is that there really should be a direct "from me to you" funds 
transfer path that works as well as me handing that $20 bill to you in 
person.  The feasibility is the next thing to determine...

-- 
Cheers, Gene
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Brain fried -- Core dumped


Re: is it true about donations?

2007-07-17 Thread Per Jessen
Justin Mason wrote:

> For what it's worth, I've heard from other projects where the "paypal
> button on the homepage" model hasn't worked either.  In my experience,
> it's easier for people (and companies) to express donations in
> "barter" terms, than in direct monetary payment.

For most companies, donations are much easier dealt with in straightforward
money terms, but they need an invoice which many OSS projects
cannot or do not issue.


/Per Jessen, Zürich



Re: is it true about donations?

2007-07-17 Thread Justin Mason

Matt Kettler writes:
> Robert - eLists wrote:
> > Is it really true that in all the time spamassassin has been alive that the
> > SA Team has only recv'd a hundred bucks or so in donations and such?
> 
> I'd say that's about half true. In so far as "donation of cash or items
> direct from user to developer's own pocket/home", that's probably pretty
> close to true. I can't exactly confirm that, but it's quite plausible. I
> don't think any team member has received any kind of substantial income.
> Any who have, feel free to correct me for speculating. :)
> 
> However, several of the SA developers have at various points in the past
> been employed by companies with a commercial interest in SpamAssassin.
> I'm not sure if any were directly paid to work on the OSS code, but I
> suspect that was the case. (However, we're talking a LONG time ago..
> 2.32 days)

Actually, part of my job description in a previous job was to spend a
certain amount of time working on the OSS code, a good bit more recently
than that. ;)

For what it's worth, I've heard from other projects where the "paypal
button on the homepage" model hasn't worked either.  In my experience,
it's easier for people (and companies) to express donations in "barter"
terms, than in direct monetary payment.

> Also, the project itself has received a lot of hosting donations. While
> this isn't of direct benefit to the developers, it does keep the project
> from costing the team lots of money out-of-pocket.
> 
> Of course, that naturally might lead folks to ask "why does the team
> continue to do this?".
> 
> Well, I can't speak for any other team members, but my small story goes
> like this:
> 
> First, scrolling back several years, I'm a software engineer, with a
> part time "second hat" of running the DMZ servers (email, www, etc) and
> firewalls for a small company of about 70 people. Spam and viruses are
> quickly becoming a problem. In my research, I discover MailScanner,
> which works with the particular AV product we have a site license for,
> and SpamAssassin works with it too. The two tools collectively make my
> life substantially easier.
> 
> However, neither tool is perfect. So, I spend some of my personal time
> on a PC at home creating a few rules, writing a few bits of
> documentation, etc. The rules are largely motivated by my own needs. I
> need SA to keep spam under control in my network, so I write rules to
> improve it. While I'm at it, it costs me nothing to give a copy of that
> work to the official tree, so I do. The documentation bits are mostly
> humanitarian on my part, although sometimes they bemuse me as they are
> documentaries of my own bunglings through learning how SA works.  (most
> notably, the "Writing better rules" section of WritingRules in the wiki
> has a lot of this.. Every suggestion in there is as a result of some 
> naive mistake I made.)

Personally -- working on SpamAssassin has been some of the most enjoyable
and rewarding work I've performed in my career as a software engineer.
Also, it's probably paid better than any of the "closed-source" work I've
done, too; there are several jobs I wouldn't have gotten, if it wasn't for
the fact that I have SpamAssassin on my CV.  Open source works!

--j.


RE: OT Alert: Forward low scoring SPAM to sa-learn.

2007-07-17 Thread Anthony Kamau
> -Original Message-
> From: Matt Kettler [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 17 July 2007 11:35 AM
> To: Anthony Kamau
> Cc: users@spamassassin.apache.org
> Subject: Re: OT Alert: Forward low scoring SPAM to sa-learn.
> 
> That said, if you're just doing a "forward as attachment" type
> operation, you should be able to get any standard mime attachment
> extractor tool..
> 

Thanks Matt,

I was planning on having the users forward the spam/ham as an
attachment, but that was before I read Michael's post.  All should be
well unless I have other issues with the script...

Cheers,
AK.



RE: OT Alert: Forward low scoring SPAM to sa-learn.

2007-07-17 Thread Anthony Kamau
> -Original Message-
> From: Michael Scheidell [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, 17 July 2007 2:51 PM
> To: Anthony Kamau; users@spamassassin.apache.org
> Subject: RE: OT Alert: Forward low scoring SPAM to sa-learn.
> 
> Only hope is to create shared, public folders for them to move the
> email to and have a separate program use imap to that folder to read the
> email (again, google is your friend, there are several programs like this
> for SA out there)
> 

Thanks Michael.  I've always known that Google is my friend, but
creativity with search terms eludes me -:).  After reading your
response, I quickly Googled "imap exchange sa-learn" and up came 794
links.  The link at the top [1] provides all the details I need!

[1] - http://www.ctdx.net/2006/10/27/spamassassin-linux-exchange-imap/


Cheers,
AK.