HABEAS_ACCREDITED_COI

2008-02-26 Thread Anthony Peacock

Hi,

I have just received a number of spam emails which got through the
filtering system because they hit the HABEAS_ACCREDITED_COI rule, which
gives them -8.  They all came to role-based addresses that are never used
for outgoing emails and would certainly never be subscribed to opt-in
email lists.


I have had a look around the http://www.habeas.com/ website and can't 
really see how to check the company in question, or make a complaint. 
There is a form for asking them to ask the company to remove these 
addresses from their mailing list, but I don't want to have to do that, 
I want to complain about the company.


Does anyone know anything about this?  At this stage I am planning on
changing the score for all HABEAS_ACCREDITED_??? rules to 0, to make
them neutral to the score.


--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study at CHIME in 2008. http://www.chime.ucl.ac.uk/study-health-informatics/


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Benny Pedersen

On Tue, February 26, 2008 09:49, Anthony Peacock wrote:

> Does anyone know anything about this?  At this stage I am planning on
> changing the score for all HABEAS_ACCREDITED_??? rules to 0, to make
> them neutral to the score.

score 0 disables the test


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Jason Haar

Anthony Peacock wrote:

> I have had a look around the http://www.habeas.com/ website and can't
> really see how to check the company in question, or make a complaint.
> There is a form for asking them to ask the company to remove these
> addresses from their mailing list, but I don't want to have to do
> that, I want to complain about the company.

This is a "me too". I had the same problem and came to exactly the same
conclusion: there's no way I could find to notify them that one of their
supposedly squeaky-clean customers is sending spam. I'm pushing their
score down to 0 too.


Grr

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Justin Mason

Jason Haar writes:
> Anthony Peacock wrote:
> >
> > I have had a look around the http://www.habeas.com/ website and can't 
> > really see how to check the company in question, or make a complaint. 
> > There is a form for asking them to ask the company to remove these 
> > addresses from their mailing list, but I don't want to have to do 
> > that, I want to complain about the company.
> This is a "me too". I had the same problem and came to exactly the same 
> conclusion: there's no way I could find to notify them that one of their 
> supposedly squeaky-clean customers is sending spam. I'm pushing their 
> score down to 0 too.

No way you could find?  look harder guys ;)

at the top of www.habeas.com, 'Support', then 'Give Feedback on Habeas
Certified Senders' brings you to this page:

  http://www.habeas.com/en-US/Company_Feedback.php

That page says you can also just forward it to complaints /at/ habeas.com.

'HABEAS_ACCREDITED_COI' is supposed to require confirmed opt-in.  They
should LART these senders with a big stick.

--j.


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Yet Another Ninja

On 2/26/2008 10:57 AM, Justin Mason wrote:

> Jason Haar writes:
>
> > Anthony Peacock wrote:
> >
> > > I have had a look around the http://www.habeas.com/ website and can't
> > > really see how to check the company in question, or make a complaint.
> > > There is a form for asking them to ask the company to remove these
> > > addresses from their mailing list, but I don't want to have to do
> > > that, I want to complain about the company.
> >
> > This is a "me too". I had the same problem and came to exactly the same
> > conclusion: there's no way I could find to notify them that one of their
> > supposedly squeaky-clean customers is sending spam. I'm pushing their
> > score down to 0 too.
>
> No way you could find?  look harder guys ;)
>
> at the top of www.habeas.com, 'Support', then 'Give Feedback on Habeas
> Certified Senders' brings you to this page:
>
>   http://www.habeas.com/en-US/Company_Feedback.php
>
> That page says you can also just forward it to complaints /at/ habeas.com.
>
> 'HABEAS_ACCREDITED_COI' is supposed to require confirmed opt-in.  They
> should LART these senders with a big stick.

I would personally welcome all these "certifier" rules being disabled by
default.

There are performance and filtering reasons to request this.

Don't see any good reason to trust "paid-for-certification"?
/Hello ESPs & Co.! - don't start the blah/flame war here - it's useless/

AXB






Hotmail DCC listed ???

2008-02-26 Thread Rejaine Monteiro

This is the rule check for a 'normal' (non-spam) e-mail coming from Hotmail:

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 SUBJ_ALL_CAPS          Subject is all capitals
 2.3 FORGED_HOTMAIL_RCVD    Forged hotmail.com 'Received:' header found
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4743]
 0.2 MIME_BASE64_NO_NAME    RAW: base64 attachment does not have a file name
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/)

Are FORGED_HOTMAIL_RCVD and DCC_CHECK false positives???


