Re: BOTNET Exceptions for Today
John Rudd wrote:
> René Berber wrote:
>> Here's a good example of why Botnet's default score is too high, those
>> guys at meridiencancun have a so called "Enterprise account" with their
>> ISP, what they get is a fixed IP and no control over reverse DNS, that's
>> why the reverse returns what the ISP configured. Best practices and other
>> fiction don't apply to the real world in cases like this.
>
> As for "best practices" being "fiction" that "doesn't apply to the real
> world" ... it's rinky-dink mail servers run by people with half-assed
> opinions like that that cause there to be such a huge number of
> exploited mail servers on the planet.

Exploited mail servers are badly configured mail servers, that's a whole different subject from what is being discussed.

> People who think "best practices" are "fiction" are the scourge that
> makes the internet such an unreliable place.
>
> Here kid, have a nickel. Go buy yourself a real mail server.

I'm not a kid, so I would appreciate some respect. If you think I don't know what I'm talking about, that's your prerogative, you don't really know me.

--
René Berber
ham mail marked as spam
Hi

Suddenly my colleague's mails are received as spam by SA 3.1.7. I added a whitelist entry for them. Why does it come like this suddenly? Any solution?

--
Sg
Re: BOTNET Exceptions for Today
René Berber wrote:
> Bret Miller wrote:
>> I keep saying that I have false positives with botnet, but haven't
>> substantiated that to date. So, today I'm spending a little time making
>> exceptions since I would like this to work. Here are today's:
> [snip]
>> meridiencancun.com.mx, sent from IP , resolves to
>> customer-148-233-9-212.uninet-ide.com.mx #more stupidity
>
> Here's a good example of why Botnet's default score is too high, those
> guys at meridiencancun have a so called "Enterprise account" with their
> ISP, what they get is a fixed IP and no control over reverse DNS, that's
> why the reverse returns what the ISP configured. Best practices and other
> fiction don't apply to the real world in cases like this.

As for "best practices" being "fiction" that "doesn't apply to the real
world" ... it's rinky-dink mail servers run by people with half-assed
opinions like that that cause there to be such a huge number of
exploited mail servers on the planet.

People who think "best practices" are "fiction" are the scourge that
makes the internet such an unreliable place.

Here kid, have a nickel. Go buy yourself a real mail server.

> Yes it can be called stupidity, but in this case is the ISP and the
> legitimate business can't do much about it; very few ISPs in the .mx
> zone allow you any control over reverse DNS, perhaps none in the region
> that hotel operates.

And if they had done something intelligent, like having their mail domain
(meridiencancun.com.mx) have an A record that points to that same static
IP address ... or have an MX record that points back to a hostname with
that static IP address, then Botnet wouldn't catch them.

The only fiction here is that they need to have control of their rDNS in
order to get an exemption from Botnet.
Re: Suggested botnet rule scores
Nix wrote:
> On 21 Aug 2007, Kai Schaetzl said:
>> Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
>>> It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts,
>>> but also hosts with e.g. the string `adsl' in its rDNS, even if that
>>> host happens to have a static assignment.
>>
>> Well, if it's static they can give you rDNS and you can use a hostname
>> of your choice for A and PTR.
>
> My ISP doesn't give me that option (well, OK, it probably gives *me* that
> option because I can bug the ISP's technical director, but not people
> who've posted bonds). I'd venture to guess that the vast majority of
> small business UK ISPs, even those that do not provide useful outbound
> relaying MTAs, do not delegate rDNS to individual users.

And they can't set one of the MX records, or A records, for their mail
domain to be the same as their static IP address? Because EITHER one of
those things will trigger an exception for Botnet.

> (Of course, this is all sophistry to an extent: right now the vast
> majority of mail sent directly from ADSL lines *is* probably sent from
> botted hosts. :( )

Right... which pretty much confirms the motivation behind Botnet. Yes,
it's a _policy_ based mechanism instead of a "spam detection" mechanism,
but the sad truth is that it works MUCH more often than it fails.
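The two checks argued over in this thread and in the "BOTNET Exceptions" thread above (client-looking rDNS versus the A/MX exemption) as an added, stand-alone illustration; this is not the Botnet plugin's code, and the PTR/A/MX tables and the hostnames and addresses in them are constructed for the demonstration, not real records.

```python
import re

# Constructed DNS records standing in for live PTR/A/MX lookups
# (assumption: none of these names or addresses is a real host).
PTR_RECORDS = {
    "192.0.2.10": "customer-192-0-2-10.isp.example",
    "198.51.100.7": "adsl-198-51-100-7.isp.example",
    "203.0.113.5": "mx.isp.example",
}
A_RECORDS = {
    "customer-192-0-2-10.isp.example": {"192.0.2.10"},
    "adsl-198-51-100-7.isp.example": {"198.51.100.7"},
    "mx.isp.example": {"203.0.113.5"},
    "hotel.example": {"192.0.2.10"},        # mail domain's A record is its static IP
    "mail.hotel.example": {"192.0.2.10"},
}
MX_RECORDS = {
    "hotel.example": ["mail.hotel.example"],
    "shop.example": ["mx.isp.example"],     # MX hosted elsewhere, not on the sending IP
}

# Substrings a Botnet-style rule treats as "looks like a client line"
CLIENT_WORDS = ("adsl", "dsl", "dyn", "dial", "cable", "pool", "customer")


def octets_in_name(ip, name):
    """True when all four octets of ip appear as separate tokens of the rDNS name."""
    tokens = re.split(r"[.-]", name.lower())
    return all(octet in tokens for octet in ip.split("."))


def client_indicators(ip, ptr=PTR_RECORDS, a=A_RECORDS):
    """Collect the reasons a sending IP looks like a dynamic/client host."""
    name = ptr.get(ip)
    if name is None:
        return ["no rDNS"]
    reasons = []
    if ip not in a.get(name, set()):
        # the PTR/A mismatch RFC 1912 section 2.1 warns about
        reasons.append("rDNS name does not resolve back to the IP")
    hits = [w for w in CLIENT_WORDS if w in name.lower()]
    if hits:
        reasons.append("client-like words in rDNS: " + ",".join(hits))
    if octets_in_name(ip, name):
        reasons.append("IP octets embedded in rDNS")
    return reasons


def mail_domain_exempts(ip, domain, a=A_RECORDS, mx=MX_RECORDS):
    """The exemption described on the list: the sender's mail domain has an
    A record equal to the sending IP, or an MX host that resolves to it."""
    if ip in a.get(domain, set()):
        return True
    return any(ip in a.get(host, set()) for host in mx.get(domain, []))


def botnet_verdict(ip, sender_domain, rule_score=5.0):
    """Return (score, reasons): 0.0 when clean or exempt, rule_score otherwise."""
    reasons = client_indicators(ip)
    if not reasons:
        return 0.0, reasons
    if mail_domain_exempts(ip, sender_domain):
        return 0.0, reasons + ["exempt: mail domain A/MX points at the sending IP"]
    return rule_score, reasons
```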
Re: Rule for this kind of spam?
On Monday 20 August 2007, Rob McEwen wrote:
> In one of these cases, the message contains ONLY letters and numbers... all
> other spaces, line breaks, and punctuation has been removed. Even
> underscores are removed.

Have you considered the opposite? Removing all letters, numbers and spaces, leaving only punctuation and line breaks?

It's very rare to have valid sentences composed of lines with more than, say, 4 or 5 punctuation marks per line.

I wonder if one could develop a rule around bodies composed of more than, say, X number of excessively punctuated lines.

--
_ John Andersen
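Both heuristics from this exchange (Rob's letters-and-digits-only body, and John's count of excessively punctuated lines) as an added example; it is not a SpamAssassin rule from the thread, the thresholds are assumptions, and the sample bodies are constructed for the demonstration.

```python
import string

PUNCT = set(string.punctuation)

# Constructed sample bodies (not taken from the list posts).
SPAM_BODY = (
    "F.R.E.E - O.F.F.E.R - T.O.D.A.Y !!!\n"
    "c_h_e_a_p d_e_a_l_s: $1.99 -- o_r_d_e_r n.o.w !!!\n"
    "***** [ http://example.invalid/?a=1&b=2 ] *****\n"
    "~~~ r-e-p-l-y t-o-d-a-y ~~~\n"
)
HAM_BODY = (
    "Hi Rob,\n"
    "Thanks for the rule idea. I'll test it on last week's corpus and\n"
    "report back (probably Thursday).\n"
    "-- John\n"
)
ALNUM_BODY = "BuyCheapMedsToday" * 4   # 68 characters, nothing but letters


def punct_per_line(body):
    """Strip letters, digits and whitespace from each non-blank line and
    count what is left: the 'opposite' view suggested in the reply."""
    return [sum(1 for ch in line if ch in PUNCT)
            for line in body.splitlines() if line.strip()]


def excessively_punctuated_lines(body, per_line=5):
    """Number of lines carrying more than per_line punctuation marks."""
    return sum(1 for n in punct_per_line(body) if n > per_line)


def rule_excess_punct(body, per_line=5, min_lines=3):
    """Fire when at least min_lines lines are excessively punctuated
    (per_line and min_lines are assumed thresholds, tune on your corpus)."""
    return excessively_punctuated_lines(body, per_line) >= min_lines


def rule_alnum_only(body, min_len=64):
    """The case in the original post: a body of only letters and digits,
    with every space, line break and punctuation mark stripped."""
    text = body.strip()
    return len(text) >= min_len and text.isalnum()


def fired_rules(body):
    """Names of the two hypothetical rules that match the body."""
    rules = []
    if rule_alnum_only(body):
        rules.append("BODY_ALNUM_ONLY")
    if rule_excess_punct(body):
        rules.append("BODY_EXCESS_PUNCT")
    return rules
```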
Re: Question - How many of you run ALL your email through SA?
On Tue, 21 Aug 2007 at 17:43 -0700, [EMAIL PROTECTED] confabulated:
> On Aug 21, 2007, at 11:48 AM, Duane Hill wrote:
>> Ok. I just examined the clamav.pm plugin and it does appear to pass the
>> message text directly to the ClamAV daemon through the use of the
>> File::Scan::ClamAV perl module. Therefore, it doesn't sound like a temp
>> file is created.
>
> Read the code of that module.

The ClamAV plugin passes the text of the message using:

    my ($code, $virus) = $clamav->streamscan(${$fulltext});

$fulltext is the text that was sent to the plugin from SA. 'streamscan'
then establishes a TCP connection to the ClamAV daemon and feeds the text
to it:

    sub streamscan {
        my ($self) = shift;
        my $data = join '', @_;

        $self->_seterrstr;
        # control connection to clamd; ask it for a data port
        my $conn = $self->_get_connection || return;
        $self->_send($conn, "STREAM\n");
        chomp(my $response = $conn->getline);

        my @return;
        if ($response =~ /^PORT (\d+)/) {
            # push the message body over the separate data connection
            if ((my $c = $self->_get_tcp_connection($1))) {
                $self->_send($c, $data);
                $c->close;
                # clamd reports the result back on the control connection
                chomp(my $r = $conn->getline);
                if ($r =~ /stream: (.+) FOUND/i) {
                    @return = ('FOUND', $1);
                } else {
                    @return = ('OK');
                }
            } else {
                $conn->close;
                return;
            }
        }
        $conn->close;
        return @return;
    }
Re: Blacklist problems!
Michael Chapman wrote:
> Hi there:
>
> This should be a fairly simple question for the experts out there ...
> everything I'm receiving is being blacklisted, and the reports
> indicate that all these messages are flagged as "USER_IN_BLACKLIST."
> Where? I don't have a user_prefs, and my global is really simple:

First, I assume by your "global" you mean your local.cf

Have you tried the simple approach of commenting out all your blacklist_from commands?

Do you have *ANY* other .cf files in the same directory as your local.cf? SA will read ALL of them, and use ALL of them.

Are you sure you're even using the right directory? Try running

    spamassassin --lint -D

and the earlier parts of the debug output should list all the directories and files SA is using. In particular this line could be quite useful to you:

    [22185] dbg: config: using "/etc/mail/spamassassin" for site rules dir

Along with the lines that follow indicating all the .cf files

Looking at the message headers, I'm assuming you're using SpamAssassin 3.2.2. You really should include that kind of info in your posts.

One part that makes me wonder what's missing is your own system seems to have generated:

    X-Old-Spam-Status: No, score=-0.9 required=8.0 tests=AWL,BAYES_00,
        USER_IN_BLACKLIST,USER_IN_WHITELIST autolearn=ham version=3.2.2

I don't see anything in your posted config that would have blacklisted OR whitelisted the message. But somehow, it got both.

Also, using your same configuration (as posted) I get:

    X-Spam-Status: No, score=-2.8 required=8.0 tests=RCVD_IN_DNSWL_MED,
        RCVD_IN_SORBS_WEB,RDNS_NONE autolearn=ham version=3.2.3

Admittedly a different version of SA, but that shouldn't affect the white/blacklist decisions. That's telling me there's more to your config than you think.

Personally, I think the --lint -D should take you pretty far into finding out what's going on, or at least give you all the files you need to grep.

You could also try running a message through spamassassin -D on the command line. This would tell you which exact address matched a blacklist, but you'd have to wade deep into the debug output to find it.
RE: Bouncing emails from certain countries
This would work fine if you expect emails only from those countries. Our company does business in Central & South America as well (which also means allowing lots of Spanish & Portuguese). We do not do business in Europe or Asia and I see quite a bit of spam from *.ru and *.su. I do not have a country-based solution in place as the vast majority are caught in other rules.

- Skip

> I used IP::Country::Fast to block everything except canada and usa...
>
> I've only had to add one company to an allow list because
> they are in Italy...
>
> I don't think it's that bad of a solution,
> depending on where your company's customers are located..
Re: BOTNET Exceptions for Today
On Tue, 21 Aug 2007 16:56:27 -0500 Andy Sutton <[EMAIL PROTECTED]> wrote:
> On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
>> b) Botnet gets 0% false positives at one of my services (not just
>> "borked DNS == bad", as you're suggesting, but actual "everything
>> that triggered botnet was actually spam"). And, yes, I actually
>> check
>
> I never suggested that.

Um, you suggested _exactly_ that. From the message John was replying to
(<[EMAIL PROTECTED]>):

  On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
  > When I see on the list that many people run botnet with ZERO false
  > positives, I have to ask myself, "how?

  Anyone who claims that isn't really looking at the email they are
  blocking, or don't believe borked DNS qualify as a FP.

> A bit tetchy today?

When you're presenting hyperbole as reasoned commentary, seems to me John
has a right to be tetchy. If you had said what you said in this message
originally, I suspect you would have gotten a different response.

Mike.
Re: Bouncing emails from certain countries
I used IP::Country::Fast to block everything except canada and usa...

I've only had to add one company to an allow list because they are in Italy...

I don't think it's that bad of a solution, depending on where your company's customers are located..

On 8/21/07, Skip Brott <[EMAIL PROTECTED]> wrote:
> Out of curiosity (as this is a feature that I would like to have as well for
> a couple of specific countries), is there a reason that a couple of SA
> plugins can't be used:
>
> http://wiki.apache.org/spamassassin/URICountryPlugin
> Or
> http://wiki.apache.org/spamassassin/RelayCountryPlugin
>
> I am not certain which of these would be the correct one to implement.
>
> - Skip
Fwd: Bouncing emails from certain countries
-- Forwarded message --
From: Daniel Aquino <[EMAIL PROTECTED]>
Date: Aug 21, 2007 9:51 PM
Subject: Re: Bouncing emails from certain countries
To: "John D. Hardin" <[EMAIL PROTECTED]>

I used IP::Country::Fast to block everything except canada and usa...

I've only had to add one company to an allow list because they are in Italy...

I don't think it's that bad of a solution, depending on where your company's customers are located..
RE: Blacklist problems!
> No need for these settings if you have the above "ok_languages en"

I think you are correct if you assume that emails coming from *.ru (for example), are written in something other than English, which is rarely the case. Much of the spam I see from *.ru and *.su is in English.

- Skip
Re: Question - How many of you run ALL your email through SA?
On Aug 21, 2007, at 1:42 PM, Marc Perkel wrote:
> I've been using Clam but I've heard of Amavisd - do I want it? What all
> does it do?

amavisd-new provides a nice front-end for virus and spamassassin scanning. It's like using spamd, but a lot more featureful. In my case it was the easiest way to (a) snap into sendmail without using a separate front-end scanner and (b) have useful end-user tools for managing spam controls.

That said, it does white/black/etc listing in its own databases, not the SA ones, etc etc. So research it.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Question - How many of you run ALL your email through SA?
On Aug 21, 2007, at 11:48 AM, Duane Hill wrote:
> Ok. I just examined the clamav.pm plugin and it does appear to pass the
> message text directly to the ClamAV daemon through the use of the
> File::Scan::ClamAV perl module. Therefore, it doesn't sound like a temp
> file is created.

Read the code of that module.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Suggested botnet rule scores
Nix wrote on Tue, 21 Aug 2007 23:24:23 +0100:
> (Personally I'd prefer that *no* single rule could push a mail more than
> halfway towards spamminess...)

Absolutely agreed, with a few exceptions, like Bayes_99 :-)

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: BOTNET Exceptions for Today
Bret Miller wrote:
> I keep saying that I have false positives with botnet, but haven't
> substantiated that to date. So, today I'm spending a little time making
> exceptions since I would like this to work. Here are today's:
[snip]
> meridiencancun.com.mx, sent from IP , resolves to
> customer-148-233-9-212.uninet-ide.com.mx #more stupidity

Here's a good example of why Botnet's default score is too high, those guys at meridiencancun have a so called "Enterprise account" with their ISP, what they get is a fixed IP and no control over reverse DNS, that's why the reverse returns what the ISP configured. Best practices and other fiction don't apply to the real world in cases like this.

Yes it can be called stupidity, but in this case is the ISP and the legitimate business can't do much about it; very few ISPs in the .mx zone allow you any control over reverse DNS, perhaps none in the region that hotel operates.

[snip]

--
René Berber
Re: Blacklist problems!
Maybe you don't have a user_prefs, but then maybe you are not the user calling SpamAssassin.

    find / -name user_prefs | xargs grep -i blacklist_from
    find / -name local.cf | xargs grep -i blacklist_from

Gary V

or (better)

    find / -name user_prefs | xargs grep -i blacklist_
    find / -name local.cf | xargs grep -i blacklist_

It was mentioned to check all .cf files, good idea:

    # the pattern is quoted so the shell does not expand *.cf against the
    # current directory before find sees it
    find / -name '*.cf' | xargs grep -i blacklist_
Re: Blacklist problems!
I had to dive back into spam to get your message though.

Michael Chapman wrote:
> Well, nothing has worked so far ... every message that I have coming in
> (except for the specifically white-listed messages from this mailing
> list) have USER_IN_BLACKLIST flagged. Where on earth is it getting
> this? You've seen my local.cf, I don't have a user_prefs anymore (blew
> it away in hopes of resolving this.)
>
> My head hurts.
>
> Thanks!
> Michael

Maybe you don't have a user_prefs, but then maybe you are not the user calling SpamAssassin.

    find / -name user_prefs | xargs grep -i blacklist_from
    find / -name local.cf | xargs grep -i blacklist_from

Gary V

or (better)

    find / -name user_prefs | xargs grep -i blacklist_
    find / -name local.cf | xargs grep -i blacklist_
Re: BOTNET Exceptions for Today
At 14:08 21-08-2007, John Rudd wrote:
> Technically, there is a problem with it: it violates best practices
> asserted by RFC 1912, section 2.1, which warns that not having matching
> PTR and A records can cause a loss/denial of internet services.

You're right.

Regards,
-sm
Re: Blacklist problems!
Oh, and yes, I did restart SA. That's not a silly question, Andy! :)

I had to dive back into spam to get your message though.

Michael Chapman wrote:
> Well, nothing has worked so far ... every message that I have coming in
> (except for the specifically white-listed messages from this mailing
> list) have USER_IN_BLACKLIST flagged. Where on earth is it getting
> this? You've seen my local.cf, I don't have a user_prefs anymore (blew
> it away in hopes of resolving this.)
>
> My head hurts.
>
> Thanks!
> Michael

Maybe you don't have a user_prefs, but then maybe you are not the user calling SpamAssassin.

    find / -name user_prefs | xargs grep -i blacklist_from
    find / -name local.cf | xargs grep -i blacklist_from

Gary V
Re: Suggested botnet rule scores
On 21 Aug 2007, Kai Schaetzl outgrape:
> Nix wrote on Tue, 21 Aug 2007 09:27:11 +0100:
>
>> If anybody is really so stupid as to unconditionally block mail from
>> hosts merely because of string matching in their rDNS, I'm not sure they
>> *deserve* to see any email...
>
> No, it's stupid to send mail from "adsl" named ranges if you want to get
> your mail read. I think we can drop this discussion. It doesn't matter
> what you or I think, I just told you what's common practice and keeps
> getting "commoner".

I'm just pointing out, *again*, that this should not be the sole criterion. I don't think I've had any spam that's scored less than about 4.0 in a week or so: you don't need botnet to contribute much to push that above 5.0.

(Personally I'd prefer that *no* single rule could push a mail more than halfway towards spamminess...)
Re: Suggested botnet rule scores
On 21 Aug 2007, Kai Schaetzl said:
> Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100:
>
>> It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but
>> also hosts with e.g. the string `adsl' in its rDNS, even if that host happens
>> to have a static assignment.
>
> Well, if it's static they can give you rDNS and you can use a hostname of
> your choice for A and PTR.

My ISP doesn't give me that option (well, OK, it probably gives *me* that option because I can bug the ISP's technical director, but not people who've posted bonds). I'd venture to guess that the vast majority of small business UK ISPs, even those that do not provide useful outbound relaying MTAs, do not delegate rDNS to individual users.

(Of course, this is all sophistry to an extent: right now the vast majority of mail sent directly from ADSL lines *is* probably sent from botted hosts. :( )
Re: Blacklist problems!
Oh, and yes, I did restart SA. That's not a silly question, Andy! :)

I had to dive back into spam to get your message though.

Michael Chapman wrote:
> Well, nothing has worked so far ... every message that I have coming in
> (except for the specifically white-listed messages from this mailing
> list) have USER_IN_BLACKLIST flagged. Where on earth is it getting
> this? You've seen my local.cf, I don't have a user_prefs anymore (blew
> it away in hopes of resolving this.)
>
> My head hurts.
>
> Thanks!
> Michael
>
> Michael Chapman wrote:
>> Thanks ... I can certainly take care of the whitelist items. The
>> country codes are all remarked out, as I used the ok_languages as you
>> indicated. How will changing the whitelist entries prevent my incoming
>> mail from being blacklisted?
>>
>> Thanks again!
>> Michael
>>
>>> I would set the following
>>>
>>>     whitelist_from_rcvd *.musiciansfriend.com musiciansfriend.com
>>>     whitelist_from_rcvd *.apache.org apache.org
>>>
>>> LOOK HERE FOR MORE INFO ON THIS OPTION
>>> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html
>>>
>>>     blacklist_from [EMAIL PROTECTED]
>>>     required_hits 8
>>>     rewrite_header Subject [SPAM]
>>>     report_safe 1
>>>     use_bayes 1
>>>     bayes_auto_learn 0
>>>     skip_rbl_checks 0
>>>     use_razor2 1
>>>     use_pyzor 1
>>>     ok_languages en
>>>
>>>     # Blacklist for foreign countries we don't care about getting mail from
>>>     #
>>>     #blacklist_from *.ar
>>>     #blacklist_from *.tr
>>>     #blacklist_from *.cn
>>>     #blacklist_from *.hr
>>>     #blacklist_from *.ru
>>>     #blacklist_from *.tw
>>>
>>> No need for these settings if you have the above "ok_languages en"
>>>
>>> -=Aubrey=-
>>>
>>> Michael Chapman wrote:
>>>> OK ... after diving back into my spam to get responses to this
>>>> message, I turned off AWL in v310.pre and removed all blacklist items
>>>> from local.cf and user_prefs. Still no joy. Everything is still
>>>> getting flagged as before! What is going on?
>>>>
>>>> Thanks for all of your help so far, gang!
>>>> Michael
>>>>
>>>> Michael Chapman wrote:
>>>>> Hi there:
>>>>>
>>>>> This should be a fairly simple question for the experts out there ...
>>>>> everything I'm receiving is being blacklisted, and the reports
>>>>> indicate that all these messages are flagged as "USER_IN_BLACKLIST."
>>>>> Where? I don't have a user_prefs, and my global is really simple:
>>>>>
>>>>>     # These values can be overridden by editing ~/.spamassassin/user_prefs.cf
>>>>>     # (see spamassassin(1) for details)
>>>>>
>>>>>     # These should be safe assumptions and allow for simple visual sifting
>>>>>     # without risking lost emails.
>>>>>
>>>>>     whitelist_from *.musiciansfriend.com
>>>>>     whitelist_from *.apache.org
>>>>>     blacklist_from [EMAIL PROTECTED]
>>>>>
>>>>>     required_hits 8
>>>>>     #report_safe 0
>>>>>     rewrite_header Subject [SPAM]
>>>>>
>>>>>     # SpamAssassin config file for version 3.x
>>>>>     #
>>>>>     # NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
>>>>>     #
>>>>>     # See http://www.yrex.com/spam/spamconfig25.php for earlier versions
>>>>>     #
>>>>>     # Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
>>>>>     #
>>>>>     # How many hits before a message is considered spam.
>>>>>     required_score 5.0
>>>>>     #
>>>>>     # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
>>>>>     report_safe 1
>>>>>     #
>>>>>     # Enable the Bayes system
>>>>>     use_bayes 1
>>>>>     #
>>>>>     # Enable Bayes auto-learning
>>>>>     bayes_auto_learn 1
>>>>>     #
>>>>>     # Enable or disable network checks
>>>>>     skip_rbl_checks 0
>>>>>     use_razor2 1
>>>>>     #use_dcc 1
>>>>>     use_pyzor 1
>>>>>     #
>>>>>     # Mail using languages used in these country codes will not be marked
>>>>>     # as being possibly spam in a foreign language.
>>>>>     #ok_languages en
>>>>>     #
>>>>>     # Mail using locales used in these country codes will not be marked
>>>>>     # as being possibly spam in a foreign language.
>>>>>     ok_locales en
>>>>>
>>>>>     # Blacklist for foreign countries we don't care about getting mail from
>>>>>     #
>>>>>     blacklist_from *.ar
>>>>>     blacklist_from *.tr
>>>>>     blacklist_from *.cn
>>>>>     blacklist_from *.hr
>>>>>     blacklist_from *.ru
>>>>>     blacklist_from *.tw
>>>>>
>>>>> This all worked just fine when I was using RH9/SA 2.6. This is on
>>>>> Fedora 7 with SA 3.2.2. I am using procmail to process incoming mail,
>>>>> and using ClamAV for virus stuff. Is there a way I can reset the
>>>>> blacklist? This is driving me nuts. I don't want to use all_spam_to
>>>>> just to get my mail!
>>>>>
>>>>> Help! Please?
>>>>>
>>>>> Thanks!
>>>>> Michael
Re: BOTNET Exceptions for Today
On Tue, 2007-08-21 at 13:42 -0700, John Rudd wrote:
> b) Botnet gets 0% false positives at one of my services (not just
> "borked DNS == bad", as you're suggesting, but actual "everything that
> triggered botnet was actually spam"). And, yes, I actually check

I never suggested that. My thoughts were more along the lines of business critical email (oxymoron I know) that is sent from a clueless setup. I'm glad you have not run into that situation yet, but as time goes on the probability of FP increases to 1. That goes with any setup, not just botnet specific ones.

> You might want to have an actual basis for your claims before you go
> off making poorly informed generalizations about other people's mail
> environments.

A bit tetchy today? I'm not saying botnet is bad, as it obviously works for a lot of people. I also think it's great that you decided to share your work. However, you have to agree 0% FP is similar to saying 100% uptime. It may be fact right now, but tomorrow is always a different story.

--
- Andy

The test of courage comes when we are in the minority. The test of tolerance comes when we are in the majority. - Ralph W. Sockman
Re: Blacklist problems!
Michael Chapman wrote:
> Well, nothing has worked so far ... every message that I have coming in
> (except for the specifically white-listed messages from this mailing
> list) have USER_IN_BLACKLIST flagged. Where on earth is it getting
> this? You've seen my local.cf, I don't have a user_prefs anymore (blew
> it away in hopes of resolving this.)

What's the "spamassassin --lint -D" output (running under the same user as your production setup)? This may show additional .cf files being used.

--
Matthias
Re: BOTNET Exceptions for Today
> I don't know, but botnet hits a significant amount of legitimate email
> here, regardless of how badly configured the sending servers are.

I set botnet to score two, and I flag as spam at four. Every time I've had a false positive botnet hit, other rules have been enough to keep the score below four. When I first configured botnet I monitored it closely and didn't find a single instance of it pushing ham over four. Of course my email profile is probably very different from yours. You need to find your own proper balance of scores.

> I just don't have the option of telling our president's assistant that
> "we can't accept email from your husband because the IT department at
> the City of Pasadena won't fix their DNS issues for their email server."
> That's just not acceptable in a corporate environment

Really? Then I wouldn't want to work in that corporate environment. Of course I believe if you're marking a message as spam solely based on botnet, then your server is misconfigured. But as I said, each to his own mail profile.
Re: BOTNET Exceptions for Today
Bret Miller wrote on Tue, 21 Aug 2007 13:08:06 -0700:
> When I see on the list that many people run botnet with ZERO false
> positives, I have to ask myself, "how? And why is our setup here so
> different?" Perhaps they already block email with invalid rdns at the MTA
> level, so none of this ever gets looked at. Perhaps their users just give up
> when they don't get email that they expect and use a free email account
> instead for that email. I don't know, but botnet hits a significant amount
> of legitimate email here, regardless of how badly configured the sending
> servers are.

Well, the point is: do you want to accept mail from servers that are not correctly set up? Then better don't use Botnet or use lower scores.

Kai

--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Question - How many of you run ALL your email through SA?
Marc Perkel wrote:
> Jo Rhett wrote:
>> On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
>>> On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
>>>> It seems to mostly help when it drops the message into a file for
>>>> clamav to scan.
>>>
>>> Is that using the ClamAV plugin or outside of SA completely? I am
>>> currently using the ClamAV plugin with the SaneSecurity additions.
>>
>> I'm using Amavisd, which invokes clamav itself before calling SA. So
>> your environment may be entirely different.
>>
>> Examine the process and see if/when/how it uses temporary files. It
>> always seems to be faster using a ramdisk for the temp files.
>
> I've been using Clam but I've heard of Amavisd - do I want it? What all
> does it do?

See: http://www.ijs.si/software/amavisd/ for details.

Bill
Re: BOTNET Exceptions for Today
SM wrote:
> The server.nch.com.au case is an interesting one. Technically, there
> isn't anything wrong with that setup. But I digress as we are talking
> about antispam here.

Technically, there is a problem with it: it violates best practices asserted by RFC 1912, section 2.1, which warns that not having matching PTR and A records can cause a loss/denial of internet services.
Need a plugin written relating to black/white/yellow lists
I'd like to get some people to take an idea that I'm been using successfully for a long time that I would like to see implemented in SA. I'm doing it mostly with Exim rules and generating these lists in some unusual ways. But if this were done right it would make SA a lot faster and more accurate. Here's a link to and overview of my lists: http://wiki.ctyme.com/index.php/Spam_DNS_Lists But - ultimately my lists would be replaced by a more massive public list that would be done better than what I started. I'd like a plugin written or someone who understands the rules better than me to build on these ideas. What I have is my hostkarma list which returns different code depending on the reputation of the sending host. Before you look at this as just another blacklist - the real power is in the white and yellow lists. First - an overview. My list returns these codes: * 127.0.0.1 - whilelist - trusted nonspam * 127.0.0.2 - blacklist - block spam * 127.0.0.3 - yellowlist - mix of spam and nonspam * 127.0.0.4 - brownlist - all spam - but not yet enough to blacklist The idea here is that white short circuit to HAM and could be autolearned. Yellow is for mixed source hosts like Hotmail, Yahoo, etc that should never be blacklisted. This is important because if a host is yellow listed then you skip all blacklist tests and move on to other tests. This will allow you to avoid testing to see if Yahoo hosts are blacklisted. Brown listing is a host not bad enough to be blacklisted but still worth a point ot so. My list has about 275k black, 300k brown, 20k yellow, and 6k white. So I have some useful data. Here's some rules to use it now but I'd like to see someone smarter than me improve these to do it right. 
header __RCVD_IN_JMFILTER eval:check_rbl('JMFILTER','hostkarma.junkemailfilter.com.')
describe __RCVD_IN_JMFILTER Sender listed in JMFILTER
tflags __RCVD_IN_JMFILTER net

header RCVD_IN_JMFILTER_W eval:check_rbl_sub('JMFILTER', '127.0.0.1')
describe RCVD_IN_JMFILTER_W Sender listed in JMFILTER-WHITE
tflags RCVD_IN_JMFILTER_W net nice
score RCVD_IN_JMFILTER_W -5

header RCVD_IN_JMFILTER_B eval:check_rbl_sub('JMFILTER', '127.0.0.2')
describe RCVD_IN_JMFILTER_B Sender listed in JMFILTER-BLACK
tflags RCVD_IN_JMFILTER_B net
score RCVD_IN_JMFILTER_B 4.0

# brown list gets its own rule name: reusing RCVD_IN_JMFILTER_B here would redefine the black rule above
header RCVD_IN_JMFILTER_BR eval:check_rbl_sub('JMFILTER', '127.0.0.4')
describe RCVD_IN_JMFILTER_BR Sender listed in JMFILTER-BROWN
tflags RCVD_IN_JMFILTER_BR net
score RCVD_IN_JMFILTER_BR 1.0

What it needs is: if it's white, then we short circuit to call it ham and skip other tests. The white list is very accurate and it's not hard to get a good whitelist. The yellow list is also very good. The idea here is to stop all other blacklist tests after a yellow list hit. I don't know how to do that in SA.

Then - like the black lists - these lists can be enhanced by people sharper than me. And instead of me hosting it someone can do it right, or better than me.

So - the point - this works for me - let's make it better. Who's interested?
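The short-circuit logic the post asks for, as an added example that is neither the post's rules nor SpamAssassin code: white ends scanning as ham, yellow suppresses every further blacklist lookup, black and brown just add their score. The zone name is the one in the post; the DNS answers come from a constructed in-memory table using RFC 5737 addresses, so it runs offline.

```python
"""Tiered host-reputation lookup with white/yellow short-circuiting."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LIST_ZONE = "hostkarma.junkemailfilter.com."   # zone named in the post

# Return codes exactly as the post lists them.
CODES = {
    "127.0.0.1": "white",    # trusted non-spam
    "127.0.0.2": "black",    # block spam
    "127.0.0.3": "yellow",   # mixed source (Hotmail, Yahoo, ...): never blacklist
    "127.0.0.4": "brown",    # all spam, not yet enough to blacklist
}
# Scores taken from the post's rules; yellow carries no score, it only
# suppresses further blacklist lookups.
SCORES = {"white": -5.0, "black": 4.0, "brown": 1.0, "yellow": 0.0}

# Constructed zone data (RFC 5737 documentation addresses), keyed by query name.
FAKE_ZONE: Dict[str, str] = {
    "10.2.0.192." + LIST_ZONE: "127.0.0.1",     # 192.0.2.10    white
    "7.100.51.198." + LIST_ZONE: "127.0.0.2",   # 198.51.100.7  black
    "25.113.0.203." + LIST_ZONE: "127.0.0.3",   # 203.0.113.25  yellow
    "26.113.0.203." + LIST_ZONE: "127.0.0.4",   # 203.0.113.26  brown
    "200.2.0.192." + LIST_ZONE: "127.0.0.255",  # 192.0.2.200   bogus answer
}
Resolver = Callable[[str], Optional[str]]


@dataclass
class Verdict:
    karma: Optional[str]      # list colour, or None when unlisted
    score: float              # contribution of this list alone
    short_circuit_ham: bool   # white: stop scanning, the message is ham
    skip_other_dnsbls: bool   # white/yellow: do not consult further blacklists


def query_name(ip: str) -> str:
    """DNSBL query name: octets reversed, then the list zone."""
    addr = ipaddress.IPv4Address(ip)    # rejects anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + LIST_ZONE


def lookup(ip: str, resolve: Resolver = FAKE_ZONE.get) -> Optional[str]:
    """Map the A answer to a colour; an unknown code is an error, never a hit."""
    answer = resolve(query_name(ip))
    if answer is None:
        return None
    if answer not in CODES:
        raise ValueError(f"unexpected answer {answer!r} from {LIST_ZONE}")
    return CODES[answer]


def classify(ip: str, resolve: Resolver = FAKE_ZONE.get) -> Verdict:
    """Turn the list colour into the actions the post describes."""
    karma = lookup(ip, resolve)
    if karma == "white":
        return Verdict(karma, SCORES[karma], True, True)
    if karma == "yellow":
        return Verdict(karma, SCORES[karma], False, True)
    if karma in ("black", "brown"):
        return Verdict(karma, SCORES[karma], False, False)
    return Verdict(None, 0.0, False, False)


def score_message(ip: str, other_dnsbl_scores: Dict[str, float],
                  resolve: Resolver = FAKE_ZONE.get) -> float:
    """Combine the karma verdict with the scores of the other DNSBLs the
    sender is listed in; those lists are only consulted when the verdict
    allows it, which is what keeps a yellow-listed Yahoo host off the
    aggressive blacklists."""
    v = classify(ip, resolve)
    if v.short_circuit_ham or v.skip_other_dnsbls:
        return v.score
    return v.score + sum(other_dnsbl_scores.values())


if __name__ == "__main__":
    hits_elsewhere = {"SOME_AGGRESSIVE_BL": 3.0}   # constructed: listed on another blacklist
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.25", "203.0.113.26", "192.0.2.99"):
        print(ip, classify(ip).karma, score_message(ip, hits_elsewhere))
```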
Re: Blacklist problems!
Thanks ... I can certainly take care of the whitelist items. The country codes are all remarked out, as I used the ok_languages as you indicated. How will changing the whitelist entries prevent my incoming mail from being blacklisted?

Thanks again!

Michael

> I would set the following
>
> whitelist_from_rcvd *.musiciansfriend.com musiciansfriend.com
> whitelist_from_rcvd *.apache.org apache.org
>
> LOOK HERE FOR MORE INFO ON THIS OPTION
> http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html
>
> blacklist_from [EMAIL PROTECTED]
> required_hits 8
> rewrite_header Subject [SPAM]
> report_safe 1
> use_bayes 1
> bayes_auto_learn 0
> skip_rbl_checks 0
> use_razor2 1
> use_pyzor 1
> ok_languages en
>
> # Blacklist for foreign countries we don't care about getting mail from
> #
> #blacklist_from *.ar
> #blacklist_from *.tr
> #blacklist_from *.cn
> #blacklist_from *.hr
> #blacklist_from *.ru
> #blacklist_from *.tw
>
> No need for these settings if you have the above "ok_languages en"
>
> -=Aubrey=-
>
> Michael Chapman wrote:
> > OK ... after diving back into my spam to get responses to this message, I turned off AWL in v310.pre and removed all blacklist items from local.cf and user_prefs. Still no joy. Everything is still getting flagged as before! What is going on?
> >
> > Thanks for all of your help so far, gang!
> >
> > Michael
> >
> > Michael Chapman wrote:
> > > Hi there:
> > >
> > > This should be a fairly simple question for the experts out there ... everything I'm receiving is being blacklisted, and the reports indicate that all these messages are flagged as "USER_IN_BLACKLIST." Where? I don't have a user_prefs, and my global is really simple:
> > >
> > > # These values can be overridden by editing ~/.spamassassin/user_prefs.cf
> > > # (see spamassassin(1) for details)
> > >
> > > # These should be safe assumptions and allow for simple visual sifting
> > > # without risking lost emails.
> > >
> > > whitelist_from *.musiciansfriend.com
> > > whitelist_from *.apache.org
> > > blacklist_from [EMAIL PROTECTED]
> > > required_hits 8
> > > #report_safe 0
> > > rewrite_header Subject [SPAM]
> > >
> > > # SpamAssassin config file for version 3.x
> > > # NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
> > > # See http://www.yrex.com/spam/spamconfig25.php for earlier versions
> > > # Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
> > >
> > > # How many hits before a message is considered spam.
> > > required_score 5.0
> > >
> > > # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
> > > report_safe 1
> > >
> > > # Enable the Bayes system
> > > use_bayes 1
> > >
> > > # Enable Bayes auto-learning
> > > bayes_auto_learn 1
> > >
> > > # Enable or disable network checks
> > > skip_rbl_checks 0
> > > use_razor2 1
> > > #use_dcc 1
> > > use_pyzor 1
> > >
> > > # Mail using languages used in these country codes will not be marked
> > > # as being possibly spam in a foreign language.
> > > #ok_languages en
> > >
> > > # Mail using locales used in these country codes will not be marked
> > > # as being possibly spam in a foreign language.
> > > ok_locales en
> > >
> > > # Blacklist for foreign countries we don't care about getting mail from
> > > #
> > > blacklist_from *.ar
> > > blacklist_from *.tr
> > > blacklist_from *.cn
> > > blacklist_from *.hr
> > > blacklist_from *.ru
> > > blacklist_from *.tw
> > >
> > > This all worked just fine when I was using RH9/SA 2.6. This is on Fedora 7 with SA 3.2.2. I am using procmail to process incoming mail, and using ClamAV for virus stuff.
> > >
> > > Is there a way I can reset the blacklist? This is driving me nuts. I don't want to use all_spam_to just to get my mail! Help! Please?
> > >
> > > Thanks!
> > >
> > > Michael
Re: Blacklist problems!
Michael Chapman wrote:
> Hi there:
>
> This should be a fairly simple question for the experts out there ... everything I'm receiving is being blacklisted, and the reports indicate that all these messages are flagged as "USER_IN_BLACKLIST." Where? I don't have a user_prefs, and my global is really simple:
>
> # These values can be overridden by editing ~/.spamassassin/user_prefs.cf
> # (see spamassassin(1) for details)
>
> # These should be safe assumptions and allow for simple visual sifting
> # without risking lost emails.
>
> whitelist_from *.musiciansfriend.com
> whitelist_from *.apache.org
> blacklist_from [EMAIL PROTECTED]
> required_hits 8
> #report_safe 0
> rewrite_header Subject [SPAM]
>
> # SpamAssassin config file for version 3.x
> # NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
> # See http://www.yrex.com/spam/spamconfig25.php for earlier versions
> # Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
>
> # How many hits before a message is considered spam.
> required_score 5.0
>
> # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
> report_safe 1
>
> # Enable the Bayes system
> use_bayes 1
>
> # Enable Bayes auto-learning
> bayes_auto_learn 1
>
> # Enable or disable network checks
> skip_rbl_checks 0
> use_razor2 1
> #use_dcc 1
> use_pyzor 1
>
> # Mail using languages used in these country codes will not be marked
> # as being possibly spam in a foreign language.
> #ok_languages en
>
> # Mail using locales used in these country codes will not be marked
> # as being possibly spam in a foreign language.
> ok_locales en
>
> # Blacklist for foreign countries we don't care about getting mail from
> #
> blacklist_from *.ar
> blacklist_from *.tr
> blacklist_from *.cn
> blacklist_from *.hr
> blacklist_from *.ru
> blacklist_from *.tw
>
> This all worked just fine when I was using RH9/SA 2.6. This is on Fedora 7 with SA 3.2.2. I am using procmail to process incoming mail, and using ClamAV for virus stuff.
>
> Is there a way I can reset the blacklist? This is driving me nuts. I don't want to use all_spam_to just to get my mail! Help! Please?
>
> Thanks!
>
> Michael

I would set the following

whitelist_from_rcvd *.musiciansfriend.com musiciansfriend.com
whitelist_from_rcvd *.apache.org apache.org

LOOK HERE FOR MORE INFO ON THIS OPTION
http://spamassassin.apache.org/full/3.1.x/doc/Mail_SpamAssassin_Conf.html

blacklist_from [EMAIL PROTECTED]
required_hits 8
rewrite_header Subject [SPAM]
report_safe 1
use_bayes 1
bayes_auto_learn 0
skip_rbl_checks 0
use_razor2 1
use_pyzor 1
ok_languages en

# Blacklist for foreign countries we don't care about getting mail from
#
#blacklist_from *.ar
#blacklist_from *.tr
#blacklist_from *.cn
#blacklist_from *.hr
#blacklist_from *.ru
#blacklist_from *.tw

No need for these settings if you have the above "ok_languages en"

-=Aubrey=-
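What whitelist_from, whitelist_from_rcvd and blacklist_from actually match, as an added example modelled on SpamAssassin's documented glob syntax ('*' any string, '?' one character, case-insensitive, whole address) rather than its own code: the config text is the thread's own lines, with the redacted address replaced by a constructed placeholder, and the relay rDNS values are constructed.

```python
"""Address-list semantics: plain From-address globs versus the rcvd variant."""
import re
from typing import List, Optional, Tuple

# Michael's address-list lines as posted; the redacted address is a placeholder.
ORIGINAL_CF = """
whitelist_from *.musiciansfriend.com
whitelist_from *.apache.org
blacklist_from spammer@example.com
# Blacklist for foreign countries we don't care about getting mail from
blacklist_from *.ar
blacklist_from *.tr
blacklist_from *.cn
blacklist_from *.hr
blacklist_from *.ru
blacklist_from *.tw
"""
# Aubrey's replacement: the handing-off relay's reverse DNS must also sit in the domain.
SUGGESTED_CF = """
whitelist_from_rcvd *.musiciansfriend.com musiciansfriend.com
whitelist_from_rcvd *.apache.org apache.org
"""


def glob_to_regex(pattern: str) -> "re.Pattern":
    """'*' -> any string, '?' -> one char, everything else literal, whole-address match."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def rdns_in_domain(rdns: str, domain: str) -> bool:
    """True when rdns is the domain or a subdomain of it (suffix must start at a dot)."""
    rdns, domain = rdns.lower().rstrip("."), domain.lower().rstrip(".")
    return rdns == domain or rdns.endswith("." + domain)


class AddressLists:
    def __init__(self) -> None:
        self.whitelist_from: List["re.Pattern"] = []
        self.whitelist_from_rcvd: List[Tuple["re.Pattern", str]] = []
        self.blacklist_from: List["re.Pattern"] = []

    def load(self, config_text: str) -> None:
        """Read only the three address-list options; other options are ignored."""
        for raw in config_text.splitlines():
            line = raw.split("#", 1)[0].strip()   # '#' starts a comment, as in local.cf
            if not line:
                continue
            key, *args = line.split()
            if key == "whitelist_from":
                self.whitelist_from += [glob_to_regex(a) for a in args]
            elif key == "blacklist_from":
                self.blacklist_from += [glob_to_regex(a) for a in args]
            elif key == "whitelist_from_rcvd" and len(args) == 2:
                self.whitelist_from_rcvd.append((glob_to_regex(args[0]), args[1]))

    def hits(self, sender: str, relay_rdns: Optional[str]) -> List[str]:
        """Which options fire for a From address and the rDNS of the untrusted relay
        that handed us the message (None when the relay has no rDNS)."""
        fired = []
        if any(p.match(sender) for p in self.whitelist_from):
            fired.append("whitelist_from")          # forgeable: only the header is checked
        if relay_rdns and any(p.match(sender) and rdns_in_domain(relay_rdns, d)
                              for p, d in self.whitelist_from_rcvd):
            fired.append("whitelist_from_rcvd")     # header AND relay must agree
        if any(p.match(sender) for p in self.blacklist_from):
            fired.append("blacklist_from")
        return fired


if __name__ == "__main__":
    orig, sug = AddressLists(), AddressLists()
    orig.load(ORIGINAL_CF)
    sug.load(SUGGESTED_CF)
    # Constructed relay names: one inside musiciansfriend.com, one elsewhere.
    for who, rdns in (("news@lists.musiciansfriend.com", "mx1.musiciansfriend.com"),
                      ("news@lists.musiciansfriend.com", "bot.example.net"),
                      ("someone@example.com.ar", None)):
        print(who, rdns, "original:", orig.hits(who, rdns), "suggested:", sug.hits(who, rdns))
```

Note that `*.musiciansfriend.com` as posted only matches addresses whose text ends in `.musiciansfriend.com`, so `news@musiciansfriend.com` itself is not covered; `*@musiciansfriend.com` would be.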
Re: Blacklist problems!
OK ... after diving back into my spam to get responses to this message, I turned off AWL in v310.pre and removed all blacklist items from local.cf and user_prefs. Still no joy. Everything is still getting flagged as before! What is going on?

Thanks for all of your help so far, gang!

Michael

Michael Chapman wrote:
> Hi there:
>
> This should be a fairly simple question for the experts out there ... everything I'm receiving is being blacklisted, and the reports indicate that all these messages are flagged as "USER_IN_BLACKLIST." Where? I don't have a user_prefs, and my global is really simple:
>
> # These values can be overridden by editing ~/.spamassassin/user_prefs.cf
> # (see spamassassin(1) for details)
>
> # These should be safe assumptions and allow for simple visual sifting
> # without risking lost emails.
>
> whitelist_from *.musiciansfriend.com
> whitelist_from *.apache.org
> blacklist_from [EMAIL PROTECTED]
> required_hits 8
> #report_safe 0
> rewrite_header Subject [SPAM]
>
> # SpamAssassin config file for version 3.x
> # NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
> # See http://www.yrex.com/spam/spamconfig25.php for earlier versions
> # Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)
>
> # How many hits before a message is considered spam.
> required_score 5.0
>
> # Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
> report_safe 1
>
> # Enable the Bayes system
> use_bayes 1
>
> # Enable Bayes auto-learning
> bayes_auto_learn 1
>
> # Enable or disable network checks
> skip_rbl_checks 0
> use_razor2 1
> #use_dcc 1
> use_pyzor 1
>
> # Mail using languages used in these country codes will not be marked
> # as being possibly spam in a foreign language.
> #ok_languages en
>
> # Mail using locales used in these country codes will not be marked
> # as being possibly spam in a foreign language.
> ok_locales en
>
> # Blacklist for foreign countries we don't care about getting mail from
> #
> blacklist_from *.ar
> blacklist_from *.tr
> blacklist_from *.cn
> blacklist_from *.hr
> blacklist_from *.ru
> blacklist_from *.tw
>
> This all worked just fine when I was using RH9/SA 2.6. This is on Fedora 7 with SA 3.2.2. I am using procmail to process incoming mail, and using ClamAV for virus stuff.
>
> Is there a way I can reset the blacklist? This is driving me nuts. I don't want to use all_spam_to just to get my mail! Help! Please?
>
> Thanks!
>
> Michael
RE: BOTNET Exceptions for Today
At 13:08 21-08-2007, Bret Miller wrote:
> When I see on the list that many people run botnet with ZERO false positives, I have to ask myself, "how? And why is our setup here so different?" Perhaps they already block email with invalid rdns at the MTA

Your setup is different as your users communicate with people from different countries and from various groups. Rules such as botnet cannot have a zero false positive in such a case.

> level, so none of this ever gets looked at. Perhaps their users just give up when they don't get email that they expect and use a free email account instead for that email. I don't know, but botnet hits a significant amount

Yes, that's what some people do.

> I just don't have the option of telling our president's assistant that "we can't accept email from your husband because the IT department at the City of Pasadena won't fix their DNS issues for their email server." That's just

Why not? :-)

> not acceptable in a corporate environment, even if she had a clue what the statement meant besides that I was refusing to do what she wants. The

Agreed.

> majority of these badly configured servers won't ever get fixed unless someone that matters to them stands up and tells them they need to fix it. I do that when I can, but most of the time I just don't matter enough to get it done.

Even then, it can prove difficult to get them fixed.

The server.nch.com.au case is an interesting one. Technically, there isn't anything wrong with that setup. But I digress as we are talking about antispam here.

Regards,
-sm
Re: BOTNET Exceptions for Today
Andy Sutton wrote:
> On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote:
> > When I see on the list that many people run botnet with ZERO false positives, I have to ask myself, "how?
>
> Anyone who claims that isn't really looking at the email they are blocking, or don't believe borked DNS qualify as a FP.

a) I don't block based on botnet, I mark as spam based on botnet.

b) Botnet gets 0% false positives at one of my services (not just "borked DNS == bad", as you're suggesting, but actual "everything that triggered botnet was actually spam"). And, yes, I actually check.

You might want to have an actual basis for your claims before you go off making poorly informed generalizations about other people's mail environments.
Re: Question - How many of you run ALL your email through SA?
Jo Rhett wrote:
> On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
> > On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
> > > It seems to mostly help when it drops the message into a file for clamav to scan.
> >
> > Is that using the ClamAV plugin or outside of SA completely? I am currently using the ClamAV plugin with the SaneSecurity additions.
>
> I'm using Amavisd, which invokes clamav itself before calling SA. So your environment may be entirely different. Examine the process and see if/when/how it uses temporary files. It always seems to be faster using a ramdisk for the temp files.

I've been using Clam but I've heard of Amavisd - do I want it? What all does it do?
Re: BOTNET Exceptions for Today
Bret Miller wrote on Tue, 21 Aug 2007 12:15:27 -0700: > Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP > 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why > this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93, > 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com. But smtp22.enews.webbuyersguide.com doesn't resolve, *very* stupid. > Wordreference.com (WordReference Forums), sent from IP 75.126.51.99, > resolves to www2mail.wordreference.com, again no idea why it gets flagged. dns is ok, might be hitting some clientword, didn't check. > AltoEdge Hardware, sent from IP 69.94.122.246, resolves to > server.nch.com.au, but server.nch.com.au not to 69.94.122.246, but to 69.94.122.247. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: Blacklist problems!
Michael Chapman wrote on Tue, 21 Aug 2007 12:10:08 -0700: > Is there a way I can reset the blacklist? There is no "auto blacklist". It's your blacklist entries. For a quick diagnosis disable all of them and check if it persists. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
RE: BOTNET Exceptions for Today
On Tue, 2007-08-21 at 13:08 -0700, Bret Miller wrote: > When I see on the list that many people run botnet with ZERO false > positives, I have to ask myself, "how? Anyone who claims that isn't really looking at the email they are blocking, or don't believe borked DNS qualify as a FP. > "we can't accept email from your husband because the IT department at > the City of Pasadena won't fix their DNS issues for their email > server." There are broken email/dns/whatever servers all over the place. It's one of the reasons I don't use botnet, since I lean more towards pass rather than block. If I did, I wouldn't use the default scores. They are very aggressive and wouldn't work well in my environment. -- - Andy The test of courage comes when we are in the minority. The test of tolerance comes when we are in the majority. - Ralph W. Sockman
RE: BOTNET Exceptions for Today
> At 12:36 21-08-2007, John Rudd wrote:
> ># nslookup www2mail.wordreference.com
> >
> >Non-authoritative answer:
> >Name: www2mail.wordreference.com
> >Address: 75.126.29.11
> >
> >baddns.
>
> There's an authoritative answer for www2mail.wordreference.com.
>
> ># nslookup server.nch.com.au
> >
> >Non-authoritative answer:
> >Name: server.nch.com.au
> >Address: 69.94.122.247
>
> And one for server.nch.com.au as well.

The point isn't authoritative or not. The point is that the email was sent (in the last case) from 69.94.122.246, which resolves back to server.nch.com.au, which resolves to 69.94.122.247, a DIFFERENT IP address. The sending IP needs RDNS and that RDNS name needs to resolve back to the same IP, otherwise, it's broken.

Bret
Re: BOTNET Exceptions for Today
At 12:36 21-08-2007, John Rudd wrote:
> # nslookup www2mail.wordreference.com
>
> Non-authoritative answer:
> Name: www2mail.wordreference.com
> Address: 75.126.29.11
>
> baddns.

There's an authoritative answer for www2mail.wordreference.com.

> # nslookup server.nch.com.au
>
> Non-authoritative answer:
> Name: server.nch.com.au
> Address: 69.94.122.247

And one for server.nch.com.au as well.

Regards,
-sm
RE: BOTNET Exceptions for Today
> Bret Miller wrote: > > > Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP > > 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com > #not sure why > > this got a BOTNET=1 flag, but it did. Also find hosts 92, > 75, 70, 74, 93, > > 86, and others. All similarly resolve to > smtpnn.enews.webbuyersguide.com. > > baddns. baddns means lack of full circle DNS. In this case, > the name > returned by the PTR record (smtp22.enews.webbuyersguide.com) does not > resolve at all ... let alone not resolving back to the > sending IP address. > > > > meridiencancun.com.mx, sent from IP , resolves to > > customer-148-233-9-212.uninet-ide.com.mx #more stupidity > > > > Wordreference.com (WordReference Forums), sent from IP 75.126.51.99, > > resolves to www2mail.wordreference.com, again no idea why > it gets flagged. > > # nslookup www2mail.wordreference.com > > Non-authoritative answer: > Name: www2mail.wordreference.com > Address: 75.126.29.11 > > baddns. > > > > AltoEdge Hardware, sent from IP 69.94.122.246, resolves to > > server.nch.com.au, another no idea why BOTNET=1, but it > does. Just out of > > curiosity, I ran this through again with debug enabled so I > could get more > > details. Here's what it says: > > > > [2472] dbg: Botnet: starting > > [2472] dbg: Botnet: no trusted relays > > [2472] dbg: Botnet: get_relay didn't find RDNS > > [2472] dbg: Botnet: IP is '69.94.122.246' > > [2472] dbg: Botnet: RDNS is 'server.nch.com.au' > > [2472] dbg: Botnet: HELO is 'server.nch.com.au' > > [2472] dbg: Botnet: sender '[EMAIL PROTECTED]' > > [2472] dbg: Botnet: hit (baddns) > > [2472] dbg: rules: ran eval rule BOTNET ==> got hit (1) > > > > I'm not sure what it means. The IP resolves to > server.nch.com.au and it > > resolves to the IP. Not sure what is "bad" about dns here. > I'm also not sure > > what headers botnet looks at. The top Received header is > ours and the others > > are all internal to the sender. 
> # nslookup server.nch.com.au
>
> Non-authoritative answer:
> Name: server.nch.com.au
> Address: 69.94.122.247
>
> So, server.nch.com.au's name does not resolve back to the sending IP address, thus baddns.

OK... I guess I didn't check closely enough. But the point is still that users expect these emails and complain if they don't receive them. Today's list were mostly just top offenders, and it's going to take me time to make exceptions for all the servers we receive email from that are badly configured dns-wise. Maybe these aren't false positives because botnet is identifying them for what they are-- badly configured. But to give a rule like botnet a default score that's high enough to consider the messages spam all on its own causes users to think we have a bad spam filtering program.

When I see on the list that many people run botnet with ZERO false positives, I have to ask myself, "how? And why is our setup here so different?" Perhaps they already block email with invalid rdns at the MTA level, so none of this ever gets looked at. Perhaps their users just give up when they don't get email that they expect and use a free email account instead for that email. I don't know, but botnet hits a significant amount of legitimate email here, regardless of how badly configured the sending servers are.

I just don't have the option of telling our president's assistant that "we can't accept email from your husband because the IT department at the City of Pasadena won't fix their DNS issues for their email server." That's just not acceptable in a corporate environment, even if she had a clue what the statement meant besides that I was refusing to do what she wants. The majority of these badly configured servers won't ever get fixed unless someone that matters to them stands up and tells them they need to fix it. I do that when I can, but most of the time I just don't matter enough to get it done.

Bret
Re: BOTNET Exceptions for Today
Bret Miller wrote:
> Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93, 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com.

baddns. baddns means lack of full circle DNS. In this case, the name returned by the PTR record (smtp22.enews.webbuyersguide.com) does not resolve at all ... let alone not resolving back to the sending IP address.

> meridiencancun.com.mx, sent from IP , resolves to customer-148-233-9-212.uninet-ide.com.mx #more stupidity
>
> Wordreference.com (WordReference Forums), sent from IP 75.126.51.99, resolves to www2mail.wordreference.com, again no idea why it gets flagged.

# nslookup www2mail.wordreference.com

Non-authoritative answer:
Name: www2mail.wordreference.com
Address: 75.126.29.11

baddns.

> AltoEdge Hardware, sent from IP 69.94.122.246, resolves to server.nch.com.au, another no idea why BOTNET=1, but it does. Just out of curiosity, I ran this through again with debug enabled so I could get more details. Here's what it says:
>
> [2472] dbg: Botnet: starting
> [2472] dbg: Botnet: no trusted relays
> [2472] dbg: Botnet: get_relay didn't find RDNS
> [2472] dbg: Botnet: IP is '69.94.122.246'
> [2472] dbg: Botnet: RDNS is 'server.nch.com.au'
> [2472] dbg: Botnet: HELO is 'server.nch.com.au'
> [2472] dbg: Botnet: sender '[EMAIL PROTECTED]'
> [2472] dbg: Botnet: hit (baddns)
> [2472] dbg: rules: ran eval rule BOTNET ==> got hit (1)
>
> I'm not sure what it means. The IP resolves to server.nch.com.au and it resolves to the IP. Not sure what is "bad" about dns here. I'm also not sure what headers botnet looks at. The top Received header is ours and the others are all internal to the sender.

# nslookup server.nch.com.au

Non-authoritative answer:
Name: server.nch.com.au
Address: 69.94.122.247

So, server.nch.com.au's name does not resolve back to the sending IP address, thus baddns.
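The "full circle" check that John Rudd's reply above and Bret's later summary describe, as an added example that is not Botnet plugin code: the DNS table is constructed from the nslookup output in this thread plus one made-up passing case (RFC 5737 address, example.org name), the status labels other than baddns are this example's own, and the Received parser handles only the bracketed-IP form of the header quoted in the thread.

```python
"""Full-circle reverse DNS check: PTR of the sending IP, then A of that name."""
import ipaddress
import re
from typing import Callable, Dict, List, Optional, Tuple

# Constructed DNS data (sending IP -> PTR names; name -> A records).
PTR_TABLE: Dict[str, List[str]] = {
    "204.92.135.90": ["smtp22.enews.webbuyersguide.com"],
    "69.94.122.246": ["server.nch.com.au"],
    "75.126.51.99": ["www2mail.wordreference.com"],
    "192.0.2.25": ["mail.example.org"],                 # constructed passing case
}
A_TABLE: Dict[str, List[str]] = {
    "server.nch.com.au": ["69.94.122.247"],             # other address, per the thread's nslookup
    "www2mail.wordreference.com": ["75.126.29.11"],     # likewise
    "mail.example.org": ["192.0.2.25"],                 # constructed passing case
    # smtp22.enews.webbuyersguide.com deliberately absent: no A record at all
}
Lookup = Callable[[str], Optional[List[str]]]


def check_fcrdns(ip: str, ptr: Lookup = PTR_TABLE.get,
                 a: Lookup = A_TABLE.get) -> Tuple[str, Optional[str]]:
    """Return (status, name).
    'ok'     - some PTR name has an A record containing the sending IP
    'no-ptr' - the IP has no PTR record at all
    'baddns' - PTR name(s) exist but none resolves back (the thread's term)
    """
    addr = str(ipaddress.IPv4Address(ip))   # ValueError on anything that is not IPv4
    names = ptr(addr) or []
    if not names:
        return "no-ptr", None
    for name in names:                      # several PTR names: any one closing the loop is enough
        if addr in (a(name) or []):
            return "ok", name
    return "baddns", names[0]


# Only the "from [ip] (HELO name)" form used by the header quoted in the thread.
RECEIVED_RE = re.compile(r"from \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\] \(HELO (?P<helo>[^)\s]+)\)")

# Topmost Received header of the AltoEdge message, as quoted in the thread.
SAMPLE_RECEIVED = ("Received: from [69.94.122.246] (HELO server.nch.com.au) by mail.wcg.org "
                   "(CommuniGate Pro SMTP 5.1.11) with ESMTPS id 22264274 for [EMAIL PROTECTED]; "
                   "Tue, 21 Aug 2007 09:58:14 -0700")


def analyse_received(header: str, ptr: Lookup = PTR_TABLE.get,
                     a: Lookup = A_TABLE.get) -> Dict[str, object]:
    """Pull IP and HELO out of the header and run the full-circle check on the IP."""
    m = RECEIVED_RE.search(header)
    if m is None:
        raise ValueError("unsupported Received header form")
    ip, helo = m.group("ip"), m.group("helo")
    status, name = check_fcrdns(ip, ptr, a)
    return {
        "ip": ip,
        "helo": helo,
        "rdns": name,
        "status": status,
        # HELO agreeing with rDNS does not make the loop close, which is the point of the thread.
        "helo_matches_rdns": name is not None and helo.lower() == name.lower(),
    }


if __name__ == "__main__":
    for sending_ip in PTR_TABLE:
        print(sending_ip, *check_fcrdns(sending_ip))
    print(analyse_received(SAMPLE_RECEIVED))
```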
BOTNET Exceptions for Today
I keep saying that I have false positives with botnet, but haven't substantiated that to date. So, today I'm spending a little time making exceptions since I would like this to work. Here are today's:

Americanpayroll.org, sent from IP 67.106.104.135, resolves to 67.106.106.135.ptr.us.xo.net #OK, that's just stupid.

Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93, 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com.

meridiencancun.com.mx, sent from IP , resolves to customer-148-233-9-212.uninet-ide.com.mx #more stupidity

Wordreference.com (WordReference Forums), sent from IP 75.126.51.99, resolves to www2mail.wordreference.com, again no idea why it gets flagged.

Cityofpasadena.net (City of Pasadena, California), sent from IP 204.89.9.11, resolves to 204-89-9-11-cityofpasadena.net, ns3.pasadenapubliclibrary.com, and ns3.cityofpasadena.net. What's with all this putting of IP addresses in the host name...

AltoEdge Hardware, sent from IP 69.94.122.246, resolves to server.nch.com.au, another no idea why BOTNET=1, but it does. Just out of curiosity, I ran this through again with debug enabled so I could get more details. Here's what it says:

[2472] dbg: Botnet: starting
[2472] dbg: Botnet: no trusted relays
[2472] dbg: Botnet: get_relay didn't find RDNS
[2472] dbg: Botnet: IP is '69.94.122.246'
[2472] dbg: Botnet: RDNS is 'server.nch.com.au'
[2472] dbg: Botnet: HELO is 'server.nch.com.au'
[2472] dbg: Botnet: sender '[EMAIL PROTECTED]'
[2472] dbg: Botnet: hit (baddns)
[2472] dbg: rules: ran eval rule BOTNET ==> got hit (1)

I'm not sure what it means. The IP resolves to server.nch.com.au and it resolves to the IP. Not sure what is "bad" about dns here. I'm also not sure what headers botnet looks at. The top Received header is ours and the others are all internal to the sender.

Return-Path: <[EMAIL PROTECTED]>
Received: from [69.94.122.246] (HELO server.nch.com.au) by mail.wcg.org (CommuniGate Pro SMTP 5.1.11) with ESMTPS id 22264274 for [EMAIL PROTECTED]; Tue, 21 Aug 2007 09:58:14 -0700
Received: from server.nch.com.au (localhost.localdomain [127.0.0.1]) by server.nch.com.au (8.12.11/8.12.11) with ESMTP id l7LHRYOp002918 for <[EMAIL PROTECTED]>; Tue, 21 Aug 2007 13:27:34 -0400
Received: (from [EMAIL PROTECTED]) by server.nch.com.au (8.12.11/8.12.11/Submit) id l7LHRXY5001737; Tue, 21 Aug 2007 13:27:33 -0400
Date: Tue, 21 Aug 2007 13:27:33 -0400
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
From: "AltoEdge Hardware Orders" <[EMAIL PROTECTED]>
Subject: Online Hardware Order (ref: HW13315)

Enough time spent today... More at a later date. I've had actual complaints about 2 of the exceptions listed above, and as you might surmise from above, I only run with the score set to 1. I'd like it higher, but there are tons more of these that I have to make exceptions for before I can do that. It's a good idea-- too bad there isn't a way to make it somewhat more accurate.

Bret
Blacklist problems!
Hi there:

This should be a fairly simple question for the experts out there ... everything I'm receiving is being blacklisted, and the reports indicate that all these messages are flagged as "USER_IN_BLACKLIST." Where? I don't have a user_prefs, and my global is really simple:

# These values can be overridden by editing ~/.spamassassin/user_prefs.cf
# (see spamassassin(1) for details)

# These should be safe assumptions and allow for simple visual sifting
# without risking lost emails.

whitelist_from *.musiciansfriend.com
whitelist_from *.apache.org
blacklist_from [EMAIL PROTECTED]
required_hits 8
#report_safe 0
rewrite_header Subject [SPAM]

# SpamAssassin config file for version 3.x
# NOTE: NOT COMPATIBLE WITH VERSIONS 2.5 or 2.6
# See http://www.yrex.com/spam/spamconfig25.php for earlier versions
# Generated by http://www.yrex.com/spam/spamconfig.php (version 1.50)

# How many hits before a message is considered spam.
required_score 5.0

# Encapsulate spam in an attachment (0=no, 1=yes, 2=safe)
report_safe 1

# Enable the Bayes system
use_bayes 1

# Enable Bayes auto-learning
bayes_auto_learn 1

# Enable or disable network checks
skip_rbl_checks 0
use_razor2 1
#use_dcc 1
use_pyzor 1

# Mail using languages used in these country codes will not be marked
# as being possibly spam in a foreign language.
#ok_languages en

# Mail using locales used in these country codes will not be marked
# as being possibly spam in a foreign language.
ok_locales en

# Blacklist for foreign countries we don't care about getting mail from
#
blacklist_from *.ar
blacklist_from *.tr
blacklist_from *.cn
blacklist_from *.hr
blacklist_from *.ru
blacklist_from *.tw

This all worked just fine when I was using RH9/SA 2.6. This is on Fedora 7 with SA 3.2.2. I am using procmail to process incoming mail, and using ClamAV for virus stuff.

Is there a way I can reset the blacklist? This is driving me nuts. I don't want to use all_spam_to just to get my mail! Help! Please?

Thanks!

Michael
Re: Question - How many of you run ALL your email through SA?
On Tue, 21 Aug 2007 at 11:31 -0700, [EMAIL PROTECTED] confabulated:
> On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
> > On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
> > > It seems to mostly help when it drops the message into a file for clamav to scan.
> >
> > Is that using the ClamAV plugin or outside of SA completely? I am currently using the ClamAV plugin with the SaneSecurity additions.
>
> I'm using Amavisd, which invokes clamav itself before calling SA. So your environment may be entirely different. Examine the process and see if/when/how it uses temporary files. It always seems to be faster using a ramdisk for the temp files.

Ok. I just examined the clamav.pm plugin and it does appear to pass the message text directly to the ClamAV daemon through the use of the File::Scan::ClamAV perl module. Therefore, it doesn't sound like a temp file is created.

---
_|_ (_| |
Re: Question - How many of you run ALL your email through SA?
On Aug 21, 2007, at 11:17 AM, Duane Hill wrote:
> On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
> > It seems to mostly help when it drops the message into a file for clamav to scan.
>
> Is that using the ClamAV plugin or outside of SA completely? I am currently using the ClamAV plugin with the SaneSecurity additions.

I'm using Amavisd, which invokes clamav itself before calling SA. So your environment may be entirely different. Examine the process and see if/when/how it uses temporary files. It always seems to be faster using a ramdisk for the temp files.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Question - How many of you run ALL your email through SA?
On Tue, 21 Aug 2007 at 11:03 -0700, [EMAIL PROTECTED] confabulated:
> On Aug 21, 2007, at 8:28 AM, Duane Hill wrote:
> > I have seen the suggestion recently in this thread to run SA from a ram drive. I am going to experiment with that over the course of this next weekend. I'm not quite sure how much increase in speed I will get. All of our userprefs, AWL and bayes are stored in MySQL tables.
>
> It seems to mostly help when it drops the message into a file for clamav to scan.

Is that using the ClamAV plugin or outside of SA completely? I am currently using the ClamAV plugin with the SaneSecurity additions.

---
_|_ (_| |
Re: Scanning mailer-daemon bounces generated by localhost
Really the only way to solve this properly is to stop providing relay service. Relay service is a non-op in the current spam war. If you do what you are trying to do here, then legitimate bounce messages will also be dropped and thus you'll be decreasing the quality of their service. (And if you don't, you'll be creating backscatter.) It's a no-win scenario. If they do their own spam scanning, they should accept the mail directly.

On Aug 21, 2007, at 8:49 AM, sacoo sacoo wrote:
> It must have been asked before, but I couldn't find anything suitable; I will be glad if you point me somewhere...
>
> In our company we have the (mailer-exchange -> spam-scanner -> customers with their own mail servers) topology. We relay mail to them but some of them don't have the spam service with us and prefer to have it on their side, so we are all the time getting the spam we forward rejected, and our spam server generates a bounce (From: [EMAIL PROTECTED] (Mail Delivery System)). This bounce keeps bouncing there until it expires, increasing the load of our server.
>
> We would like to know if there is any way to force the filtering of the mails from [EMAIL PROTECTED]
>
> So far, the only guess I found was to modify the master.cf somehow from this:
>
> smtp inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
> localhost:10025 inet n - n - - smtpd -o content_filter=
>
> To something like this
>
> smtp inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
> localhost:25 inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
> localhost:10025 inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
>
> Filtering the localhost generated mails. But I donno if it's the right approach.
>
> Any help appreciated
>
> Cheers

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Question - How many of you run ALL your email through SA?
On Aug 21, 2007, at 8:28 AM, Duane Hill wrote:
> I have seen the suggestion recently in this thread to run SA from a ram drive. I am going to experiment with that over the course of this next weekend. I'm not quite sure how much increase in speed I will get. All of our userprefs, AWL and bayes are stored in MySQL tables.

It seems to mostly help when it drops the message into a file for clamav to scan.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Scanning mailer-daemon bounces generated by localhost
> Hello,
>
> It must have been asked before, but I couldn't find anything
> suitable, will be glad if you point me somewhere...
> In our company we have the (mailer-exchange ->
> spam-scanner -> customers with their own mail servers)
> topology.
> We relay mail to them but some of them don't have the
> spam service with us and prefer to have it on their side,
> then we are all the time getting the spam we forward
> rejected, our spam server generates a bounce (From:
> [EMAIL PROTECTED] (Mail Delivery System)).
> This bounce keeps bouncing there until it expires, increasing
> the load of our server.
> We would like to know if there is any way to force the
> filtering of the mails from [EMAIL PROTECTED]
>
> So far, the only guess I found was to modify the
> master.cf somehow, from this:
> smtp inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
> localhost:10025 inet n - n - - smtpd -o content_filter=
>
> To something like this:
> smtp inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
> localhost:25 inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
> localhost:10025 inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
>
> Filtering the localhost generated mails.
> But I donno if it's the right approach.
>
> Any help appreciated
>
> Cheers

This seems to be a Postfix related question, and has nothing to do with SpamAssassin. Maybe Postfix has a forum or mailing list?
Scanning mailer-daemon bounces generated by localhost
Hello,

It must have been asked before, but I couldn't find anything suitable, will be glad if you point me somewhere...

In our company we have the (mailer-exchange -> spam-scanner -> customers with their own mail servers) topology. We relay mail to them but some of them don't have the spam service with us and prefer to have it on their side, then we are all the time getting the spam we forward rejected, our spam server generates a bounce (From: [EMAIL PROTECTED] (Mail Delivery System)). This bounce keeps bouncing there until it expires, increasing the load of our server. We would like to know if there is any way to force the filtering of the mails from [EMAIL PROTECTED]

So far, the only guess I found was to modify the master.cf somehow, from this:

smtp inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
localhost:10025 inet n - n - - smtpd -o content_filter=

To something like this:

smtp inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
localhost:25 inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024
localhost:10025 inet n - - - - smtpd -o content_filter=smtp:[127.0.0.1]:10024

Filtering the localhost generated mails. But I donno if it's the right approach.

Any help appreciated

Cheers
RE: Bouncing emails from certain countries
On Tue, 21 Aug 2007, Skip Brott wrote:

> Out of curiosity (as this is a feature that I would like to have
> as well for a couple of specific countries), is there a reason
> that a couple of SA plugins can't be used:
>
> http://wiki.apache.org/spamassassin/URICountryPlugin
> Or
> http://wiki.apache.org/spamassassin/RelayCountryPlugin
>
> I am not certain which of these would be the correct one to implement.

Those are probably the "correct" approach these days; I just haven't stirred my stumps to change the geo RBLs that I've had in there forever.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs. -- Bruce Schneier --- 4 days until The 1928th anniversary of the destruction of Pompeii
RE: Bouncing emails from certain countries
On Tue, 21 Aug 2007, Chris wrote:

> Hi John, How do I find that file please ? I look at my
> SA in Cpanel and can't see where to input the text
> below?
>
> describe BL_COUNTRY_CN_1 Mail client in China
> header BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
> score BL_COUNTRY_CN_1 0.5
> tflags BL_COUNTRY_CN_1 net
>
> Any help appreciated.

I'm not familiar with CPanel, but if the server is hosted and you don't have root access, you are probably out of luck. I'm only really familiar with site-wide configs; perhaps someone else on the list can provide suggestions for a CPanel-controlled user customized configuration. Unfortunately, I don't think the per-user capabilities of SA include adding new private rules.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- ...much of our country's counterterrorism security spending is not designed to protect us from the terrorists, but instead to protect our public officials from criticism when another attack occurs. -- Bruce Schneier --- 4 days until The 1928th anniversary of the destruction of Pompeii
Re: Question - How many of you run ALL your email through SA?
On Tue, 21 Aug 2007 at 09:33 -0500, [EMAIL PROTECTED] confabulated:

You're doing a LOT better than I am with it. Makes me wonder if I have something set up wrong. My main SA server has a fast dual core Athlon and 8 gigs of ram and it can get bogged down rather quickly. I wonder if I'm doing something wrong. Are you running a 64bit OS? If so how stable are things? I thought about it to get by the 4Gbyte RAM limit but I chickened out since Directadmin lists 64bit support as beta.

Here we are running the amd64 FreeBSD v5.5 on a Dell PowerEdge 6850. It is configured with 4x3GHz dual core Xeon processors and 12 gig of ram. I have increased the maximum data segment for the OS to 2 gig. It was defaulted at 512 meg. I have set SA to use a max of 40 spamd children and keeping 20 spare laying around. Each child running takes up approximately 120 meg. The server currently handles roughly 3.5 million messages every 24 hours.

I have seen the suggestion recently in this thread to run SA from a ram drive. I am going to experiment with that over the course of this next weekend. I'm not quite sure how much increase in speed I will get. All of our userprefs, AWL and bayes are stored in MySQL tables.
spamd fails to restart on SIGHUP?
I have seen this once or twice, but still very rarely - spamd will fail to restart after receiving a SIGHUP. It stops, but does not restart. There's nothing in the log to indicate why. Has anyone seen the same? /Per Jessen, Zürich
Re: PDFInfo version 0.8?
On 8/20/07, Robert Fitzpatrick <[EMAIL PROTECTED]> wrote: > The plugins page at SARE says this is 0.8, but is it? The pm file looks > fine. > > http://www.rulesemporium.com/plugins/pdfinfo.cf > You probably want to be looking at: http://www.rulesemporium.com/plugins/PDFInfo.pm not the .cf file. It shows that it is version 0.8. Dave
Re: Question - How many of you run ALL your email through SA?
> You're doing a LOT better than I am with it. Makes me wonder if I have
> something set up wrong. My main SA server has a fast dual core Athlon
> and 8 gigs of ram and it can get bogged down rather quickly. I wonder if
> I'm doing something wrong

Are you running a 64bit OS? If so how stable are things? I thought about it to get by the 4Gbyte RAM limit but I chickened out since Directadmin lists 64bit support as beta.

I have a Directadmin server which is basically Apache, Exim, Dovecot with a nice GUI. I added Spamassassin which now filters about 2000 email accounts. It's recently upgraded to a dual core AMD CPU with 4Gbyte of DDR2 and SATA2 drive. Handles things much better than the old Socket A 2800+ with 2Gbyte of RAM and PATA drive.

I do not use any blacklists at MTA time except sbl.spamhaus.org. When I ran others I had too many customers complain about blocking their email. This server works in an ISP setting so must deal with 1500+ unique customers who have differing ideas on how their email should be filtered. I just add headers and knock priority on hits to low so they can filter easily with OE or their email client of choice.

Matt
Re: Bouncing emails from certain countries
On Mon, 2007-08-20 at 10:13 -0700, John D. Hardin wrote: > That's kind of an extreme solution, and generally considered bad > practice. Yup - Be prepared for false positive hits if you use this method. I rented a server that just happened to be on a netblock in Germany. US websites/email though. When you rent a server, there is no telling where the physical box will reside unless it is part of the contract. -- - Andy The test of courage comes when we are in the minority. The test of tolerance comes when we are in the majority. - Ralph W. Sockman
RE: sa-update doesn't connect to updates.spamassassin.org
[EMAIL PROTECTED] wrote:
> How does sa-update know whether to update or not without going over the
> network?
>
> channel: attempting channel updates.spamassassin.org
> channel: update directory /home/jidanni/var/spamassassin/3.002003/updates_spamassassin_org
> channel: channel cf file /home/jidanni/var/spamassassin/3.002003/updates_spamassassin_org.cf
> channel: channel pre file /home/jidanni/var/spamassassin/3.002003/updates_spamassassin_org.pre
> channel: metadata version = 556472
> dns: 3.2.3.updates.spamassassin.org => 556472, parsed as 556472
> channel: current version is 556472, new version is 556472, skipping channel
> diag: updates complete, exiting with code 1
>
> # host updates.spamassassin.org
> updates.spamassassin.org A record currently not present

1) That's not the address that sa-update queries, and 2) It's not looking for an A record. Try this instead:

# host -t txt 3.2.3.updates.spamassassin.org

-- Bowie
RE: Bouncing emails from certain countries
Out of curiosity (as this is a feature that I would like to have as well for a couple of specific countries), is there a reason that a couple of SA plugins can't be used:

http://wiki.apache.org/spamassassin/URICountryPlugin
Or
http://wiki.apache.org/spamassassin/RelayCountryPlugin

I am not certain which of these would be the correct one to implement.

- Skip
Re: Adding new header to SA
Steve Freegard wrote: > > How about: > > Spam Actions = deliver header "X-TM-AS-Product-Ver: > SMEX-7.0.0.1557-5.0.1021-15334.002" > > That should do what you need. Interesting. I didn't know MailScanner could do that.. and I use it. Thanks for correcting me Steve, I'll try to file that factoid in my memory for future reference. :)
RE: Bouncing emails from certain countries
>-Original Message-
>From: John D. Hardin [mailto:[EMAIL PROTECTED]
>Sent: Tuesday, August 21, 2007 3:24 PM
>To: Chris
>Cc: users@spamassassin.apache.org
>Subject: RE: Bouncing emails from certain countries
>
>On Tue, 21 Aug 2007, Chris wrote:
>
>> Hi John, Many thanks for the input on this - it's
>> appreciated.
>>
>> John, whereabouts *precisely* do I input the text below
>> please and is that all that needs to be done ?
>>
>> >describe BL_COUNTRY_CN_1 Mail client in China
>> >header BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
>> >score BL_COUNTRY_CN_1 0.5
>> >tflags BL_COUNTRY_CN_1 net
>>
>> My scenario is that my website is on shared hosting
>> servers, I don't have access to the root, but I do have
>> access to SpamAssassin.
>
>They are just more rules, nothing special about them. They go into
>your global SA local configuration file, typically
>/etc/mail/spamassassin/local.cf or something similar.
>
>--
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>-- -

Hi John, How do I find that file please ? I look at my SA in Cpanel and can't see where to input the text below?

describe BL_COUNTRY_CN_1 Mail client in China
header BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
score BL_COUNTRY_CN_1 0.5
tflags BL_COUNTRY_CN_1 net

Any help appreciated.

Chris
Re: adjusting DNS_FROM_OPENWHOIS and DNS_FROM_RFC_DSN scores
On 19.08.07 12:18, Leon Kolchinsky wrote:
> After an upgrade to SA3.2.2 I've noticed that I've started to get FP's from
> e-mail accounts originating at walla.com
>
> I can see that it may be wise to adjust some scores to make these FP get thru
> my system:
>
> score DNS_FROM_OPENWHOIS 0
> score DNS_FROM_RFC_DSN 0
>
> Do you think this is reasonable enough and I can spare these 2 scores?

imho both pieces of information from those blacklists are very helpful since there are many problems with sites not accepting bounces (RFCI_DSN) and not having valid WHOIS information (OPENWHOIS). I even refuse mail from sites at DSN list at SMTP level. I would better ask their admins (and force users to do the same) to fix their behaviour, or ask users to move to a different provider (is it a provider?)

> Below are some scores from those FP mails:
> --
> X-Spam-Status: Yes, score=7.575 tag=-999 tag2=5 kill=5 tests=[BAYES_20=-0.74,
> DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
> HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
> MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, RCVD_IN_NJABL_PROXY=1.643,
> SUBJ_ALL_CAPS=0]
>
> X-Spam-Status: Yes, score=6.673 tag=-999 tag2=5 kill=5 tests=[BAYES_50=0.001,
> DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
> HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
> MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]
>
> X-Spam-Status: Yes, score=5.562 tag=-999 tag2=5 kill=5 tests=[BAYES_05=-1.11,
> DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
> HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
> MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739]
>
> X-Spam-Status: Yes, score=6.673 tag=-999 tag2=5 kill=5 tests=[BAYES_50=0.001,
> DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
> HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
> MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]
>
> X-Spam-Status: Yes, score=6.673 tag=-999 tag2=5 kill=5 tests=[BAYES_50=0.001,
> DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001,
> HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
> MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]
>
> X-Spam-Status: Yes, score=5.514 tag=-999 tag2=5 kill=5 tests=[BAYES_00=-2.599,
> DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, FB_CIALIS_LEO3=1.441,
> HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.097,
> MIME_BASE64_TEXT=1.753, MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739]
>
> X-Spam-Status: Yes, score=5.619 tag=-999 tag2=5 kill=5 tests=[BAYES_00=-2.599,
> DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495,
> HTML_IMAGE_ONLY_20=1.546, HTML_MESSAGE=0.001,
> HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753,
> MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Warning: I do NOT want to receive any advertising mail at this address. Linux IS user friendly, it's just selective who its friends are...
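As an added example (not part of the thread), here is a small parser for the X-Spam-Status headers quoted above that re-adds the per-rule scores with Leon's two proposed local.cf overrides applied, so one can see which of those messages would drop below the kill=5 threshold. The header format and all rule values are taken from the thread; the sample headers are reassembled copies of the first and last ones quoted, and the parsing code is mine.

```python
import re
from typing import Dict, Tuple

# Constructed sample input: the first and last X-Spam-Status headers quoted
# in the thread above, reassembled onto one line each.
SAMPLE_HEADERS = [
    "X-Spam-Status: Yes, score=7.575 tag=-999 tag2=5 kill=5 tests=[BAYES_20=-0.74, "
    "DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_MESSAGE=0.001, "
    "HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753, MIME_HTML_ONLY=1.457, "
    "MPART_ALT_DIFF=0.739, RCVD_IN_NJABL_PROXY=1.643, SUBJ_ALL_CAPS=0]",
    "X-Spam-Status: Yes, score=5.619 tag=-999 tag2=5 kill=5 tests=[BAYES_00=-2.599, "
    "DNS_FROM_OPENWHOIS=1.13, DNS_FROM_RFC_DSN=1.495, HTML_IMAGE_ONLY_20=1.546, "
    "HTML_MESSAGE=0.001, HTML_MIME_NO_HTML_TAG=0.097, MIME_BASE64_TEXT=1.753, "
    "MIME_HTML_ONLY=1.457, MPART_ALT_DIFF=0.739, SUBJ_ALL_CAPS=0]",
]

# The two overrides Leon proposed for local.cf, as rule name -> new score.
PROPOSED_OVERRIDES = {"DNS_FROM_OPENWHOIS": 0.0, "DNS_FROM_RFC_DSN": 0.0}

_STATUS_RE = re.compile(
    r"score=(?P<score>-?\d+(?:\.\d+)?).*?"
    r"kill=(?P<kill>-?\d+(?:\.\d+)?).*?"
    r"tests=\[(?P<tests>[^\]]*)\]"
)


def parse_spam_status(header: str) -> Tuple[float, float, Dict[str, float]]:
    """Return (reported score, kill threshold, {rule: score}) from one header."""
    m = _STATUS_RE.search(header)
    if m is None:
        raise ValueError("header does not carry score=/kill=/tests=[...] fields")
    tests: Dict[str, float] = {}
    for item in m.group("tests").split(","):
        item = item.strip()
        if not item:
            continue
        name, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"malformed test entry: {item!r}")
        tests[name] = float(value)
    return float(m.group("score")), float(m.group("kill")), tests


def reported_score_matches(header: str) -> bool:
    """Sanity check: the per-rule scores should add up to the reported total."""
    reported, _, tests = parse_spam_status(header)
    return round(sum(tests.values()), 3) == round(reported, 3)


def rescore(tests: Dict[str, float], overrides: Dict[str, float]) -> float:
    """Re-add the rule scores with the given local.cf score overrides applied."""
    return round(sum(overrides.get(name, score) for name, score in tests.items()), 3)


def verdict_after_overrides(header: str, overrides: Dict[str, float]) -> Tuple[float, bool]:
    """Return (new total, whether it still reaches the header's kill threshold)."""
    _, kill, tests = parse_spam_status(header)
    new_score = rescore(tests, overrides)
    return new_score, new_score >= kill


if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        reported, kill, _ = parse_spam_status(h)
        new_score, killed = verdict_after_overrides(h, PROPOSED_OVERRIDES)
        state = "still at/above kill" if killed else "now below kill"
        print(f"reported={reported} kill={kill} -> with overrides {new_score} ({state})")
```

Both sample messages end up under the kill threshold once the two rules are zeroed (4.95 and 2.994), which is Leon's question answered numerically; whether that is wise is the point Matus argues above.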
RE: Bouncing emails from certain countries
On Tue, 21 Aug 2007, Chris wrote:

> Hi John, Many thanks for the input on this - it's
> appreciated.
>
> John, whereabouts *precisely* do I input the text below
> please and is that all that needs to be done ?
>
> >describe BL_COUNTRY_CN_1 Mail client in China
> >header BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
> >score BL_COUNTRY_CN_1 0.5
> >tflags BL_COUNTRY_CN_1 net
>
> My scenario is that my website is on shared hosting
> servers, I don't have access to the root, but I do have
> access to SpamAssassin.

They are just more rules, nothing special about them. They go into your global SA local configuration file, typically /etc/mail/spamassassin/local.cf or something similar.

-- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- So Microsoft's invented the ASCII equivalent to ugly ink spots that appear on your letter when your pen is malfunctioning. -- Greg Andrews, about Microsoft's way to encode apostrophes --- 4 days until The 1928th anniversary of the destruction of Pompeii
Re: Conditionally bypassing RBL checks - how?
On 18.08.07 10:38, Marc Perkel wrote:
> I have what I call a yellow list which is a list of IP addresses of
> hosts like yahoo, google, hotmail, aol, etc that send a mix of spam and
> nonspam. The idea being that if you are yellow listed then don't check
> any other list because if it was listed it would be a false positive.
>
> So - the question - how would you write a rule to do a yellow list
> lookup and if listed then bypass all other RBL tests? This would
> increase speed and accuracy, and maybe get others inspired to build a
> better yellow list than I have.

add them to trusted networks

-- Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Warning: I do NOT want to receive any advertising mail at this address. The 3 biggest disasters: Hiroshima 45, Tschernobyl 86, Windows 95
Re: Suggested botnet rule scores
Nix wrote on Tue, 21 Aug 2007 09:27:11 +0100: > If anybody is really so stupid as to unconditionally block mail from > hosts merely because of string matching in their rDNS, I'm not sure they > *deserve* to see any email... No, it's stupid to send mail from "adsl" named ranges if you want to get your mail read. I think we can drop this discussion. It doesn't matter what you or I think, I just told you what's common practice and keeps getting "commoner". Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: Suggested botnet rule scores
Nix wrote on Tue, 21 Aug 2007 09:26:18 +0100: > It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but > also hosts with e.g. the string `adsl' in its rDNS, even if that host happens > to have a static assignment. Well, if it's static they can give you rDNS and you can use a hostname of your choice for A and PTR. Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: Addendum -- New spamassassin significant install problems
Also, Robert, take a look at this page: http://www.stearns.org/doc/spamassassin-setup.current.html

local.cf has TONS of options, many of which are lightly documented. Pay close attention to bayes_path and auto_whitelist_path.

Scalix is also a bit of an oddity when it comes to using spamass-milter (trust me, I'm a Scalix user myself). Just try using the -b and -r flag together in the milter and watch the fun as the same message is regenerated, scanned, and mailed 20 odd times!!!

Sorry, I got off track there! Just check out that link, a lot of good stuff. Hope it's helpful.

Doug

James Lay wrote:
> On 8/17/07 2:13 PM, "Robert Moskowitz" <[EMAIL PROTECTED]> wrote:
>> Well maybe progress but things are still wrong.
>>
>> James Lay wrote:
>>> On 8/17/07 11:53 AM, "Robert Moskowitz" <[EMAIL PROTECTED]> wrote:
>>> More questions...

James Lay wrote:
> On 8/17/07 11:24 AM, "Robert Moskowitz" <[EMAIL PROTECTED]> wrote:
>> thanks for the quick reply.
>>
>> James Lay wrote:
>>> On 8/17/07 10:58 AM, "Robert Moskowitz" <[EMAIL PROTECTED]> wrote:
>>> I left off below that I am using spam-milter 0.3.1-1
===
I am new to this. I have been running my mail server in various flavors for 10+ years. Always trying to do better.

PLATFORM: Centos 5.0, 1Ghz processor, 512Mb memory
Mail server: Scalix 11.1
MTA: Sendmail ver. 8.13.8
Spamassassin: 3.1.9
Webmin: 1.360

I followed the Scalix WiKi spamassassin install instructions: http://www.scalix.com/wiki/index.php?title=HowTos/SpamAssassin

I am using Thunderbird 1.5.0.12, sending mail has a significant delay. The meter just sits there near the beginning for quite some time. Often, the sending times out. I read through much of the spamassassin WiKi. Nothing on performance seems to apply. When I go into the /var/log/maillog, I catch some real problems.

I enabled DNS checking (dns_available yes) and restarted spamassassin via webmin and caught the following in the maillog:

Aug 17 12:13:28 z9m9z spamd[1381]: spamd: connection from localhost.localdomain [127.0.0.1] at port 48800
Aug 17 12:13:28 z9m9z spamd[1381]: spamd: setuid to root succeeded
Aug 17 12:13:28 z9m9z spamd[1381]: spamd: still running as root: user not specified with -u, not found, or set to root, falling back to nobody at /usr/bin/spamd line 1161, line 4.

>>> Robert,
>>>
>>> What's your startup line to start spamd look like? If you're
>>> starting it
>>> like:
>>>
>>> Spamd -u spamduser
>>
>> from file: /etc/rc.d/init.d/spamassassin:
>>
>> # Set default spamd configuration.
>> SPAMDOPTIONS="-d -c -m5 -H"
>> SPAMD_PID=/var/run/spamd.pid
>>
>> and as you can see below, the actual command that got run was:
>>
>> /usr/bin/spamd -d -c -m5 -H -r /var/run/spamd.pid
>>
>> So no -u at all!
>>
>>> Is that user in your /etc/passwd file?
>>
>> No spamduser.
>>
>> What files would I expect to see owned by spamduser. Oh, wait. If the
>> user's not there, there better not be any files owned by it
>
> Doh!
>
> It's running as root then

Gee, I thought that was clear from the maillog lines and running processes... But then it has those processes running as 'nobody' as well..

> ...no goodness there.

Why not? Security (it should be running chrooted then?)? other reasons?

> I created a user and group
> called spamfilter, then su'd to root, then su'd to spamfilter and ran
> my
> bayes and pyzor setups as spamfilter.

This makes no sense to me. You created the user spamfilter. You logged in as spamfilter, su'd to root and su'd to spamfilter? What does that accomplish? Or are you logged in as James and trying to be spamfilter? If so does not: login spamfilter do the same thing? (I did a fair bit of unix back in '93, then nothing for over 10 years...).

>>> When you su to root, then su to spamfilter, you in effect are now logged in
>>> as that user. Because spamd will drop privileges to spamfilter
RE: Suggested botnet rule scores
> -Original Message- > From: Robert Fitzpatrick [mailto:[EMAIL PROTECTED] > Sent: Saturday, 18 August 2007 1:24 > To: users@spamassassin.apache.org > Subject: Re: Suggested botnet rule scores > > On Fri, 2007-08-17 at 16:31 +0200, Kai Schaetzl wrote: > > Robert Fitzpatrick wrote on Fri, 17 Aug 2007 08:46:25 -0400: > > > > > I tried 'spamassassin -D > results.txt < > > > myspamfile', but only gives me the results of the tests. > > > > spamassassin -D results.txt > > > > should do it. > > Still no good, I only get the message, no debug info...:( To get the debug info into a file, you need to send std_err output to file as debug output is really error output. You have 2 options: option 1 - pipe to less: spamassassin --lint -D < spamfile 2>&1 | less option 2 - redirect to text file: spamassassin --lint -D < spamfile 2>&1 > file.txt That ought to do it! Cheers, tkb.
Re: Using SpamAssassin to filter port 110
Just need to proxy POP3 through SpamAssassin. There are a number of ways to do that and some commercial products/services out there. On 8/20/07, Patman <[EMAIL PROTECTED]> wrote: > > > Hello, > > New to the forum. > > > Question, what I would like to do, is filter incoming traffic on port 110, > with a spamassassin server. Our organization is provided email by an > outside provider, as a service for doing our web page. What I would like > to > know is if SpamAssassin can be configured to go between my Cisco Pix box > and > say the network to filter port 110 for spam? Or does SpamAassassin have > to > be the IP that port 110 is routed to? I have used SpamAssassin on a in > house email server but never as I am attempting. Can it be done and how? > > Thanks > -- > View this message in context: > http://www.nabble.com/Using-SpamAssassin-to-filter-port-110-tf4299373.html#a12237459 > Sent from the SpamAssassin - Users mailing list archive at Nabble.com. > >
Re: Adding new header to SA
Matt Kettler wrote:
yossim wrote:
Hi forum, I am running MailScanner integrated with SA sendmail based. I would like to add a new header to SA report, so the next stage of spam filtering, which is the Trend Micro, will always forward the email to the Outlook junk mail. The header is as follows: X-TM-AS-Product-Ver: SMEX-7.0.0.1557-5.0.1021-15334.002. I searched in MailScanner and tried also in local.cf but with no results. Kind regards, Yossi

MailScanner doesn't offer any decent flexibility in header formats

How about:

Spam Actions = deliver header "X-TM-AS-Product-Ver: SMEX-7.0.0.1557-5.0.1021-15334.002"

That should do what you need.

Kind regards, Steve.
Re: Suggested botnet rule scores
John Thompson wrote on Mon, 20 Aug 2007 21:36:51 -0500: > Indeed. But some people have a religious objection to all things google, > so I hesitate to recommend it as a universal solution. Misunderstanding. I meant to say that you do not need a Google Mail account for this. That is why it is an "easy solution for most users". As I said: "nothing special". Kai -- Kai Schätzl, Berlin, Germany Get your web at Conactive Internet Services: http://www.conactive.com
Re: Suggested botnet rule scores
On 18 Aug 2007, Kai Schaetzl said: > Nix wrote on Sat, 18 Aug 2007 15:14:53 +0100: > >> > Worms and spam have made it impossible for users to use their own >> > personal mail servers. >> >> Really? Fascinating, I'm doing the impossible. I had no idea. > > You should not read that literally. You can, of course do that. But many > providers will not let you out and many won't let you in. You are lucky > that this IP isn't in any dynamic list yet, but it's got "adsl" in the > hostname, so many will block it that way. So, in general, if you want to > be sure that your mail gets accepted you have to use your smarthost. Or > you gamble. Your choice. If anybody is really so stupid as to unconditionally block mail from hosts merely because of string matching in their rDNS, I'm not sure they *deserve* to see any email...
Re: Suggested botnet rule scores
On 18 Aug 2007, Kai Schaetzl stated: > Nix wrote on Sat, 18 Aug 2007 17:35:20 +0100: > >> Competent ISPs give you rDNS. (Really good ones delegate your rDNS to >> you.) > > So, your ISP is not competent? How would they give specific rDNS to > dynamic IP addresses, anyway? It's not dynamic, but Botnet isn't just looking for dynamic IPed hosts, but also hosts with e.g. the string `adsl' in its rDNS, even if that host happens to have a static assignment.
Re: Suggested botnet rule scores
On 18 Aug 2007, Magnus Holmgren said: > On Saturday 18 August 2007 16:14, Nix wrote: >> On 17 Aug 2007, Robert Fitzpatrick verbalised: >> > ISP's are blocking port 25 from anything but their own stuff, especially >> > dial-up. >> >> Mine blocks until you prove you're competent (or post a bond: I did the >> former) and gets really pissed if you then turn into a spamming monster. >> It seems to work. > > What did you have to do to prove you're competent? In my case, `know the ISP's sysadmin'. (Its clued userbase has quite a collegial atmosphere.)
RE: Bouncing emails from certain countries
>-Original Message-
>From: John D. Hardin [mailto:[EMAIL PROTECTED]
>Sent: Monday, August 20, 2007 7:14 PM
>To: Chris
>Cc: users@spamassassin.apache.org
>Subject: Re: Bouncing emails from certain countries
>
>On Mon, 20 Aug 2007, Chris wrote:
>
>> Does anyone know of a way, that whenever someone emails
>> from say, for example, Nigeria, Korea, Russia and
>> China, the email gets returned to them, saying
>> something like, "Email failed, no such email address"
>> please ?
>>
>> Any help appreciated.
>
>That's kind of an extreme solution, and generally considered bad
>practice.
>
>That said, there are geographic RBLs, for example countries.nerd.dk
>
>Here's what I do in SA:
>
>describe BL_COUNTRY_CN_1 Mail client in China
>header BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
>score BL_COUNTRY_CN_1 0.5
>tflags BL_COUNTRY_CN_1 net
>
>Substitute the ISO country code as needed.
>
>If you want a hard reject, just move the DNSBL check into your MTA
>with whatever reject message you like (assuming your MTA lets you
>customize that for DNSBLs).
>
>--
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
>-- -
> Men by their constitutions are naturally divided into two parties:
> 1. Those who fear and distrust the people and wish to draw all
> powers from them into the hands of the higher classes. 2. Those who
> identify themselves with the people, have confidence in them,
> cherish and consider them as the most honest and safe, although not
> the most wise, depository of the public interests.
> -- Thomas Jefferson
>-- -
> 5 days until The 1928th anniversary of the destruction of Pompeii

Hi John, Many thanks for the input on this - it's appreciated.

John, whereabouts *precisely* do I input the text below please and is that all that needs to be done ?

>describe BL_COUNTRY_CN_1 Mail client in China
>header BL_COUNTRY_CN_1 eval:check_rbl('china', 'cn.countries.nerd.dk')
>score BL_COUNTRY_CN_1 0.5
>tflags BL_COUNTRY_CN_1 net

My scenario is that my website is on shared hosting servers, I don't have access to the root, but I do have access to SpamAssassin.

Chris.
Re: sa-update doesn't connect to updates.spamassassin.org
Ah, of course, the DNS response was already cached by pdnsd, and I can't figure out from the man page how to use tcpflow's udp options anyway. But more importantly, for my second question, http://www.ezmlm.org/ezman/ezman1.html says after long research, "To temporarily leave an ezmlm list, just unsubscribe. Subscribe again later, when you wish to receive messages or digests again. ezmlm processes such requests virtually instantaneously, removing the need for a temporary ``hold'' command." How wonderful.