filter blogspot
Dear all,

In a day I get spam with URLs from blogspot. I've created my rule:

uri BLOGSPOT_01 m;http://[a-z]{8,}\d{5,}\.blogspot\.com/$;
describe BLOGSPOT_01 Throwaway blogspot domain
score BLOGSPOT_01 6.0

Why is this rule not effective to block this spam?

regards,
Md Rivai

etc.
http://lucilehoosierno.blogspot.com
http://michaeloathoutnp.blogspot.com
http://marlastingleygc.blogspot.com

--
View this message in context: http://www.nabble.com/filter-blogspot-tp15606537p15606537.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: No scoring because of not beeing tested ?
On Wed, 20 Feb 2008 14:40:30 -0800, SM [EMAIL PROTECTED] wrote:

> At 13:51 20-02-2008, Emmanuel Lesouef wrote:
> > http://pastebin.com/m61564e4
>
> The message hits RDNS_NONE, HTML_MESSAGE, URIBL_WS_SURBL, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL, URIBL_BLACK, URIBL_RHS_DOB. The total score is 12.6.
>
> Are you using SURBL ( http://wiki.apache.org/spamassassin/SURBL )?
>
> Regards,
> -sm

I am using Spamassassin from debian-volatile (3.2.3-0.volatile1) so I'm using them but I think that's not the point ;)

--
Emmanuel Lesouef
DSI | CRBN
t: 0231069671
e: [EMAIL PROTECTED]
Re: [OT] Bogus MX opinions
Michael Scheidell wrote:

| Postini uses it for their clients.
|
| They set up 4 'real' mx records (priority 100,200,300,400) that point to
| real postini servers. They set up priority 500 that points to the
| (firewalled) smtp server of the client. (as in firewalled to the world,
| except to postini)

Where do you get this information from? I only see Postini customers with four MX records at the priorities you mentioned, but none with a fifth MX record.

Is this Postini's recommended procedure (as customers retain control of their DNS records), or a (new) requirement for their service?

--
Matthias
Re: No scoring because of not beeing tested ?
On Thu, 21 Feb 2008 00:57:55 +0100, Karsten Bräckelmann [EMAIL PROTECTED] wrote:

> On Wed, 2008-02-20 at 14:40 -0800, SM wrote:
> > At 13:51 20-02-2008, Emmanuel Lesouef wrote:
> > > http://pastebin.com/m61564e4
>
> That's not a default SA header. X-Spam-Checker-Version is missing, and that X-Spam-Status is missing autolearn and version. Whatever calls SA, you want to check with that.

Amavisd-new is calling spamassassin.

> Amavisd-new I assume, looking at the Received header right before the X-Spam stuff. And Amavisd-new is, what inserts these headers, too. It is not SA.

But the spamassassin config is read from /etc/spamassassin ?

> > The message hits RDNS_NONE, HTML_MESSAGE, URIBL_WS_SURBL, URIBL_JP_SURBL, URIBL_OB_SURBL, URIBL_SC_SURBL, URIBL_BLACK, URIBL_RHS_DOB. The total score is 12.6.
> >
> > Are you using SURBL ( http://wiki.apache.org/spamassassin/SURBL )?
>
> That's rather irrelevant. :) Emmanuel does not get *any* hit, whereas he definitely should have at least HTML_MESSAGE triggering, unless he disabled it.

I didn't disable any SA tests.

> guenther

Thanks.

--
Emmanuel Lesouef
DSI | CRBN
t: 0231069671
e: [EMAIL PROTECTED]
Re: URIBL
I remember there was a period of time when dozens of URI delist requests were submitted all together without any detail. Could that have been the case with your reports?

Theo Van Dinter wrote:
> FWIW, I used to report FP domains to URIBL daily until I was told to stop because there were too many to deal with.
RE: URIBL
> From: Theo Van Dinter [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 20, 2008 8:08 PM
> To: users@spamassassin.apache.org
> Subject: Re: URIBL
>
> On Wed, Feb 20, 2008 at 06:52:14PM +, Nigel Frankcom wrote:
> > Anyway I heard talking about URIBL, which as I have understood is a quite different service (it blacklists 'domains' rather 'IPs'). But is it maybe a dangerous practice to fight spam?
> >
> > Anyway, does anyone suggest me to use URIBL?
>
> URI black lists have been around for several years now, and are generally very helpful at detecting spam. URIBL is one of the standard such black lists that are in use in SA, but there are others: SURBL (the oldest and most well known IMO) as well as Razor (also does message hashing but largely uses domain detection these days). (I may be forgetting someone else, sorry, these are just the ones that come to mind.)
>
> Here are my results for the past 60 days for the different groups: (you want the most spam% with the lowest ham%, aka: the higher the S/O the better)
>
> OVERALL     SPAM%      HAM%    S/O   RANK  SCORE  NAME
>       0    769001     57013  0.931   0.00   0.00  (all messages)
>     0.0   93.0978    6.9022  0.931   0.00   0.00  (all messages as %)
>  65.312   70.1541    0.0053  1.000   1.00   0.00  URIBL_JP_SURBL
>  54.979   59.0545    0.0018  1.000   0.99   0.00  URIBL_SC_SURBL
>  33.513   35.9976    0.0018  1.000   0.98   0.00  URIBL_AB_SURBL
>  58.407   62.7323    0.0667  0.999   0.94   0.00  URIBL_OB_SURBL
>  43.120   46.3111    0.0737  0.998   0.93   0.00  URIBL_WS_SURBL
>   1.385    1.4874    0.0035  0.998   0.87   0.00  URIBL_PH_SURBL
>   0.758    0.8091    0.0702  0.920   0.78   0.00  URIBL_RED
>  71.920   77.1604    1.2331  0.984   0.71   0.00  URIBL_BLACK
>   1.545    1.4891    2.3047  0.393   0.52   0.00  URIBL_GREY
>  69.598   74.7537    0.0614  0.999   0.95   0.00  RAZOR2_CF_RANGE_E8_51_100
>
> So URIBL is a bit more problematic than the others by itself, due to the high ham hit rate, but given SA's method of using multiple data sources to determine ham/spam, the false positive issue is minimized.

I have looked at the SURBL site. If I have well understood I have to enable only the plugin with loadPlugin.

Then I have to use the command 'urirhssub' of the plugin URIDNSBL to specify that I want to use SURBLs:

urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
body URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
describe URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
tflags URIBL_JP_SURBL net
score URIBL_JP_SURBL 3.0

Indeed, I have not understood a number of things:

1. Why I have to use 'URIBL_JP_SURBL' as 'NAME_OF_RULE'? Is it an arbitrary name or it exists a number of 'NAME_OF_RULE'?
2. Does the body command have to specify 'eval:check_uridnsbl('NAME_OF_RULE')' where 'NAME_OF_RULE' is the name of the rule specified as parameter of the command 'urirhssub'?
3. tflags?
4. score?
5. Is there any simpler URIDNSBL plugin setting? Maybe a default one?

rocsca
Re: Nice girl like to chat spam
I have been running this rule for a day now, and am trapping the spams with rules 1 and 2. Curiously I have now started picking these up on Bayes as well.

Thanks for your help, and to everyone who responded.

Kris Deugau wrote:
> # Nice girl wants to send pics, but only if you email the address in the body
> # start scoring at .5, see how that whacks'em.
> body NICE_GIRL_01 /Hello! I am (?:bored|tired) (?:today|this (?:afternoon|evening)|tonight)\./
> describe NICE_GIRL_01 Nice girls don't spam
> score NICE_GIRL_01 0.8
>
> body NICE_GIRL_02 /I am nice girl that would like to chat with you\./
> describe NICE_GIRL_02 Nice girls don't spam
> score NICE_GIRL_02 0.8
>
> # {0,74} rather than {,74}: Perl before 5.34 reads {,74} as literal text, not a quantifier
> body NICE_GIRL_03 /Email me at [^\s]{0,74} only, because I am writing not from my personal email\./
> describe NICE_GIRL_03 Nice girls don't spam
> score NICE_GIRL_03 0.8
>
> # not actually the same spam, but same class/type
> body NICE_GIRL_04 /I will respond right away and send a pic and some of my info right away/
> score NICE_GIRL_04 0.8
> describe NICE_GIRL_04 Nice girls don't spam
>
> body NICE_GIRL_05 /Reply to me and tell me about yourself if you want to chat/
> score NICE_GIRL_05 0.8
> describe NICE_GIRL_05 Nice girls don't spam
RE: URIBL
> > Anyway I heard talking about URIBL, which as I have understood is a quite different service (it blacklists 'domains' rather 'IPs'). But is it maybe a dangerous practice to fight spam?
> >
> > Anyway, does anyone suggest me to use URIBL?
>
> Are you looking for a PRE QUEUE blacklist? Or a way to help score SpamAssassin emails? URIBL (I think from spamcop/ironport/cisco) is already included in modern SA builds.

I don't know what you mean for 'PRE QUEUE blacklist'.. Anyway I would like to help SpamAssassin in scoring emails..

rocsca
RE: Why SA don't use bayes for some e-mails?
Robert - elists-2 wrote:
> Good question. Tough one without debugging your machine personally.
>
> Did you do any web searching for this?
>
> Have you considered upgrading to current SA 3.2.4 ?
>
> - rh

Yes, I have been searching for any info relative to this, but I couldn't find anything. It's very weird. All messages are checked, but some of them don't have any mark of type XX_BAYES. I think that in the best case, a message should be marked, at least, with a 00_BAYES.

I'm considering upgrading all my server, since it has an older version of SA and other software... but it's a heavy job. I need some time to plan the migration.

I have asked about this because I thought that it could be a problem of bad configuration.
Re: sa-learn not learning?
Hi John,

Looks like you replied directly to me. I couldn't find your reply on the list yet? At any rate...

The Bayes DB has been learned and in effect for a long time - years before my time. No ID's have changed or the config that has caused this error. I add users to the whitelist - and use sa-learn - that's it.

1.
[EMAIL PROTECTED] spam-email]$ sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 797361 0 non-token data: nspam
0.000 0 665377 0 non-token data: nham
0.000 0 186483 0 non-token data: ntokens
0.000 0 1203464108 0 non-token data: oldest atime
0.000 0 1203536991 0 non-token data: newest atime
0.000 0 1203536443 0 non-token data: last journal sync atime
0.000 0 1203507419 0 non-token data: last expiry atime
0.000 0 43200 0 non-token data: last expire atime delta
0.000 0 101794 0 non-token data: last expire reduction count

2. sa-learn running as amavis.
[EMAIL PROTECTED] spam-email]$ id
uid=503(amavis) gid=504(amavis) groups=504(amavis)

3. I think we are filtering with Spamd - how can I tell - in a config file or dir? (/etc/mail./spamassasin or /var/amavis/.spamassassin) I have both binaries...
[EMAIL PROTECTED] spam-email]$ which spamd
/usr/bin/spamd
[EMAIL PROTECTED] spam-email]$ which spamc
/usr/bin/spamc

4.
[EMAIL PROTECTED] root]# ps axu | grep spamd
root 18580 0.0 0.1 1736 588 pts/2 S 14:00 0:00 grep spamd

Scott Pichelman
Systems Administrator
Weir Minerals North America
2701 S Stoughton Rd Madison WI 53716 USA
T: +(00)1 608 226 5615
F: +(00)1 608 221 5807
M: +(00)1 608 279 5056
E: [EMAIL PROTECTED]
W: www.weirminerals.com

> John Hardin [EMAIL PROTECTED]
> 02/20/2008 01:43 PM
> To: pichels [EMAIL PROTECTED]
> cc: users@spamassassin.apache.org
> Subject: Re: sa-learn not learning?
>
> On Wed, 20 Feb 2008, pichels wrote:
> > But, I've tried learning any email after I received the Perl error message and none are being learned? And why is the spam being scored with spamassassin? I don't understand? Could my Bayes DB need to be re-synced or forced to expire some dups or ?
>
> Note that bayes needs at least 200 spams and 200 hams before it starts scoring. Have you learned that many yet?
>
> If you have kept your training corpus, you could delete the bayes database files entirely and start training over from scratch.
>
> > My users are getting the nice girl emails and they are not scoring as I've shown in my post - why? They score with spamassassin debug but are not being stopped by SA in my maillogs?
>
> That smells like a user ID problem. If the user ID that spamassassin/spamd is running under is different than the user ID you are running sa-learn under, the bayes databases are different - you're training a database that SA isn't looking at. Verify that you are training using the same user as the user spamassassin/spamd is running as to filter mail.
>
> > Can I provide more details?
>
> What does sa-learn --dump magic report?
> How are you filtering messages? spamc+spamd?
> What user is spamd running as?
> What user are you running sa-learn as?
> What (if anything) does ps axu | grep spamd report?
>
> --
> John Hardin KA7OHZ http://www.impsec.org/~jhardin/
> [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
> key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
> ---
> [Small arms] are fundamentally dangerous and their removal from the equation either by control, neutralisation or removal is essential. The first step is to gain information on their numbers and whereabouts. -- the UN, who doesn't want to confiscate guns
> ---
> 2 days until George Washington's 276th Birthday

This document should only be read by those persons to whom it is addressed and is not intended to be relied upon by any person without subsequent written confirmation of its contents.
Accordingly, our company disclaim all responsibility and accept no liability (including in negligence) for the consequences for any person acting, or refraining from acting, on such information prior to the receipt by those persons of subsequent written confirmation. If you have received this E-mail message in error, please notify us immediately by telephone. Please also destroy and delete the message from your computer. Any form of reproduction, dissemination, copying, disclosure, modification, distribution and/or publication of this E-mail message is strictly prohibited.
Re: filter blogspot
mdrivai wrote:
> Dear all,
>
> In a day I get spam with URLs from blogspot. I've created my rule:
>
> uri BLOGSPOT_01 m;http://[a-z]{8,}\d{5,}\.blogspot\.com/$;
> describe BLOGSPOT_01 Throwaway blogspot domain
> score BLOGSPOT_01 6.0
>
> Why is this rule not effective to block this spam?

\d{5,} means 5 or more digits. The URLs you show below have no digits.

> regards,
> Md Rivai
>
> etc.
> http://lucilehoosierno.blogspot.com
> http://michaeloathoutnp.blogspot.com
> http://marlastingleygc.blogspot.com
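Added example (not part of the thread and not SpamAssassin code): a small Python check that parses the posted `uri` rule and runs its pattern over the three URLs from the original message, listing each part of the pattern they fail. `BLOGSPOT_02` and the benign address are constructed for comparison, and Python's `re` stands in for Perl's regex engine, which treats these particular patterns the same way.

```python
import re
from urllib.parse import urlsplit

# Rule exactly as posted in the thread.
POSTED_RULE = r"uri BLOGSPOT_01 m;http://[a-z]{8,}\d{5,}\.blogspot\.com/$;"
# Hypothetical relaxed variant, for comparison only (not from the thread).
RELAXED_RULE = r"uri BLOGSPOT_02 m;^http://[a-z]{8,}\.blogspot\.com/?$;"

# URLs listed in the original message.
SPAM_URLS = [
    "http://lucilehoosierno.blogspot.com",
    "http://michaeloathoutnp.blogspot.com",
    "http://marlastingleygc.blogspot.com",
]
# Constructed, ordinary-looking blog address used to probe for false positives.
BENIGN_URLS = ["http://gardeningnotes.blogspot.com/"]


def parse_uri_rule(line):
    """Split 'uri NAME m<delim>PATTERN<delim>flags' (or /PATTERN/) into (name, regex)."""
    parts = line.split(None, 2)
    if len(parts) != 3 or parts[0] != "uri":
        raise ValueError("not a uri rule: %r" % line)
    name, expr = parts[1], parts[2].strip()
    # Perl's m operator lets the rule pick its own delimiter, here ';'.
    if expr.startswith("m") and len(expr) > 1 and not expr[1].isalnum():
        expr = expr[1:]
    delim = expr[0]
    end = expr.rfind(delim)
    if end <= 0:
        raise ValueError("unterminated pattern in %r" % line)
    flags = re.IGNORECASE if "i" in expr[end + 1:] else 0
    return name, re.compile(expr[1:end], flags)


def hits(rule_line, urls):
    """Return the URLs that the rule's pattern matches."""
    _, rx = parse_uri_rule(rule_line)
    return [u for u in urls if rx.search(u)]


def explain_miss(url):
    """List the parts of the posted pattern that a URL does not satisfy."""
    parts = urlsplit(url)
    label = parts.hostname.split(".")[0]
    trailing_digits = len(label) - len(label.rstrip("0123456789"))
    reasons = []
    if trailing_digits < 5:
        reasons.append("host label ends in %d digits, \\d{5,} needs 5 or more"
                       % trailing_digits)
    if parts.path != "/":
        reasons.append("URL has no trailing '/', but the pattern ends in /$")
    return reasons


if __name__ == "__main__":
    print("posted rule hits:", hits(POSTED_RULE, SPAM_URLS))
    for url in SPAM_URLS:
        print(url, "->", explain_miss(url))
    print("relaxed rule hits on spam:", hits(RELAXED_RULE, SPAM_URLS))
    print("relaxed rule hits on benign:", hits(RELAXED_RULE, BENIGN_URLS))
```

The relaxed pattern matches any blogspot name of eight or more letters, so a single hit at score 6.0 would by itself exceed a required=5 threshold; a low score combined with other evidence is the safer use of such a rule.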
Re: Bayes: What am I missing
comparity wrote:
> > Do you use sa-update?
>
> No I don't. However, I have just run it. restarted spamassassin (service spamassassin restart), and I'll see what happens.

Hi comparity, could you fix the problem by updating SA?
Re: sa-learn not learning?
Hi, Scott, I'll give you my two cents here

2008/2/20, [EMAIL PROTECTED] [EMAIL PROTECTED]:
> Hi John,
>
> Looks like you replied directly to me. I couldn't find your reply on the list yet? At any rate...
>
> The Bayes DB has been learned and in effect for a long time - years before my time. No ID's have changed or the config that has caused this error. I add users to the whitelist - and use sa-learn - that's it.
>
> 1.
> [EMAIL PROTECTED] spam-email]$ sa-learn --dump magic
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 797361 0 non-token data: nspam
> 0.000 0 665377 0 non-token data: nham
> 0.000 0 186483 0 non-token data: ntokens
> 0.000 0 1203464108 0 non-token data: oldest atime
> 0.000 0 1203536991 0 non-token data: newest atime
> 0.000 0 1203536443 0 non-token data: last journal sync atime
> 0.000 0 1203507419 0 non-token data: last expiry atime
> 0.000 0 43200 0 non-token data: last expire atime delta
> 0.000 0 101794 0 non-token data: last expire reduction count
>
> 2. sa-learn running as amavis.
> [EMAIL PROTECTED] spam-email]$ id
> uid=503(amavis) gid=504(amavis) groups=504(amavis)
>
> 3. I think we are filtering with Spamd - how can I tell - in a config file or dir? (/etc/mail./spamassasin or /var/amavis/.spamassassin) I have both binaries...
> [EMAIL PROTECTED] spam-email]$ which spamd
> /usr/bin/spamd
> [EMAIL PROTECTED] spam-email]$ which spamc
> /usr/bin/spamc
>
> 4.
> [EMAIL PROTECTED] root]# ps axu | grep spamd
> root 18580 0.0 0.1 1736 588 pts/2 S 14:00 0:00 grep spamd

Amavis loads the pertinent SA routines and code by itself, it doesn't call SA OR Spamd at any moment. From what I've read, your SA-Amavis duo has been running from some time ago. Anyway, I recommend you read the HOWTO by Gary V. It has some interesting notes about the users under Amavis runs, and other valuable material. It's located here:

http://www200.pair.com/mecham/spam/

You could try running Amavis in debug mode (i.e., stop amavis and from the command line type:

# amavisd debug-sa

That will show you how Amavis treats the message. I do also suggest raising the detail level in Amavis' logs

Anyway, my answer is getting totally OT here. You might have more luck asking in the Amavis list.

Hope this helps,
Luis
Re: URIBL
HI, Rocco

2008/2/21, Rocco Scappatura [EMAIL PROTECTED]:
> > > Anyway I heard talking about URIBL, which as I have understood is a quite different service (it blacklists 'domains' rather 'IPs'). But is it maybe a dangerous practice to fight spam?
> > >
> > > Anyway, does anyone suggest me to use URIBL?
> >
> > Are you looking for a PRE QUEUE blacklist? Or a way to help score SpamAssassin emails? URIBL (I think from spamcop/ironport/cisco) is already included in modern SA builds.
>
> I don't know what you mean for 'PRE QUEUE blacklist'.. Anyway I would like to help SpamAssassin in scoring emails..

He means a blacklist which runs IN the MTA, not at SA level, when the MTA has accepted the message. It rejects spammers as they connect, mostly based on their IP. I run Zen, from Spamhaus here, with very good results.

> rocsca

Regards,
Luis

--
GNU-GPL: May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
Re: Bayes: What am I missing
spamis wrote:
> comparity wrote:
> > > Do you use sa-update?
> >
> > No I don't. However, I have just run it. restarted spamassassin (service spamassassin restart), and I'll see what happens.
>
> Hi comparity, could you fix the problem by updating SA?

No, not as far as I can tell. I still get the same spam, and no indication that bayes has been applied.

--
Mark Simon
Comparity Net Computer Training Support
Phone/Fax: 1300 726 000
mobile: 0411 246 672
email: [EMAIL PROTECTED]
web: http://www.comparity.net
Resume: http://mark.manngo.net
Calendar: http://www.comparity.net/calendar.php
Re: mails not being received
Quoting ploppy [EMAIL PROTECTED]:
> i enabled SA on one of my accounts and since disabling, no mails for that account are being received. i did tail -f /var/log/exim_mainlog and they are showing as completed, but they are not being delivered. they are not even in the mail queue. i am using exim 4.63 and didn't have this problem until i enabled SA and then disabled. i am hoping this is the correct forum for this message and any help would be appreciated because i have tried for the past 3 days to sort this out. i have reset back to defaults in whm and still no luck.
>
> thank you

You may have better luck if you check with the company hosting your mailboxes. SpamAssassin is only a mail checker; it doesn't handle delivery of messages at all.

Jeff C.
Installation on SpamAssassin
Hi to all members here,

I'm a new member and would like to ask help on how to install SpamAssassin? Aside from working with an email server, will this work with Webmails like gmail, yahoo, or msn?

thank you in advance
mails not being received
i enabled SA on one of my accounts and since disabling, no mails for that account are being received. i did tail -f /var/log/exim_mainlog and they are showing as completed, but they are not being delivered. they are not even in the mail queue. i am using exim 4.63 and didn't have this problem until i enabled SA and then disabled. i am hoping this is the correct forum for this message and any help would be appreciated because i have tried for the past 3 days to sort this out. i have reset back to defaults in whm and still no luck.

thank you

WHM 11.15.0 cPanel 11.18.1-S20683 CENTOS Enterprise 4.6 i686 on standard - WHM X v3.1.0 exim 4.63
Errors all of a sudden?
I was watching my maillog this morning, trying to spot something else that wasn't quite working right when I noticed a bunch of errors similar to the following:

Feb 19 11:09:26 rivendell spamd[987]: Subroutine DEAR_SOMETHING_one_line_body_test redefined at /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_phrases.cf, rule DEAR_SOMETHING, line 4, GEN839 line 128.
Feb 19 11:09:26 rivendell spamd[987]: Subroutine __DRUGS_ERECTILE_L_one_line_body_test redefined at /var/lib/spamassassin/3.002004/updates_spamassassin_org/20_drugs.cf, rule __DRUGS_ERECTILE_L, line 6, GEN839 line 128.
Feb 19 11:09:26 rivendell spamd[987]: Subroutine __CARD_DIRECT_WWW_ADDRESS_one_line_body_test redefined at /var/lib/spamassassin/3.002004/updates_spamassassin_org/80_additional.cf, rule __CARD_DIRECT_WWW_ADDRESS, line 6, GEN839 line 128.
Feb 19 11:09:26 rivendell spamd[987]: Subroutine FB_HOMELOAN_one_line_body_test redefined at /var/lib/spamassassin/3.002004/updates_spamassassin_org/72_active.cf, rule FB_HOMELOAN, line 6, GEN839 line 128.

From what I can see in the logs, they started on 19-Feb.

I'm running SpamAssassin version 3.2.4 running on Perl version 5.8.8 in stock Fedora 8. I run the following command every 6 hours to update spamassassin:

/usr/bin/sa-update && /usr/bin/sa-compile > /dev/null 2>/tmp/sa-compile.log && kill -HUP $(cat /var/run/spamd.pid)

When I run spamassassin --lint, no errors are reported. If it's useful, the output of spamassassin --lint -D is available at http://www.qtemp.net/spamassassin-lint.txt.

Any thoughts?

Thanks!
david
autolearn vs sa-learn / Bayes
Hello list.

Does the bayes system use a separate db for the autolearn mode? Today I noticed that my SA bayes has 50 spam and 45 ham mails learned, when I thought the db had a lot more, because bayes IS being used.

# sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 50 0 non-token data: nspam
0.000 0 45 0 non-token data: nham

# spamassassin -D --lint
...
[7896] dbg: bayes: found bayes db version 3
[7896] dbg: bayes: DB journal sync: last sync: 0
[7896] dbg: bayes: not available for scanning, only 50 spam(s) in bayes DB < 200
...

In the beginning, after setting up SA, bayes was not being used. I had not trained it with anything yet, but my local.cf had:

use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Reading the logs I noticed that it was only autolearning spam, not ham. So I added

bayes_auto_learn_threshold_nonspam 0.5

and it started learning ham. I monitored the logs and at some point incoming mails started triggering the BAYES_20, BAYES_50, BAYES_00, BAYES_95, BAYES_99, rules. So I figured it had autolearned the minimum needed amount of ham and spam (200) to start working.

Every now and then I use sa-learn to feed some spam and ham to bayes, and I thought I was contributing to the same db. Those must be the 50 spam and 45 ham mails.

So what's the deal? :)

/Regards
Re: No scoring because of not beeing tested ?
On Thu, 2008-02-21 at 10:14 +0100, Emmanuel Lesouef wrote:
> On Thu, 21 Feb 2008 00:57:55 +0100, Karsten Bräckelmann [EMAIL PROTECTED] wrote:
> > > > At 13:51 20-02-2008, Emmanuel Lesouef wrote:
> > > > > http://pastebin.com/m61564e4
> >
> > That's not a default SA header. X-Spam-Checker-Version is missing, and that X-Spam-Status is missing autolearn and version. Whatever calls SA, you want to check with that.
>
> Amavisd-new is calling spamassassin.
>
> > Amavisd-new I assume, looking at the Received header right before the X-Spam stuff. And Amavisd-new is, what inserts these headers, too. It is not SA.
>
> But the spamassassin config is read from /etc/spamassassin ?

Yes. But this is not related to your issue, since in your OP you mentioned more and more spam with such a header.

X-Spam-Status: No, score=0 required=5 tests=[none]

So SA obviously works in the general case.

Again, the header has been added by Amavisd-new, and that's where you need to dig. SA merely processes the mail. It's Amavis that adds the headers, it's Amavis that decides if a mail be scanned or not, and that likely enforces a timeout until it continues processing your mail and maintains its own whitelists, etc.

You should go check your Amavis config and logs for any error messages regarding these specific mails. In particular, the tests=[none] has been added by Amavis, and it tries to tell you something that way.

Sorry, I'm not an Amavis user.

guenther

--
char *t=[EMAIL PROTECTED]; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: autolearn vs sa-learn / Bayes
Hola, Diego

2008/2/21, Diego Pomatta [EMAIL PROTECTED]:
> Hello list.
>
> Does the bayes system use a separate db for the autolearn mode? Today I noticed that my SA bayes has 50 spam and 45 ham mails learned, when I thought the db had a lot more, because bayes IS being used.
>
> # sa-learn --dump magic
> 0.000 0 3 0 non-token data: bayes db version
> 0.000 0 50 0 non-token data: nspam
> 0.000 0 45 0 non-token data: nham
>
> # spamassassin -D --lint
> ...
> [7896] dbg: bayes: found bayes db version 3
> [7896] dbg: bayes: DB journal sync: last sync: 0
> [7896] dbg: bayes: not available for scanning, only 50 spam(s) in bayes DB < 200
> ...
>
> In the beginning, after setting up SA, bayes was not being used. I had not trained it with anything yet, but my local.cf had:
>
> use_bayes 1
> use_bayes_rules 1
> bayes_auto_learn 1
>
> Reading the logs I noticed that it was only autolearning spam, not ham. So I added
>
> bayes_auto_learn_threshold_nonspam 0.5
>
> and it started learning ham. I monitored the logs and at some point incoming mails started triggering the BAYES_20, BAYES_50, BAYES_00, BAYES_95, BAYES_99, rules. So I figured it had autolearned the minimum needed amount of ham and spam (200) to start working.
>
> Every now and then I use sa-learn to feed some spam and ham to bayes, and I thought I was contributing to the same db. Those must be the 50 spam and 45 ham mails.
>
> So what's the deal? :)
>
> /Regards

Well, a couple of questions should be answered first: how do you call SA? under which user does SA run? are you learning those mails under the right user? Which version are you running? do you use sa-update?

Provided those questions, let's move to the core of this issue: As you said, you only have 50 spams and 45 hams learned. You should feed more data to SA, to make the Bayes scores kick-in.

Normally, Bayes scores help SA to get better filtering (at least, they do here, and I suspect they'll help you too, since as you work in Argentina, your main locale should be Spanish, and you'll be getting mostly Argentinian spam).

Regards,
Luis

--
GNU-GPL: May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
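Added example (not from the thread and not SpamAssassin code): a Python parser for `sa-learn --dump magic` output that applies the 200 spam / 200 ham minimum mentioned in the "sa-learn not learning?" and "autolearn vs sa-learn" threads and flags the case where training and scanning use different databases. The first two listings are copied from this page; the third is constructed, and comparing counters assumes both dumps were taken back to back.

```python
import re

MIN_TRAINED = 200  # minimum spam and ham counts quoted in the threads

# Copied from the listing in the "sa-learn not learning?" thread (run as amavis).
DUMP_AMAVIS = """\
0.000 0 3 0 non-token data: bayes db version
0.000 0 797361 0 non-token data: nspam
0.000 0 665377 0 non-token data: nham
0.000 0 186483 0 non-token data: ntokens
0.000 0 1203464108 0 non-token data: oldest atime
0.000 0 1203536991 0 non-token data: newest atime
"""

# Copied from the listing in the "autolearn vs sa-learn" thread.
DUMP_TRAINER = """\
0.000 0 3 0 non-token data: bayes db version
0.000 0 50 0 non-token data: nspam
0.000 0 45 0 non-token data: nham
"""

# Constructed: what the account that scans mail could report in that second case.
DUMP_SCANNER_CONSTRUCTED = """\
0.000 0 3 0 non-token data: bayes db version
0.000 0 412 0 non-token data: nspam
0.000 0 268 0 non-token data: nham
"""

# In the listings above the value sits in the third numeric column.
MAGIC_LINE = re.compile(r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$")


def parse_dump_magic(text):
    """Return {'nspam': 797361, 'nham': ..., ...} from --dump magic output."""
    stats = {}
    for line in text.splitlines():
        match = MAGIC_LINE.match(line)
        if match:
            stats[match.group(2)] = int(match.group(1))
    return stats


def bayes_ready(stats, minimum=MIN_TRAINED):
    """Return (ready, counters_below_minimum) for one database."""
    short = [key for key in ("nspam", "nham") if stats.get(key, 0) < minimum]
    return (not short, short)


def diagnose(trainer_text, scanner_text):
    """Compare a dump taken as the sa-learn user with one taken as the scanning user.

    Assumes both dumps were taken back to back, so differing counters mean
    two separate databases rather than mail learned in between.
    """
    trainer = parse_dump_magic(trainer_text)
    scanner = parse_dump_magic(scanner_text)
    same_db = all(trainer.get(k) == scanner.get(k) for k in ("nspam", "nham"))
    if not same_db:
        return "mismatch: sa-learn is training a database the scanner does not read"
    ready, short = bayes_ready(scanner)
    if not ready:
        return "undertrained: below %d for %s" % (MIN_TRAINED, ", ".join(short))
    return "ok"


if __name__ == "__main__":
    print(bayes_ready(parse_dump_magic(DUMP_AMAVIS)))
    print(diagnose(DUMP_TRAINER, DUMP_TRAINER))
    print(diagnose(DUMP_TRAINER, DUMP_SCANNER_CONSTRUCTED))
```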
RE: URIBL
Quoting Rocco Scappatura [EMAIL PROTECTED]:
> I have looked at the SURBL site. If I have well understood I have to enable only the plugin with loadPlugin.
>
> Then I have to use the command 'urirhssub' of the plugin URIDNSBL to specify that I want to use SURBLs:
>
> urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
> body URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
> describe URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
> tflags URIBL_JP_SURBL net
> score URIBL_JP_SURBL 3.0
>
> Indeed, I have not understood a number of things:
>
> 1. Why I have to use 'URIBL_JP_SURBL' as 'NAME_OF_RULE'? Is it an arbitrary name or it exists a number of 'NAME_OF_RULE'?
> 2. Does the body command have to specify 'eval:check_uridnsbl('NAME_OF_RULE')' where 'NAME_OF_RULE' is the name of the rule specified as parameter of the command 'urirhssub'?
> 3. tflags?
> 4. score?
> 5. Is there any simpler URIDNSBL plugin setting? Maybe a default one?
>
> rocsca

If you want to use SURBL and URIBL all you need to do is enable network tests:

http://www.surbl.org/faq.html#nettest

URI checking is built into SpamAssassin.

Jeff C.
Re: [OT] Bogus MX opinions
Marc Perkel wrote:
> Michael Scheidell wrote:
> > Didn't qmail have a problem if it hit a 'dead' primary mx server first?
>
> Qmail has a problem if it gets a 421 on the lowest MX. But if the lowest MX is totally dead Qmail is fine with it.

We issue tcp-reset via iptables and have never heard of any problems. Doing this also makes connecting servers fail out quickest, instead of waiting to timeout.
RE: URIBL
> HI, Rocco

Hi Luis,

> > I don't know what you mean for 'PRE QUEUE blacklist'.. Anyway I would like to help SpamAssassin in scoring emails..
>
> He means a blacklist which runs IN the MTA, not at SA level, when the MTA has accepted the message. It rejects spammers as they connect, mostly based on their IP. I run Zen, from Spamhaus here, with very good results.

Indeed, I'm using PRE QUEUE blacklist too (Zen from spamhaus, like you). I get appreciable results, but during the last days I get a huge increase of rejected emails, but at the same time I get a major number of false negatives. So I want to lower the number of false negatives.

rocsca
Re: URIBL
On Thu, Feb 21, 2008 at 09:57:17AM +0100, Rocco Scappatura wrote:
> I have looked at the SURBL site. If I have well understood I have to enable only the plugin with loadPlugin.

... and it's enabled by default, so you should be all set. :)

> Then I have to use the command 'urirhssub' of the plugin URIDNSBL to specify that I want to use SURBLs:

... the rules exist by default, so you should be all set. :)

> 1. Why I have to use 'URIBL_JP_SURBL' as 'NAME_OF_RULE'? Is it an arbitrary name or it exists a number of 'NAME_OF_RULE'?

Rule names are arbitrary, but usually descriptive of what they do. URIBL_JP_SURBL means it's a URIBL rule, using the SURBL JP information.

> 3. tflags?

$ perldoc Mail::SpamAssassin::Conf

> 4. score?

See tflags. It's the score added to the message's total if the rule hits.

> 5. Is there any simpler URIDNSBL plugin setting? Maybe a default one?

SURBL and URIBL are enabled by default. If you want to add your own for some other one, you can do that, but get your feet wet before you jump in. :)

--
Randomly Selected Tagline:
A Smith & Wesson beats four aces.
RE: URIBL
Quoting Rocco Scappatura [EMAIL PROTECTED]: I have looked at the SURBL site. If I have understood correctly I have to enable only the plugin with loadPlugin. Then I have to use the command 'urirhssub' of the plugin URIDNSBL to specify that I want to use SURBLs:

urirhssub URIBL_JP_SURBL multi.surbl.org. A 64
body URIBL_JP_SURBL eval:check_uridnsbl('URIBL_JP_SURBL')
describe URIBL_JP_SURBL Has URI in JP at http://www.surbl.org/lists.html
tflags URIBL_JP_SURBL net
score URIBL_JP_SURBL 3.0

Indeed, I have not understood a number of things: 1. Why do I have to use 'URIBL_JP_SURBL' as 'NAME_OF_RULE'? Is it an arbitrary name, or does a number of 'NAME_OF_RULE' exist? 2. Does the body command have to specify 'eval:check_uridnsbl('NAME_OF_RULE')' where 'NAME_OF_RULE' is the name of the rule specified as parameter of the command 'urirhssub'? 3. tflags? 4. score? 5. Is there any simpler URIDNSBL plugin setting? Maybe a default one? rocsca If you want to use SURBL and URIBL all you need to do is enable network tests: http://www.surbl.org/faq.html#nettest URI checking is built into SpamAssassin. $sa_local_tests_only = 0; I have already set in /etc/amavisd.conf: $sa_local_tests_only = 0; So you say that SURBL is already set? rocsca
Re: [OT] Bogus MX opinions
Richard Frovarp wrote: We issue tcp-reset via iptables and have never heard of any problems. Doing this also makes connecting servers fail out quickest, instead of waiting to timeout. Interesting. How do you do that?
SpamAssassin MIMEDefang High Load Average
I am currently running SpamAssassin 3.1.9 and MIMEDefang 2.6.3. I recently attempted an upgrade of SpamAssassin to the latest version (3.2.4) and in a matter of about 15 minutes, the load average on the server skyrocketed to over 20 and continued to grow. The output of the top command showed that numerous mimedefang processes had been spawned and they all just sat there eating up the CPU and memory. I reverted back to SpamAssassin 3.1.9 and everything returned to normal. In an attempt to troubleshoot this issue, I duplicated my Sendmail+MIMEDefang+SpamAssassin configuration onto a test machine. I have been unsuccessful in getting this problem to occur on the test machine. However, any attempt to upgrade SpamAssassin on my production server results in high load averages. At this point, I'm at a standstill in terms of what the next step should be in troubleshooting this problem. I am unsure if this is a SpamAssassin problem or MIMEDefang problem as both seem to be involved. I have been searching around on other forums and have not found anything. Any suggestions would be greatly appreciated. Please let me know if there are any configuration files I can post that will help in narrowing this down further. Thank you.
Re: autolearn vs sa-learn / Bayes
Luis Hernán Otegui wrote: Hello, Diego 2008/2/21, Diego Pomatta [EMAIL PROTECTED]: Hello list. Does the bayes system use a separate db for the autolearn mode? Today I noticed that my SA bayes has 50 spam and 45 ham mails learned, when I thought the db had a lot more, because bayes IS being used.

# sa-learn --dump magic
0.000 0 3 0 non-token data: bayes db version
0.000 0 50 0 non-token data: nspam
0.000 0 45 0 non-token data: nham

# spamassassin -D --lint
...
[7896] dbg: bayes: found bayes db version 3
[7896] dbg: bayes: DB journal sync: last sync: 0
[7896] dbg: bayes: not available for scanning, only 50 spam(s) in bayes DB < 200
...

In the beginning, after setting up SA, bayes was not being used. I had not trained it with anything yet, but my local.cf had:

use_bayes 1
use_bayes_rules 1
bayes_auto_learn 1

Reading the logs I noticed that it was only autolearning spam, not ham. So I added

bayes_auto_learn_threshold_nonspam 0.5

and it started learning ham. I monitored the logs and at some point incoming mails started triggering the BAYES_20, BAYES_50, BAYES_00, BAYES_95, BAYES_99, rules. So I figured it had autolearned the minimum needed amount of ham and spam (200) to start working. Every now and then I use sa-learn to feed some spam and ham to bayes, and I thought I was contributing to the same db. Those must be the 50 spam and 45 ham mails. So what's the deal? :) /Regards Well, a couple of questions should be answered first: how do you call SA? under which user does SA run? are you learning those mails under the right user? Which version are you running? do you use sa-update? Provided those questions, let's move to the core of this issue: As you said, you only have 50 spams and 45 hams learned. You should feed more data to SA, to make the Bayes scores kick in. Normally, Bayes scores help SA to get better filtering (at least, they do here, and I suspect they'll help you too, since as you work in Argentina, your main locale should be Spanish, and you'll be getting mostly Argentinian spam). Regards, Luis Hey Luis. I forgot to add that info, duh. The setup here is qmail 3.05 simscan 1.3.1 SpamAssassin 3.2.1 (spamd/spamc) sa-update is cron'ed to run daily ( no parameters = default channel - updates.spamassassin.org, right? ) Simscan calls spamc under the user simscan. I did the manual feeding to sa-learn as root. so... ummm. I guess root has the separate database and I've been using sa-learn with the wrong user...? Ook, time to remove head from butt, and insert foot in mouth *lol* Regards Where are you from Luis?
Re: [OT] Bogus MX opinions
Marc Perkel wrote: Richard Frovarp wrote: We issue tcp-reset via iptables and have never heard of any problems. Doing this also makes connecting servers fail out quickest, instead of waiting to timeout. Interesting. How do you do that?

-A ports_deny -d de.st.i.p -p tcp -m tcp --dport 25 -j REJECT --reject-with tcp-reset
Re: [OT] Bogus MX opinions
On Wed, 20 Feb 2008, Aaron Wolfe wrote: Quotes from this thread (and the nolisting site which was posted as a response): Michael Scheidell - Do NOT use a bogus mx as your lowest priority. Bowie Bailey - I would say that it is too risky to put a non-smtp host as your primary MX nolisting.org - longterm use has yet to yield a single false positive Marc Perkel - YES - it works... I have had no false positives at all using this. I am interested in this technique, and have been for some time. It seems like every discussion of it leads to a group saying you will lose mail and a group saying you will not lose mail. Is there any way to resolve this once and for all? It's hard for me to see why either side would misrepresent the truth, but obviously someone is wrong here. One thing I notice (and I certainly could be wrong here)... the proponents seem to be actually using nolisting and claiming no problems, whilst those against the idea seem to be predicting problems rather than reporting on actual issues they have experienced. -Aaron OK, here's a real-world report of an actual issue that we experienced using a modified Marc Perkel method (actually almost exactly the same as Richard Frovarp's setup: firewalled primary, open secondary, 421'ed tertiary). We got complaints from one of our users about missing mail from a local governmental site that was being delivered before I had implemented the firewalled primary setup. After doing a lot of investigation (both at our side and by the admin of the afflicted sending system) it turned out that their mail server was behind a smart firewall that would only let smtp traffic -out- going to the first MX record of a smtp stream (the damned firewall was making the determination ;(. The mail admin had a compliant server but he had no luck getting the network admins to fix/change their firewall, so effectively legitimate mail was being blocked by that setup. So when Marc Perkel says: YES - it works... I have had no false positives at all using this. it means that he has not yet run into this kind of scenario (or doesn't know that he has). If you want to run that kind of config, as Richard Frovarp found, you'll have to have some kind of mechanism for handling exceptions and problem children. -- Dave Funk University of Iowa dbfunk (at) engineering.uiowa.edu College of Engineering 319/335-5751 FAX: 319/384-0549 1256 Seamans Center Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527 #include std_disclaimer.h Better is not better, 'standard' is better. B{
Re: [OT] Bogus MX opinions
David B Funk wrote: On Wed, 20 Feb 2008, Aaron Wolfe wrote: Quotes from this thread (and the nolisting site which was posted as a response): Michael Scheidell - Do NOT use a bogus mx as your lowest priority. Bowie Bailey - I would say that it is too risky to put a non-smtp host as your primary MX nolisting.org - longterm use has yet to yield a single false positive Marc Perkel - YES - it works... I have had no false positives at all using this. I am interested in this technique, and have been for some time. It seems like every discussion of it leads to a group saying you will lose mail and a group saying you will not lose mail. Is there any way to resolve this once and for all? It's hard for me to see why either side would misrepresent the truth, but obviously someone is wrong here. One thing I notice (and I certainly could be wrong here)... the proponents seem to be actually using nolisting and claiming no problems, whilst those against the idea seem to be predicting problems rather than reporting on actual issues they have experienced. -Aaron OK, here's a real-world report of an actual issue that we experienced using a modified Marc Perkel method (actually almost exactly the same as Richard Frovarp's setup: firewalled primary, open secondary, 421'ed tertiary). We got complaints from one of our users about missing mail from a local governmental site that was being delivered before I had implemented the firewalled primary setup. After doing a lot of investigation (both at our side and by the admin of the afflicted sending system) it turned out that their mail server was behind a smart firewall that would only let smtp traffic -out- going to the first MX record of a smtp stream (the damned firewall was making the determination ;(. The mail admin had a compliant server but he had no luck getting the network admins to fix/change their firewall, so effectively legitimate mail was being blocked by that setup. So when Marc Perkel says: YES - it works... I have had no false positives at all using this. it means that he has not yet run into this kind of scenario (or doesn't know that he has). If you want to run that kind of config, as Richard Frovarp found, you'll have to have some kind of mechanism for handling exceptions and problem children. I would add that bogus primary MX settings have this issue. However bogus MX on the high numbered end are completely safe.

real.domain.com 10
backup.domain.com 20
bogus.domain.com 30

This would be totally safe. Here's a little script for processing exceptions if you use a bogus primary MX

# PRIMARY_IP: address of the bogus primary MX; must be set before running
: "${PRIMARY_IP:?set PRIMARY_IP first}"
# Let every address in the first column of /etc/whiteip.txt (comment lines skipped) reach port 25
for ipaddress in $( grep -v '^#' /etc/whiteip.txt | awk '{print $1}' ); do
    /sbin/iptables -v -I INPUT -s "$ipaddress" -d "$PRIMARY_IP" -p tcp --dport 25 -j ACCEPT
done
Re: [OT] Bogus MX opinions
Mark Johnson wrote: Marc Perkel wrote: Because there is occasionally some server doing something very weird you might have to open up port 25 on some specific IP who is running something really dumb. I think I've had to do this only once or twice. But once you open up port 25 to the problem user you solved the problem. For the most part if you do an MX sandwich as above you'll get rid of 80% of your spam and not lose good email. If you are fearful of going all the way then just do the higher numbered MX and leave the bottom as is. This has been interesting and I want to give this a try. What's the easiest way to give out a 421 on a bogus MX and log the attempt? Build a separate server? Use an existing server and run a service on another port? I've got extra IP's but don't want to over complicate the process. I'm using Exim and I have it listening on several IP addresses. If you aren't using Exim then you'll have to get someone to help you.

defer condition = ${if match{$interface_address}{69.50.231.160}}

You could just point it to a dead IP address which is the simple way to do it.
Re: [OT] Bogus MX opinions
Marc Perkel wrote: I'm using Exim and I have it listening on several IP addresses. If you aren't using Exim then you'll have to get someone to help you.

defer condition = ${if match{$interface_address}{69.50.231.160}}

You could just point it to a dead IP address which is the simple way to do it. I'll try it this way. I'd like to be able to log the connection attempts to see what's going on. It sounds like you run a number of servers. What are you doing to combine your logging information? Thanks for the advice! -- Mark Johnson http://www.astroshapes.com/information-technology/blog
Re: [OT] Bogus MX opinions
Mark Johnson wrote: Marc Perkel wrote: I'm using Exim and I have it listening on several IP addresses. If you aren't using Exim then you'll have to get someone to help you.

defer condition = ${if match{$interface_address}{69.50.231.160}}

You could just point it to a dead IP address which is the simple way to do it. I'll try it this way. I'd like to be able to log the connection attempts to see what's going on. It sounds like you run a number of servers. What are you doing to combine your logging information? Thanks for the advice! I have a main primary server that has the primary MX and all bogus MX. SA and MySQL are on separate servers. I also have 4 other backup servers 3 separate locations that handle load spikes and process email should the main colo die for some reason. So I have a bogus level, a primary level, a ring of secondary backup servers and a bunch of high numbered bogus MX records.
Re: [OT] Bogus MX opinions
Marc Perkel wrote: Because there is occasionally some server doing something very weird you might have to open up port 25 on some specific IP who is running something really dumb. I think I've had to do this only once or twice. But once you open up port 25 to the problem user you solved the problem. For the most part if you do an MX sandwich as above you'll get rid of 80% of your spam and not lose good email. If you are fearful of going all the way then just do the higher numbered MX and leave the bottom as is. This has been interesting and I want to give this a try. What's the easiest way to give out a 421 on a bogus MX and log the attempt? Build a separate server? Use an existing server and run a service on another port? I've got extra IP's but don't want to over complicate the process. -- Mark Johnson http://www.astroshapes.com/information-technology/blog/
Bogus MX - blacklist service viable?
What's everyone's opinion on something like: defermx.domain.com bogusmx.domain.com provide this hosted (i.e. I'm thinking of offering), but instead of ONLY log it somehow feed / create a blacklist based on this? I'm not as familiar with blacklists as many of you, but the network / smtp / logging side of this is easy for me to implement. I'm thinking make this a very public (free) service to gather data for the blacklist, anyone could list the mx. Thoughts? Steve Radich - http://www.aspdeveloper.net / http://www.virtualserverfaq.com BitShop, Inc. - Development, Training, Hosting, Troubleshooting - http://www.bitshop.com
Re: Bogus MX - blacklist service viable?
Hi! provide this hosted (i.e. I'm thinking of offering), but instead of ONLY log it somehow feed / create a blacklist based on this? I'm not as familiar with blacklists as many of you, but the network / smtp / logging side of this is easy for me to implement. I'm thinking make this a very public (free) service to gather data for the blacklist, anyone could list the mx. What's wrong with: http://www.rfc-ignorant.org/tools/submit_form.php?table=bogusmx Bye, Raymond.
Re: Bogus MX - blacklist service viable?
On Thu, 2008-02-21 at 21:58 +0100, Raymond Dijkxhoorn wrote: Hi! provide this hosted (i.e. I'm thinking of offering), but instead of ONLY log it somehow feed / create a blacklist based on this? I'm not as familiar with blacklists as many of you, but the network / smtp / logging side of this is easy for me to implement. I'm thinking make this a very public (free) service to gather data for the blacklist, anyone could list the mx. What's wrong with: http://www.rfc-ignorant.org/tools/submit_form.php?table=bogusmx wrong direction. That lists domains that don't have their MX records set up properly, not ip addresses that attempt to send mail to sites that are not MX records. -- Daniel J McDonald, CCIE #2495, CISSP #78281, CNX Austin Energy http://www.austinenergy.com
Re: Bogus MX - blacklist service viable?
Steve Radich wrote: What's everyone's opinion on something like: defermx.domain.com bogusmx.domain.com provide this hosted (i.e. I'm thinking of offering), but instead of ONLY log it somehow feed / create a blacklist based on this? I'm not as familiar with blacklists as many of you, but the network / smtp / logging side of this is easy for me to implement. I'm thinking make this a very public (free) service to gather data for the blacklist, anyone could list the mx. Thoughts? Steve Radich - http://www.aspdeveloper.net / http://www.virtualserverfaq.com BitShop, Inc. - Development, Training, Hosting, Troubleshooting - http://www.bitshop.com I'm confused. What are you trying to accomplish?
RE: Installation on SpamAssassin
-Original Message- From: jeco [mailto:[EMAIL PROTECTED] Sent: Friday, 22 February 2008 1:55 a.m. To: users@spamassassin.apache.org Subject: Installation on SpamAssassin Hi to all members here, I'm a new member and would like to ask help on how to install SpamAssassin? Aside from working with an email server, will this work with Webmails like gmail, yahoo, or msn? thank you in advance Hi jeco, You ought to visit http://spamassassin.apache.org and find out a bit more about it. The installation of SA is quite an easy thing (though I would suggest doing it via package management, and not building it from source) but the configuration is a different story. You've not supplied many details. Are you installing a fresh mail server at the same time? Or are you installing Spamassassin into a live/functional Mail Server? Do you know what MTA you're using, or are going to be using? You really need to answer these questions for yourself, and then find some instructions for configuring SA for your setup/distribution/Mail Transport Agent. It is when you are having problems configuring this that the mailing list can help you. So, to summarise, find out what SA can and can't do for you from its website. Figure out how you want to use it, and what you are deploying it upon. If you are going to be putting SA on a live server, it would pay to consult with this list first, but you really need to supply some more details. Cheers, Mike
Re: Bogus MX - blacklist service viable?
Hi! defermx.domain.com bogusmx.domain.com provide this hosted (i.e. I'm thinking of offering), but instead of ONLY log it somehow feed / create a blacklist based on this? I'm not as familiar with blacklists as many of you, but the network / smtp / logging side of this is easy for me to implement. I'm thinking make this a very public (free) service to gather data for the blacklist, anyone could list the mx. Thoughts? I'm confused. What are you trying to accomplish? I thought i was lost, but even if Marc can follow you ;) eh eh Bye, Raymond.
Re: Time to make multi.uribl.org optional rather than default?
Nigel Frankcom wrote: Some stick a donate option on their sites, which I suspect is rarely used. Others don't even do that. I'm betting that URIBL is closing in on enough donations (via the PayPal button) to buy 128MB of SDRAM soon! I know they were getting close. :) I must admit to being horrified that anyone EXPECTS this for free. That reminds me of a mail I once received admonishing me for putting a link to my Amazon wish list in the SA CREDITS file a year or so after I started working on SA (not that having the link makes a difference, but that's fine, no one is forcing me or anyone else to do anything). Daryl
Re: [OT] Bogus MX opinions
Marc Perkel wrote: David B Funk wrote: On Wed, 20 Feb 2008, Aaron Wolfe wrote: Quotes from this thread (and the nolisting site which was posted as a response): Michael Scheidell - Do NOT use a bogus mx as your lowest priority. Bowie Bailey - I would say that it is too risky to put a non-smtp host as your primary MX nolisting.org - longterm use has yet to yield a single false positive Marc Perkel - YES - it works... I have had no false positives at all using this. I am interested in this technique, and have been for some time. It seems like every discussion of it leads to a group saying you will lose mail and a group saying you will not lose mail. Is there any way to resolve this once and for all? It's hard for me to see why either side would misrepresent the truth, but obviously someone is wrong here. One thing I notice (and I certainly could be wrong here)... the proponents seem to be actually using nolisting and claiming no problems, whilst those against the idea seem to be predicting problems rather than reporting on actual issues they have experienced. -Aaron OK, here's a real-world report of an actual issue that we experienced using a modified Marc Perkel method (actually almost exactly the same as Richard Frovarp's setup: firewalled primary, open secondary, 421'ed tertiary). We got complaints from one of our users about missing mail from a local governmental site that was being delivered before I had implemented the firewalled primary setup. After doing a lot of investigation (both at our side and by the admin of the afflicted sending system) it turned out that their mail server was behind a smart firewall that would only let smtp traffic -out- going to the first MX record of a smtp stream (the damned firewall was making the determination ;(. The mail admin had a compliant server but he had no luck getting the network admins to fix/change their firewall, so effectively legitimate mail was being blocked by that setup. So when Marc Perkel says: YES - it works... I have had no false positives at all using this. it means that he has not yet run into this kind of scenario (or doesn't know that he has). If you want to run that kind of config, as Richard Frovarp found, you'll have to have some kind of mechanism for handling exceptions and problem children. I would add that bogus primary MX settings have this issue. However bogus MX on the high numbered end are completely safe.

real.domain.com 10
backup.domain.com 20
bogus.domain.com 30

This would be totally safe. No. it is not totally safe. I will be happy to see your argumentation that this would be safe. until then, ... Here's a little script for processing exceptions if you use a bogus primary MX

# PRIMARY_IP: address of the bogus primary MX; must be set before running
: "${PRIMARY_IP:?set PRIMARY_IP first}"
# Let every address in the first column of /etc/whiteip.txt (comment lines skipped) reach port 25
for ipaddress in $( grep -v '^#' /etc/whiteip.txt | awk '{print $1}' ); do
    /sbin/iptables -v -I INPUT -s "$ipaddress" -d "$PRIMARY_IP" -p tcp --dport 25 -j ACCEPT
done
Re: Bogus MX - blacklist service viable?
McDonald, Dan wrote: On Thu, 2008-02-21 at 21:58 +0100, Raymond Dijkxhoorn wrote: Hi! provide this hosted (i.e. I'm thinking of offering), but instead of ONLY log it somehow feed / create a blacklist based on this? I'm not as familiar with blacklists as many of you, but the network / smtp / logging side of this is easy for me to implement. I'm thinking make this a very public (free) service to gather data for the blacklist, anyone could list the mx. What's wrong with: http://www.rfc-ignorant.org/tools/submit_form.php?table=bogusmx wrong direction. That lists domains that don't have their MX records set up properly, not ip addresses that attempt to send mail to sites that are not MX records. and the difference is? if you force our servers to retry each time we connect to your server, then we will find other people to talk to (in short, we'll BL you) unless you ask the IETF to modify SMTP by adding a knocking requirement.
Re: [OT] Bogus MX opinions
I guess just customers who want a fall back in case postini goes down.

host -t mx hormel.com
hormel.com mail is handled by 100 hormel.com.mail5.psmtp.com.
hormel.com mail is handled by 200 hormel.com.mail6.psmtp.com.
hormel.com mail is handled by 300 hormel.com.mail7.psmtp.com.
hormel.com mail is handled by 400 hormel.com.mail8.psmtp.com.

Hormel.com is only using 4. I have seen 5 a lot. I didn't check and do statistics on which ones do and which ones don't. -- Michael Scheidell, CTO |SECNAP Network Security Winner 2008 Network Products Guide Hot Companies FreeBsd SpamAssassin Ports maintainer Charter member, ICSA labs anti-spam consortium
RE: Bogus MX - blacklist service viable?
Sorry; apparently I was unclear. MX records I'm saying as follows: 100 - Real 200 - Real perhaps, as many real as you want 300 - Bogus - one that blocks port 25 with tcp reset for example 400 - accept port, logs ip - blacklist (not to be scored aggressively at all) with a 421/retry. If a whole bunch of places are seeing the same smtp server hitting this 400 level MX then I'm saying that seems like a useful thing to be included in a blacklist using a low score in sa. The point was to offer the 400 level mx as a free service to log the ips quickly for those that don't want to set up the server themselves. In theory the 400 level MX wouldn't be used by real smtp very often, hence it's likely a spammer and therefore the IP could be auto blacklisted. Realize I'm NOT proposing we block on this, just score based on this list. Steve Radich - http://www.aspdeveloper.net / http://www.virtualserverfaq.com BitShop, Inc. - Development, Training, Hosting, Troubleshooting - http://www.bitshop.com -Original Message- From: mouss [mailto:[EMAIL PROTECTED] Sent: Thursday, February 21, 2008 8:25 PM Cc: users@spamassassin.apache.org Subject: Re: Bogus MX - blacklist service viable? McDonald, Dan wrote: On Thu, 2008-02-21 at 21:58 +0100, Raymond Dijkxhoorn wrote: Hi! provide this hosted (i.e. I'm thinking of offering), but instead of ONLY log it somehow feed / create a blacklist based on this? I'm not as familiar with blacklists as many of you, but the network / smtp / logging side of this is easy for me to implement. I'm thinking make this a very public (free) service to gather data for the blacklist, anyone could list the mx. What's wrong with: http://www.rfc-ignorant.org/tools/submit_form.php?table=bogusmx wrong direction. That lists domains that don't have their MX records set up properly, not ip addresses that attempt to send mail to sites that are not MX records. and the difference is?
if you force our servers to retry each time we connect to your server, then we will find other people to talk to (in short, we'll BL you) unless you ask the IETF to modify SMTP by adding a knocking requirement.
Re: Bogus MX - blacklist service viable?
Steve Radich wrote: Sorry; apparently I was unclear. MX records I'm saying as follows: 100 - Real 200 - Real perhaps, as many real as you want 300 - Bogus - one that blocks port 25 with tcp reset for example 400 - accept port, logs ip - blacklist (not to be scored aggressively at all) with a 421/retry. If a whole bunch of places are seeing the same smtp server hitting this 400 level MX then I'm saying that seems like a useful thing to be included in a blacklist using a low score in sa. The point was to offer the 400 level mx as a free service to log the ips quickly for those that don't want to set up the server themselves. In theory the 400 level MX wouldn't be used by real smtp very often, hence it's likely a spammer and therefore the IP could be auto blacklisted. Realize I'm NOT proposing we block on this, just score based on this list. Steve Radich - http://www.aspdeveloper.net / http://www.virtualserverfaq.com BitShop, Inc. - Development, Training, Hosting, Troubleshooting - http://www.bitshop.com I'm actually doing something like that. What I do is track hits on the highest MX that has not hit the lowest numbered MX, then because I use Exim I can track which IP addresses don't send the QUIT command to close the connection. This combination creates a highly reliable blacklist and I'm currently tracking about 1.1 million virus infected spambots that have tried to spam me in the last 4 days. It's my hostkarma list.
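Added example, not part of Marc Perkel's message and not his hostkarma code: a sketch of the correlation he describes, flagging hosts that hit the highest-numbered MX without trying the lowest one and that never send QUIT. The event format, the 100/400 priorities (borrowed from Steve Radich's layout), the one-hour window and the "list"/"watch" labels are assumptions made for the example.

```python
"""Correlate hits on MX tiers to find hosts that skip the real MX.

Added illustration; the event format below is constructed for this example
and is not an Exim or Postfix log format.
"""
from collections import defaultdict
import ipaddress

LOWEST_MX = 100   # lowest-numbered MX, which compliant senders try first
HIGHEST_MX = 400  # highest-numbered MX, which answers 421 and logs the client
WINDOW = 3600     # assumed: seconds within which a lowest-MX visit clears a host

# Constructed events: epoch seconds, MX priority contacted, client IP,
# and how the session ended ("quit" = client sent QUIT, "dropped" = it did not).
SAMPLE_LOG = """\
1203650000 400 192.0.2.10 dropped
1203650050 400 192.0.2.10 dropped
1203650100 100 198.51.100.7 quit
1203650160 400 198.51.100.7 quit
1203650200 400 203.0.113.5 quit
1203650300 400 192.0.2.44 dropped
1203650400 100 192.0.2.44 quit
not a log line
1203650500 400 999.1.1.1 dropped
"""


def parse_events(text):
    """Return (ts, priority, ip, ending) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("quit", "dropped"):
            continue
        try:
            ts, priority = int(parts[0]), int(parts[1])
            ip = str(ipaddress.ip_address(parts[2]))
        except ValueError:
            continue  # non-numeric field or invalid address
        events.append((ts, priority, ip, parts[3]))
    return events


def classify(events, lowest=LOWEST_MX, highest=HIGHEST_MX, window=WINDOW):
    """Map client IP -> "list" or "watch" for hosts that skipped the lowest MX.

    A hit on the highest MX is "explained" when the same IP also contacted the
    lowest MX within `window` seconds (before or after), which is what a sender
    walking the MX list in order, or retrying after the 421, looks like.
    """
    low_hits = defaultdict(list)
    trap_hits = defaultdict(list)
    for ts, priority, ip, ending in events:
        if priority == lowest:
            low_hits[ip].append(ts)
        elif priority == highest:
            trap_hits[ip].append((ts, ending))

    verdicts = {}
    for ip, hits in trap_hits.items():
        unexplained = [
            ending for ts, ending in hits
            if not any(abs(ts - low) <= window for low in low_hits.get(ip, ()))
        ]
        if not unexplained:
            continue  # host also tried the lowest MX: leave it alone
        # Both signals together (skipped the lowest MX and never sent QUIT)
        # give "list"; skipping alone is only worth watching.
        if all(ending == "dropped" for ending in unexplained):
            verdicts[ip] = "list"
        else:
            verdicts[ip] = "watch"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in sorted(classify(parse_events(SAMPLE_LOG)).items()):
        print(f"{ip}\t{verdict}")
```

The verdicts are meant to feed a score, as Steve Radich proposes, not a block.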
Re: Bogus MX - blacklist service viable?
On Thu, Feb 21, 2008 at 11:47 PM, Marc Perkel [EMAIL PROTECTED] wrote: Steve Radich wrote: Sorry; apparently I was unclear. MX records I'm saying as follows: 100 - Real 200 - Real perhaps, as many real as you want 300 - Bogus - one that blocks port 25 with tcp reset for example 400 - accept port, logs ip - blacklist (not to be scored aggressively at all) with a 421/retry. If a whole bunch of places are seeing the same smtp server hitting this 400 level MX then I'm saying that seems like a useful thing to be included in a blacklist using a low score in sa. The point was to offer the 400 level mx as a free service to log the ips quickly for those that don't want to set up the server themselves. In theory the 400 level MX wouldn't be used by real smtp very often, hence it's likely a spammer and therefore the IP could be auto blacklisted. Realize I'm NOT proposing we block on this, just score based on this list. Steve Radich - http://www.aspdeveloper.net / http://www.virtualserverfaq.com BitShop, Inc. - Development, Training, Hosting, Troubleshooting - http://www.bitshop.com I'm actually doing something like that. What I do is track hits on the highest MX that has not hit the lowest numbered MX, then because I use Exim I can track which IP addresses don't send the QUIT command to close I am thinking about playing around with the same type of thing here.. Is this any different from looking for lost connection after DATA or lost connection after RCPT errors in a postfix server's logs? Not sure why you can detect this because you run Exim specifically. Or am I missing something? the connection. This combination creates a highly reliable blacklist and I'm currently tracking about 1.1 million virus infected spambots that have tried to spam me in the last 4 days. It's my hostkarma list. Sounds interesting.. do you block based on this list or just use it for scoring in SA or something like that? What is the false positive rate? -Aaron
RE: Installation on SpamAssassin
ok, thanks for the reply Mike, I'll try to explore the link you've given and learn first the basics. Sorry, because I'm just a newbie with this Anti Spam and would like to know more about it. Thanks and good day Michael Hutchinson-3 wrote: -Original Message- From: jeco [mailto:[EMAIL PROTECTED] Sent: Friday, 22 February 2008 1:55 a.m. To: users@spamassassin.apache.org Subject: Installation on SpamAssassin Hi to all members here, I'm a new member and would like to ask help on how to install SpamAssassin? Aside from working with an email server, will this work with Webmails like gmail, yahoo, or msn? thank you in advance Hi jeco, You ought to visit http://spamassassin.apache.org and find out a bit more about it. The installation of SA is quite an easy thing (though I would suggest doing it via package management, and not building it from source) but the configuration is a different story. You've not supplied many details. Are you installing a fresh mail server at the same time? Or are you installing Spamassassin into a live/functional Mail Server? Do you know what MTA you're using, or are going to be using? You really need to answer these questions for yourself, and then find some instructions for configuring SA for your setup/distribution/Mail Transport Agent. It is when you are having problems configuring this that the mailing list can help you. So, to summarise, find out what SA can and can't do for you from its website. Figure out how you want to use it, and what you are deploying it upon. If you are going to be putting SA on a live server, it would pay to consult with this list first, but you really need to supply some more details. Cheers, Mike