Re: DNS Perl Help? [ot]
Mark Perkel wrote:

If I have a string, what's the fastest way to count the number of periods in the string?

In Perl, I would probably split the string at the periods

    @parts = split /\./, $string;

and then just use the number of splits

    $#parts

Wolfgang Hamann
Re: Bye for good FuzzyOCR
Spamassassin List wrote:

Spamassassin List wrote:

i just uninstalled FuzzyOCR from my system as it seems like it's become out of fashion to send those spam images that FuzzyOCR can read and I noticed that I don't even need it to get the remaining imagespam above a score of 10. Thanks a lot to the author, the plugin was great when imagespam was on a high and no good rules existed to bust them through metadata ;-)

So what are u using now?

HTML_IMAGE_ONLY_XX, SHORT_HELO_AND_INLINE_IMAGE, DC_IMAGE_SPAM_TEXT, DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO, SARE_GIF_ATTACH together with botnet, bayes and other standard rules is enough to bring all my image spam to above 10 points, even without cpu intensive FuzzyOCR. I'm not receiving much of it anymore anyways.

How do u get DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO? Using ImageInfo?

must be on updates.spamassassin.org or saupdates.openprotect.com, otherwise i wouldn't have them

I have updates.spamassassin.org, saupdates.openprotect.com and botnet, yet i can't achieve HTML_IMAGE_ONLY_XX, SHORT_HELO_AND_INLINE_IMAGE, DC_IMAGE_SPAM_TEXT, DC_IMAGE_SPAM_HTML, DC_GIF_UNO_LARGO, SARE_GIF_ATTACH. What am i missing out here?
Re: DNS Perl Help? [ot]
On Sun, Jul 22, 2007 at 07:15:50AM -, [EMAIL PROTECTED] wrote:

Mark Perkel wrote:

If I have a string, what's the fastest way to count the number of periods in the string?

In Perl, I would probably split the string at the periods

    @parts = split /\./, $string;

and then just use the number of splits

    $#parts

I believe the official/fastest/shortest method is:

    $count = $string =~ y/.//;

--
Randomly Selected Tagline: If a can of Alpo costs 38 cents, would it cost $2.50 in Dog Dollars?
Re: Spam Du Jour ? *.XLS
Chr. v. Stuckrad wrote:

On Sun, 22 Jul 2007, Robert Schetterer wrote:

investors news-76212.xls, et all no real challenge

jep , got 3 xls spams today

well, here too, but I think soon we'll get the whole mix ... a combinatoric explosion of envelope formats and content variants, meaning 'any windows-showable-fileformat' * 'all the already known picture-tricks embedded'

Anybody working on generic detectors yet? (I really would like to plug that (w)hole :-) Something like amavis or clamav to first unpack and then spamassassin to analyze it?

Stucki

Hi, http://sanesecurity.co.uk/clamav/ catches it now

--
With kind regards
Best Regards
Robert Schetterer
https://www.schetterer.org
Germany
Re: Bye for good FuzzyOCR
I'm not receiving much of it anymore anyways.

FWIW, about 20% of the spam I got today had either a GIF or PNG image attached to it. Most advertizing viagra in clear text with no obfuscation, a few advertizing stocks. FuzzyOCR still does quite well here.

Loren
RE: DKIM vs DomainKeys plugins
Ok, seems to work now, not sure why it wasn't. Thanks all.

--
Michael Scheidell, CTO
SECNAP Network Security Corporation
Keep up to date with latest information on IT security: Real time security alerts: http://www.secnap.com/news
Any mailbox-challenge plugin?
Hi everybody,

anyone knows of a SA plugin to score mails based on challenging the sender e-mail? I don't mean C/R, but instead just attempt an SMTP session in order to see if the source mailbox is known to the sending domain's MX. If it isn't, the plugin applies a score to the e-mail.

I know I could do something like this in my postfix, but this way I would totally reject e-mails carrying a wrong From: header. Since some people seem to be a bit dyslectic in writing its own e-mail address, I would prefer not to reject unless there are some other reasons too (i.e.: the mail hits some other SA rules).

Thanks,
Giampaolo
Re: Any mailbox-challenge plugin?
Giampaolo Tomassoni wrote:

Hi everybody, anyone knows of a SA plugin to score mails based on challenging the sender e-mail? I don't mean C/R, but instead just attempt an SMTP session in order to see if the source mailbox is known to the sending domain's MX. If it isn't, the plugin applies a score to the e-mail.

I know I could do something like this in my postfix, but this way I would totally reject e-mails carrying a wrong From: header. Since some people seem to be a bit dyslectic in writing its own e-mail address, I would prefer not to reject unless there are some other reasons too (i.e.: the mail hits some other SA rules).

Thanks, Giampaolo

Giampaolo

There are a number of milters that can help with this, such as milter-ahead and milter-sender

Regards
Michele

--
Mr Michele Neylon
Blacknight Solutions
Hosting Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 929 929
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland
Company No.: 370845
R: Any mailbox-challenge plugin?
-----Original Message-----
From: Michele Neylon :: Blacknight [mailto:[EMAIL PROTECTED]

Giampaolo Tomassoni wrote:

Hi everybody, anyone knows of a SA plugin to score mails based on challenging the sender e-mail? I don't mean C/R, but instead just attempt an SMTP session in order to see if the source mailbox is known to the sending domain's MX. If it isn't, the plugin applies a score to the e-mail.

I know I could do something like this in my postfix, but this way I would totally reject e-mails carrying a wrong From: header. Since some people seem to be a bit dyslectic in writing its own e-mail address, I would prefer not to reject unless there are some other reasons too (i.e.: the mail hits some other SA rules).

Thanks, Giampaolo

Giampaolo

There are a number of milters that can help with this, such as milter-ahead and milter-sender

Regards
Michele

Well, I'm actually running amavisd, so I guess I would need a SA plugin to do this. Thanks anyway.

Giampaolo

--
Mr Michele Neylon
Blacknight Solutions
Hosting Colocation, Brand Protection
http://www.blacknight.ie/
http://blog.blacknight.ie/
Tel. 1850 929 929
Intl. +353 (0) 59 9183072
Direct Dial: +353 (0)59 9183090
Fax. +353 (0) 1 4811 763
---
Blacknight Internet Solutions Ltd, Unit 12A,Barrowside Business Park,Sleaty Road,Graiguecullen,Carlow,Ireland
Company No.: 370845
Re: Any mailbox-challenge plugin?
Giampaolo Tomassoni wrote:

Hi everybody, anyone knows of a SA plugin to score mails based on challenging the sender e-mail? I don't mean C/R, but instead just attempt an SMTP session in order to see if the source mailbox is known to the sending domain's MX. If it isn't, the plugin applies a score to the e-mail.

I know I could do something like this in my postfix, but this way I would totally reject e-mails carrying a wrong From: header. Since some people seem to be a bit dyslectic in writing its own e-mail address, I would prefer not to reject unless there are some other reasons too (i.e.: the mail hits some other SA rules).

Doing it at the MTA is called Sender Address Verification, and isn't considered to be that much better than C/R (it doesn't clutter a forged-sender's mail box, but it can bog down a forged-sender's mail server with verification requests).

I wouldn't expect a sender verification plugin for SA to be any better liked than doing it at the MTA level.
Re: DNS Perl Help? [ot]
Theo Van Dinter wrote:

On Sun, Jul 22, 2007 at 07:15:50AM -, [EMAIL PROTECTED] wrote:

Mark Perkel wrote:

If I have a string, what's the fastest way to count the number of periods in the string?

In Perl, I would probably split the string at the periods

    @parts = split /\./, $string;

and then just use the number of splits

    $#parts

I believe the official/fastest/shortest method is:

    $count = $string =~ y/.//;

OK - Thanks for your help on that one. Still need the DNS stuff figured out. That's the last piece in what will be an extraordinarily powerful whitelisting system. I'll publish the code once it is tested. I think a lot of people will want to use it and improve it.
R: Any mailbox-challenge plugin?
-----Original Message-----
From: John Rudd [mailto:[EMAIL PROTECTED]

Giampaolo Tomassoni wrote:

Hi everybody, anyone knows of a SA plugin to score mails based on challenging the sender e-mail? I don't mean C/R, but instead just attempt an SMTP session in order to see if the source mailbox is known to the sending domain's MX. If it isn't, the plugin applies a score to the e-mail.

I know I could do something like this in my postfix, but this way I would totally reject e-mails carrying a wrong From: header. Since some people seem to be a bit dyslectic in writing its own e-mail address, I would prefer not to reject unless there are some other reasons too (i.e.: the mail hits some other SA rules).

Doing it at the MTA is called Sender Address Verification,

Oh, yes. That's it. Thank you: I couldn't recall its name.

and isn't considered to be that much better than C/R (it doesn't clutter a forged-sender's mail box, but it can bog down a forged-sender's mail server with verification requests).

Well, it may be. I know, however, that a lot of people is doing this at the MTA level in order to reject mails with forged sender. Also, SAV's drawbacks may probably be mitigated by caching the results.

I wouldn't expect a sender verification plugin for SA to be any better liked than doing it at the MTA level.

I don't mind to do something more polite with MXes or better effective than its equivalent at the MTA level. I would like not to trash incoming mails solely because they failed a SAV check, thereby I would need a SA plugin for this.

Giampaolo
Re: Spam Du Jour ? *.XLS -- packed into zip now
On Sun, 22 Jul 2007, Robert Schetterer wrote:

http://sanesecurity.co.uk/clamav/ catches it now

As seen before, they react fast on news on this list :-)

Now I got the same 'XLS' *inside* a *.zip file!

Stucki

--
Christoph von Stuckrad      * * |nickname |[EMAIL PROTECTED] \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(days):+49 30 838-75 459|
Mathematik Informatik EDV   |\ *|if online|Tel(else):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin   * * |on IRCnet|Fax(alle):+49 30 838-75 454/
Re: Bye for good FuzzyOCR
Loren Wilton wrote:

I'm not receiving much of it anymore anyways.

FWIW, about 20% of the spam I got today had either a GIF or PNG image attached to it. Most advertizing viagra in clear text with no obfuscation, a few advertizing stocks. FuzzyOCR still does quite well here.

Loren

I'm not saying that it doesn't work well anymore, i'm just saying that i don't need it anymore to bring my spam to above 10 points. What happened for me lately was the following: image spam was above 10 pts already and fuzzyocr didn't run, so fuzzyocr only ran for ham with images, completely wasting resources, so i uninstalled it
Re: DKIM vs DomainKeys plugins
Michael Scheidell wrote:

Ok, seems to work now, not sure why it wasn't. Thanks all.

Not sure why it wasn't either. However, the test message I sent you, and CCed to my verizon address, failed, but a copy sent back to my own yahoo account passed.

Looking at the messages, apparently verizon re-arranges the message headers for no good reason.

The one to myself on yahoo had this header order:

    X-Apparently-To:
    X-Originating-IP:
    Authentication-Results:
    Received:
    Received:
    DomainKey-Signature:
    Received:
    X-YMail-OSG:
    Message-ID:
    Date:
    From: [EMAIL PROTECTED]
    User-Agent:
    MIME-Version:
    To: [EMAIL PROTECTED]
    Subject: test
    Content-Type:
    Content-Transfer-Encoding:

The one sent to verizon had:

    Received:
    Received:
    Received:
    Date:
    From: [EMAIL PROTECTED]
    Subject:
    X-Originating-IP:
    To: [EMAIL PROTECTED]
    Message-id:
    MIME-version:
    Content-type:
    Content-transfer-encoding:
    DomainKey-Signature:
    X-YMail-OSG:
    User-Agent:

So Verizon has moved the Subject, Content-*, Subject, From/To, date, message-id and even yahoo's own Received: header up above the DK signature.

This of course results in:

    dbg: dkim: signature verification result: fail (message has been altered)

and thus the message hits DKIM_POLICY_SIGNSOME and DKIM_SIGNED, but not DKIM_VERIFIED.

Perhaps your earlier tests had a message that was somehow modified...
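An added illustration, not part of the thread and not SpamAssassin or Mail::DKIM code, of why the reordering described above fails verification: a DomainKeys verifier hashes only the headers that follow the DomainKey-Signature header, so anything moved above it drops out of the signed set. The two header orders are the ones listed in the message; the header values, the `h=` list and the SHA-1 digest standing in for the RSA signature are assumptions made for the example.

```python
import hashlib

SIG = "domainkey-signature"

# Header orders as listed in the message above; every value is constructed.
YAHOO_ORDER = ["X-Apparently-To", "X-Originating-IP", "Authentication-Results",
               "Received", "Received", "DomainKey-Signature", "Received",
               "X-YMail-OSG", "Message-ID", "Date", "From", "User-Agent",
               "MIME-Version", "To", "Subject", "Content-Type",
               "Content-Transfer-Encoding"]
VERIZON_ORDER = ["Received", "Received", "Received", "Date", "From", "Subject",
                 "X-Originating-IP", "To", "Message-id", "MIME-version",
                 "Content-type", "Content-transfer-encoding",
                 "DomainKey-Signature", "X-YMail-OSG", "User-Agent"]
# Assumed h= list (not shown in the thread): the headers the signer covered.
H_TAG = ["Received", "X-YMail-OSG", "Message-ID", "Date", "From", "User-Agent",
         "MIME-Version", "To", "Subject", "Content-Type",
         "Content-Transfer-Encoding"]
BODY = "test\r\n"


def build(order):
    """Turn a list of header names into (name, value) pairs with dummy values."""
    return [(name, "constructed value for " + name.lower()) for name in order]


def covered(headers, h_tag):
    """Headers a DomainKeys verifier hashes: only those that FOLLOW the
    DomainKey-Signature header, restricted to the names listed in h=."""
    names = [name.lower() for name, _ in headers]
    if SIG not in names:
        return []
    wanted = {name.lower() for name in h_tag}
    after_sig = headers[names.index(SIG) + 1:]
    return [(n, v) for n, v in after_sig if n.lower() in wanted]


def digest(headers, body, h_tag):
    """SHA-1 over the covered headers, a blank line and the body. This digest
    stands in for the RSA signature; names are lower-cased so that position
    alone, not the re-casing of header names, changes the result."""
    h = hashlib.sha1()
    for name, value in covered(headers, h_tag):
        h.update(f"{name.lower()}: {value}\r\n".encode())
    h.update(b"\r\n" + body.encode())
    return h.hexdigest()


def dropped(headers, h_tag):
    """Names from h= that no longer sit below the signature header."""
    present = {n.lower() for n, _ in covered(headers, h_tag)}
    return [name for name in h_tag if name.lower() not in present]


def verify(headers, body, h_tag, signed_digest):
    """True when the delivered copy still hashes to the signer's digest."""
    return digest(headers, body, h_tag) == signed_digest


AS_SIGNED = build(YAHOO_ORDER)        # copy delivered to the Yahoo mailbox
AS_DELIVERED = build(VERIZON_ORDER)   # copy delivered to the Verizon mailbox
SIGNED_DIGEST = digest(AS_SIGNED, BODY, H_TAG)

if __name__ == "__main__":
    print("Yahoo copy verifies:  ", verify(AS_SIGNED, BODY, H_TAG, SIGNED_DIGEST))
    print("Verizon copy verifies:", verify(AS_DELIVERED, BODY, H_TAG, SIGNED_DIGEST))
    print("Moved above the signature:", ", ".join(dropped(AS_DELIVERED, H_TAG)))
```

When triaging a "message has been altered" result, comparing the header list below the signature header against the signature's `h=` list is a quick way to tell relay reordering from body tampering.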
Re: My bash script to upload PDFinfo daily, safely
I have found SaneSecurity definitions to be VERY good - they hit about 60% of my SPAM which is incredible given that they only match exact results (they are not fuzzy). However this high percentage may be because I am based in the UK as is the author of the sanesecurity definitions. Also they tend to hit already high scoring spam so they aren't a miracle spam fighting measure though they are good.

My biggest concern was over possible false positives given that there is only one person working on these definitions unlike the official ClamAV signatures... However I have yet to have any problems with them in the month that I have been using them.

There are also two other sets of ClamAV signatures which I am now testing (though these are not as good IMHO):

http://www.malware.com.br/ (various formats including ClamAV)
http://www.msrbl.com/site/ (ClamAV as well as RBLs)

As a solution to my own concerns over false positives I have changed from virus scanning at SMTP time and have moved to using the ClamAV SpamAssassin plugin: http://wiki.apache.org/spamassassin/ClamAVPlugin

Rather than using the standard clamav.cf I have written my own which gives different scores depending on what ClamAV signature found something:

    loadplugin ClamAV clamav.pm
    full CLAMAV eval:check_clamav()
    describe CLAMAV Clam AntiVirus detected something...
    score CLAMAV 0.001

    # Look for specific types of ClamAV detections
    header __CLAMAV_PHISH X-Spam-Virus =~ /Yes.{1,20}Phishing/i
    header __CLAMAV_SANE X-Spam-Virus =~ /Yes.{1,20}Sanesecurity/i
    header __CLAMAV_MBL X-Spam-Virus =~ /Yes.{1,20}MBL/
    header __CLAMAV_MSRBL X-Spam-Virus =~ /Yes.{1,20}MSRBL/

    # Give the above rules a very late priority so that they can see the output
    # of previous rules - otherwise they don't work!
    # (The numeric priority values are missing from this copy of the message;
    # each priority line below needs one.)
    priority __CLAMAV_PHISH
    priority __CLAMAV_SANE
    priority __CLAMAV_MBL
    priority __CLAMAV_MSRBL

    # Work out what ClamAV detected and score accordingly
    meta CLAMAV_VIRUS (CLAMAV && !__CLAMAV_PHISH && !__CLAMAV_SANE && !__CLAMAV_MBL && !__CLAMAV_MSRBL)
    describe CLAMAV_VIRUS Virus found by ClamAV default signatures
    score CLAMAV_VIRUS 20.0

    meta CLAMAV_PHISH (CLAMAV && __CLAMAV_PHISH && !__CLAMAV_SANE)
    describe CLAMAV_PHISH Phishing email found by ClamAV default signatures
    score CLAMAV_PHISH 10.0

    meta CLAMAV_SANE (CLAMAV && __CLAMAV_SANE)
    describe CLAMAV_SANE SPAM found by ClamAV SaneSecurity signatures
    score CLAMAV_SANE 7.5

    meta CLAMAV_MBL (CLAMAV && __CLAMAV_MBL)
    describe CLAMAV_MBL Malware found by ClamAV MBL signatures
    score CLAMAV_MBL 7.5

    meta CLAMAV_MSRBL (CLAMAV && __CLAMAV_MSRBL)
    describe CLAMAV_MSRBL SPAM found by ClamAV MRSBL signatures
    score CLAMAV_MSRBL 2.0

Hope this is of some help to someone...
Re: Bye for good FuzzyOCR
On Jul 22, 2007, at 9:43 AM, arni wrote:

Loren Wilton wrote:

I'm not receiving much of it anymore anyways.

FWIW, about 20% of the spam I got today had either a GIF or PNG image attached to it. Most advertizing viagra in clear text with no obfuscation, a few advertizing stocks. FuzzyOCR still does quite well here.

Loren

I'm not saying that it doesn't work well anymore, i'm just saying that i don't need it anymore to bring my spam to above 10 points. What happened for me lately was the following: image spam was above 10 pts already and fuzzyocr didn't run, so fuzzyocr only ran for ham with images, completely wasting resources, so i uninstalled it

I upgraded a system to SA 3.2, which I see now is not compatible with FuzzyOCR yet. I started getting a bunch of image spam again. :( I wish I had it again...

David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]
Re: Bye for good FuzzyOCR
David Morton wrote the following on 7/22/2007 11:08 AM -0800:

On Jul 22, 2007, at 9:43 AM, arni wrote:

Loren Wilton wrote:

I'm not receiving much of it anymore anyways.

FWIW, about 20% of the spam I got today had either a GIF or PNG image attached to it. Most advertizing viagra in clear text with no obfuscation, a few advertizing stocks. FuzzyOCR still does quite well here.

Loren

I'm not saying that it doesn't work well anymore, i'm just saying that i don't need it anymore to bring my spam to above 10 points. What happened for me lately was the following: image spam was above 10 pts already and fuzzyocr didn't run, so fuzzyocr only ran for ham with images, completely wasting resources, so i uninstalled it

I upgraded a system to SA 3.2, which I see now is not compatible with FuzzyOCR yet. I started getting a bunch of image spam again. :( I wish I had it again...

I'm running SA 3.2.1 and FuzzyOCR is running just fine here.

Bill
Re: Bye for good FuzzyOCR
Bill Landry wrote:

I'm running SA 3.2.1 and FuzzyOCR is running just fine here.

Bill

ran fine on 3.2.0 for me ...
Everything marked as Spam
We moved servers and tried a different email system (but that is a whole different story). This new server has SA 3.2.1 from source using spamd w/no options passed. We are trying Bongo email system which, i believe uses netmail. Problem is, SA is marking everything as spam. We use sa-update and botnet and ixhash plugins, that's all. What do i do so SA does not mark everything as spam?

Chris
Re: Everything marked as Spam
At 11:45 22-07-2007, [EMAIL PROTECTED] wrote:

We moved servers and tried a different email system (but that is a whole different story). This new server has SA 3.2.1 from source using spamd w/no options passed. We are trying Bongo email system which, i believe uses netmail. Problem is, SA is marking everything as spam. We use sa-update and botnet and ixhash plugins, that's all. What do i do so SA does not mark everything as spam?

Provide a sample of the messages incorrectly marked as spam.

Regards,
-sm
Re: Bye for good FuzzyOCR
David Morton wrote:

On Jul 22, 2007, at 9:43 AM, arni wrote:

Loren Wilton wrote:

I'm not receiving much of it anymore anyways.

FWIW, about 20% of the spam I got today had either a GIF or PNG image attached to it. Most advertizing viagra in clear text with no obfuscation, a few advertizing stocks. FuzzyOCR still does quite well here.

Loren

I'm not saying that it doesn't work well anymore, i'm just saying that i don't need it anymore to bring my spam to above 10 points. What happened for me lately was the following: image spam was above 10 pts already and fuzzyocr didn't run, so fuzzyocr only ran for ham with images, completely wasting resources, so i uninstalled it

I upgraded a system to SA 3.2, which I see now is not compatible with FuzzyOCR yet. I started getting a bunch of image spam again. :( I wish I had it again...

Try using the SVN Version (revision 132). This is basically the same as the latest 3.5.x release but some issues with SA 3.2.x were fixed.

Best regards,
Chris

David Morton
Maia Mailguard http://www.maiamailguard.com
[EMAIL PROTECTED]
migrating from clamav before mta to SA ClamAV plugin experiences
Would anyone care to share their experiences of migrating from having their pre MTA program handoff to clamav for email virus scanning changed to doing it with the SA ClamAV plugin way ??? The reason I am thinking about migrating and doing it with the SA ClamAV plugin way is that I can just reject the email at the SMTP level instead of storing it as a quarantine... Well, at least I haven't figured out how to do smtp reject the other way yet. Thanks in advance - rh
Re: R: Any mailbox-challenge plugin?
Giampaolo Tomassoni wrote:

anyone knows of a SA plugin to score mails based on challenging the sender e-mail? I don't mean C/R, but instead just attempt an SMTP session in order to see if the source mailbox is known to the sending domain's MX. If it isn't, the plugin applies a score to the e-mail.

-----Original Message-----
From: John Rudd [mailto:[EMAIL PROTECTED]

Doing it at the MTA is called Sender Address Verification, and isn't considered to be that much better than C/R (it doesn't clutter a forged-sender's mail box, but it can bog down a forged-sender's mail server with verification requests).

On 22.07.07 16:22, Giampaolo Tomassoni wrote:

Well, it may be. I know, however, that a lot of people is doing this at the MTA level in order to reject mails with forged sender.

I am really curious how do they behave when there's forged sender and both MTA's use this. Either they will cycle forever (so they will never know if either address is OK), or they will stop checking (so the spam will pass because spammer forged domain with SAV implemented) or the mail (even legitimate!) just will not pass...

Once I'll try this on two or more such systems (in parallel!) and see if they will DoS each other...

Also, SAV's drawbacks may probably be mitigated by caching the results.

I don't think so. The problem with first connection will still defeat the whole system... at SA level it may be much worse because your computer will spend much more CPU cycles when checking it.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody
Re: migrating from clamav before mta to SA ClamAV plugin experiences
On 22.07.07 13:16, Robert - eLists wrote:

Would anyone care to share their experiences of migrating from having their pre MTA program handoff to clamav for email virus scanning changed to doing it with the SA ClamAV plugin way ??? The reason I am thinking about migrating and doing it with the SA ClamAV plugin way is that I can just reject the email at the SMTP level instead of storing it as a quarantine... Well, at least I haven't figured out how to do smtp reject the other way yet.

which MTA are you using? The clamav plugin should reject the e-mail the same way SA plugin does that (with much less CPU time spent)

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
They say when you play that M$ CD backward you can hear satanic messages. That's nothing. If you play it forward it will install Windows.
RE: migrating from clamav before mta to SA ClamAV plugin experiences
which MTA are you using? The clamav plugin should reject the e-mail the same way SA plugin does that (with much less CPU time spent)

Uhlar

I use qmail-scanner-queue.pl, clamav, spamassassin and qmail

I can reject spam over a certain scoring threshold this way, yet I have not figured out a way to just reject email based upon having a virus signature per clamav.

So, I thought I would remove clamav from qmail-scanner-queue.pl and let clamav be called from the SA ClamAV Plugin... This way I can reject the email once it scores over a certain threshold and not have it handled by quarantine etc.

- rh
Re: Everything marked as Spam
SM wrote:

At 11:45 22-07-2007, [EMAIL PROTECTED] wrote:

We moved servers and tried a different email system (but that is a whole different story). This new server has SA 3.2.1 from source using spamd w/no options passed. We are trying Bongo email system which, i believe uses netmail. Problem is, SA is marking everything as spam. We use sa-update and botnet and ixhash plugins, that's all. What do i do so SA does not mark everything as spam?

Provide a sample of the messages incorrectly marked as spam.

Or at the very least the X-Spam-Status headers from 3 different messages indicating what rules are hitting.. perhaps there's a pattern...
R: R: Any mailbox-challenge plugin?
-----Original Message-----
From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED]

...omitted...

I am really curious how do they behave when there's forged sender and both MTA's use this. Either they will cycle forever (so they will never know if either address is OK), or they will stop checking (so the spam will pass because spammer forged domain with SAV implemented) or the mail (even legitimate!) just will not pass...

Once I'll try this on two or more such systems (in parallel!) and see if they will DoS each other...

No, Matus: they don't cycle. An MTA willing to check the existence of a sender address would do this before its reply after end of DATA (i.e.: after having received the message). Instead, an MTA would inform its peer of a non-existent mailbox after RCPT-TO (with a 5XX error code), which is well before DATA. The checking system need not proceed to DATA in order to check the existence of a mailbox, so there is no cycle...

Also, SAV's drawbacks may probably be mitigated by caching the results.

I don't think so. The problem with first connection will still defeat the whole system... at SA level it may be much worse because your computer will spend much more CPU cycles when checking it.

... and no DoS. Caching would help, instead, when a large number of messages with the very same sender are received. This is a quite common pattern in spam.

Giampaolo

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT wish to receive any advertising mail at this address.
Windows 2000: 640 MB ought to be enough for anybody
Re: R: R: Any mailbox-challenge plugin?
Giampaolo Tomassoni wrote:

-----Original Message-----
From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED]

...omitted...

I am really curious how do they behave when there's forged sender and both MTA's use this. Either they will cycle forever (so they will never know if either address is OK), or they will stop checking (so the spam will pass because spammer forged domain with SAV implemented) or the mail (even legitimate!) just will not pass...

Once I'll try this on two or more such systems (in parallel!) and see if they will DoS each other...

No, Matus: they don't cycle. An MTA willing to check the existence of a sender address would do this before its reply after end of DATA (i.e.: after having received the message). Instead, an MTA would inform its peer of a non-existent mailbox after RCPT-TO (with a 5XX error code), which is well before DATA. The checking system need not proceed to DATA in order to check the existence of a mailbox, so there is no cycle...

I believe the more direct reason why there won't be a cycle/loop is that:

When doing SAV, the checking host should set its Mail-From to <>.

So, if someone tries to send me a message from [EMAIL PROTECTED], and I were to use SAV (which I don't), then the SAV check should have these transactions:

    HELO $MYHOST
    Mail-From: <>
    RCPT-To: [EMAIL PROTECTED]
    QUIT

The reason why this shouldn't cause a loop is that RFCs specifically state that <> is a valid Mail-From, and should always be accepted. Therefore, the other side should never reject (and therefore never check) the validity of <> as a mail-from.
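The probe described in this sub-thread, as an added offline simulation that is not code from any poster, SpamAssassin or an MTA: two toy in-memory MX hosts that both perform sender address verification, showing that the null sender stops them from probing each other in a loop, that caching collapses repeated forged senders into one probe, and that the result can feed a score instead of a rejection. The class, function names, domains, mailboxes and point value are all constructed for the example.

```python
import time


class Mx:
    """Toy in-memory MX (constructed, no network I/O). It answers a SAV probe
    and itself runs SAV on every non-null envelope sender it is offered."""

    def __init__(self, domain, mailboxes, directory):
        self.domain = domain
        self.mailboxes = set(mailboxes)
        self.directory = directory   # domain -> Mx; stands in for the DNS MX lookup
        directory[domain] = self
        self.sessions = 0            # inbound SMTP sessions this host has served
        self.cache = {}              # address -> (verdict, expiry time)

    def session(self, helo, mail_from, rcpt_to):
        """One SMTP dialogue up to RCPT TO; returns the reply code for RCPT."""
        self.sessions += 1
        # The null reverse-path <> is always accepted and never verified.
        # That is what keeps two SAV hosts from probing each other forever.
        if mail_from != "" and self.verify_sender(mail_from) is False:
            return 550
        local, _, domain = rcpt_to.partition("@")
        if domain != self.domain or local not in self.mailboxes:
            return 550
        return 250

    def verify_sender(self, address, ttl=3600, now=None):
        """SAV probe: HELO, MAIL FROM:<>, RCPT TO:<address>, QUIT.
        Returns True (mailbox accepted), False (5xx) or None (unknown)."""
        now = time.time() if now is None else now
        hit = self.cache.get(address)
        if hit and hit[1] > now:
            return hit[0]            # answered from cache: no new session
        peer = self.directory.get(address.rpartition("@")[2])
        if peer is None:
            return None              # no MX to ask: unknown, not cached
        code = peer.session(helo=self.domain, mail_from="", rcpt_to=address)
        if code == 250:
            verdict = True
        elif 500 <= code < 600:
            verdict = False
        else:
            verdict = None           # temporary failure: do not penalise
        if verdict is not None:
            self.cache[address] = (verdict, now + ttl)
        return verdict


def sav_score(mx, sender, points=2.0):
    """Score instead of reject: add points only on a definite 'no such user'."""
    return points if mx.verify_sender(sender) is False else 0.0


if __name__ == "__main__":
    directory = {}
    a = Mx("a.example", ["alice"], directory)
    b = Mx("b.example", ["bob"], directory)
    # Genuine sender: b probes a once with the null sender; a does not probe back.
    print(b.session("a.example", "alice@a.example", "bob@b.example"), a.sessions)
    # Fifty messages with the same forged sender cost a only one more session.
    print(sum(sav_score(b, "ghost@a.example") for _ in range(50)), a.sessions)
```

The cache lifetime is the trade-off to tune: a long TTL keeps load off the probed MX but delays noticing a mailbox that was created or removed.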
Now its zip attachments ^^
This night it seems like we're being spammed again by xml documents, but this time neatly packed into a zipfile:

I'm really excited what's going to happen next. Maybe psd files embedded in pdf and then rar'ed.

And i'd still like to meet the person that goes through all that trouble to read that spam, and then performs the action that the spammer wants from him.

arni
Re: Now its zip attachments ^^
On Sun, July 22, 2007 6:47 pm, John Rudd wrote:

For multi-lingual reasons, just allow plain ascii or unicode, and throw away any messages with any body types other than that.

I'd like to ban all those people who write in the tiniest font they can find. Then there's my one brother who always has the dancing bears, etc. in his messages. I tend to reply with bright green on yellow. :)

--
Jerry Durand, Durand Interstellar, Inc.
Los Gatos, California USA
tel: +1 408 356-3886, USA toll free: 1 866 356-3886
web: www.interstellar.com, skype: jerrydurand
RE: Now its zip attachments ^^
Not sure I agree about banning all attachments, but I would like to ban all email with fonts as BIG as people can find and those which use any kind of background stationery.
Re: New PDF?
WebTent wrote:

I have a few PDF's getting through now after doing pretty good, the latest 0.4 pdfinfo + sa 3.1.7 + sare rules + sa-update is not scoring enough on these:

Current version is v0.6. And sigs for those were added last Thursday...

http://esmtp.webtent.net/mail1.txt

    * 0.6 GMD_PDF_ENCRYPTED BODY: Attached PDF is encrypted
    * 2.0 GMD_PDF_FUZZY2_T11 BODY: Fuzzy tags Match
    *     5A4CB7600371063164BB7AFA6EDE7FE9
    * 0.2 GMD_PDF_EMPTY_BODY BODY: Attached PDF with empty message body
    * 3.0 GMD_PDF_STOX_M4 PDF Stox spam

http://esmtp.webtent.net/mail2.txt

    * 2.0 GMD_PDF_FUZZY2_T9 BODY: Fuzzy tags Match
    *     875C8F0810E6524EF0C3A7C4221A4C28
    * 0.6 GMD_PDF_ENCRYPTED BODY: Attached PDF is encrypted
    * 0.2 GMD_PDF_EMPTY_BODY BODY: Attached PDF with empty message body
    * 3.0 GMD_PDF_STOX_M4 PDF Stox spam

--
Dallas Engelken
[EMAIL PROTECTED]
http://uribl.com
Re: New PDF?
Current version is v0.6. And sigs for those were added last Thursday...

The web page at http://www.rulesemporium.com/plugins.htm still identifies it as 0.4 with a mod date of July 16, FYI. The linked file is 0.6, though.

--
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
...Life is not a journey to the grave with the intention of arriving safely in one pretty and well-preserved piece, but to slide across the finish line broadside, thoroughly used up, worn out, leaking oil, and shouting GERONIMO!!! -- Bill McKenna
Fake MX Record
On http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record), where do I insert these values:

    fake0.domain.com 10
    realmx.domain.com 20
    fake1.domain.com 30

TIA.
Re: Fake MX Record
At 08:17 PM 7/22/2007, Bubuk Gabrok wrote:

On http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record), where do I insert these values:

    fake0.domain.com 10
    realmx.domain.com 20
    fake1.domain.com 30

TIA.

In your Zonefile for your DNS.

Evan
Re: Fake MX Record
On 7/23/07, Evan Platt [EMAIL PROTECTED] wrote:

At 08:17 PM 7/22/2007, Bubuk Gabrok wrote:

On http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record), where do I insert these values:

    fake0.domain.com 10
    realmx.domain.com 20
    fake1.domain.com 30

TIA.

In your Zonefile for your DNS.

Evan

Thanks Evan. I am using webmin to create and edit all my DNS entries. Now suppose if I want to create Fake MX Record for example.com, I would go to BIND DNS Server from the Servers main menu item right? Then I should click on example.com and click on Edit Records File and insert the values that I have mentioned before. Am I on the right track?

    ...
    ...
    www.example.com. IN A aaa.bbb.ccc.ddd
    example.com. IN MX 10 mail.example.com
    fake0.domain.com 10
    realmx.domain.com 20
    fake1.domain.com 30

Do I need to replace domain.com to example.com ? Please advise.
Re: Fake MX Record
At 20:17 22-07-2007, Bubuk Gabrok wrote:

On http://wiki.apache.org/spamassassin/OtherTricks (Fake MX Record), where do I insert these values:

Set your DNS records accordingly. The statement that No good email is lost is subjective.

Regards,
-sm