Re: Hotmail DCC listed ???

2008-02-26 Thread --[ UxBoD ]--
we would need to see the full headers.

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- "Rejaine Monteiro" <[EMAIL PROTECTED]> wrote:

> This is the rule check for a 'normal' (non-spam) e-mail coming from
> Hotmail:
> 
>  pts rule name  description

-- 
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.



Email with no "hits" and "required"

2008-02-26 Thread Massimiliano Marini
System: Debian with Qmail + QmailScanner + SpamAssassins + ClamAV
Installation: qmailrocks.org

I've updated SA (originally 3.0.2 from qmailrocks.org) to 3.2.4.
My locale.cf is:

rewrite_header Subject *SPAM*
report_safe 0
required_score 4
required_hits 5
use_bayes 1

Question 1. The email is still tagged like this:

Received: from  ... [snip] ... with qmail-scanner-1.25-st-qms
(clamdscan: 0.83/705. spamassassin: 3.0.2. perlscan: 1.25-st-qms.
^^
I've updated to 3.2.4
spamd -V :
SpamAssassin Server version 3.2.4
  running on Perl 5.8.4

Question 2. And some emails have this tag:

X-Spam-Status: No, hits=? required=?

Why?

Cheers
--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
"It's easier to invent the future than to predict it."  -- Alan Kay


Exploit or artifact?

2008-02-26 Thread Jeff Eshom
I run a cluster of servers (18 nodes) and over the last week the mail
spools skyrocketed to process around 80,000+ emails per node. (There are
hundreds of domains hosted.)


Spamassassin is set to DB for accounts to filter as well as storing 
whitelistfrom functions.


Tonight I found an account with 22,200 entries of text:
„ÿÿ2Œÿÿi¡Øü>21Ë;11‚?:?5ÿÿÿ�ÿÿÿ�ÿÿÿ�ÿÿÿ�ÿÿÿ�†ºáŠI¨ÿÿ?†Ðÿÿ˃ÿÿ´FÿÿˆÿÿêÎÿÿìÒÿüæÌÿÿðÛÿÿñßÿÿóâÿÿõçÿÿ÷íÿÿ

I was hoping for input on whether this was an inserted exploit to
whitelist basically everything inbound to the domain (72,000 email
accounts serviced for the domain in question), or if it is just a rule
that got corrupted and replicated.


Any info would be greatly appreciated.

Jeff


Too false negative

2008-02-26 Thread Rocco Scappatura
Hello,

For some days the number of SMTP connections rejected by my server has
increased (maybe doubled). That doesn't worry me. But there is a side
effect: the number of false negatives has increased too.

For example, at the moment a spam message with these headers is considered
clean by Amavisd-new-2.5.3+SpamAssassin-3.2.4:

Received: from  ([]) by ntfi10.hq.ignesti.it with
Microsoft SMTPSVC(6.0.3790.3959); Tue, 26 Feb 2008 08:09:48 +0100
Received: from localhost (localhost [127.0.0.1]) by  (Postfix)
with ESMTP id 9D8E775037D; Tue, 26 Feb 2008 08:09:48 +0100 (CET)
MIME-Version: 1.0
Content-Type: multipart/alternative;
 boundary="_=_NextPart_004_01C87846.932E4D28"
Received: from  ([127.0.0.1]) by localhost (av4.stt.vir
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id kgXmlG1zg5ao; Tue,
26 Feb 2008 08:09:46 +0100 (CET)
X-MimeOLE: Produced By Microsoft Exchange V6.5
Received: from [125.128.59.158] (unknown [125.128.59.158]) by 
(Postfix) with ESMTP id 9CF34750371; Tue, 26 Feb 2008 08:09:45 +0100
(CET)
Received: from [125.128.59.158] by dator.plaahn.com; Tue, 26 Feb 2008
16:38:13 +0900
Content-class: urn:content-classes:message
Subject: Comprate la forza per il pene, e salvate 85 %.
Date: Tue, 26 Feb 2008 08:38:13 +0100
Message-ID: <[EMAIL PROTECTED]>
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
Thread-Topic: Comprate la forza per il pene, e salvate 85 %.
Thread-Index: Aca6QAN67HSGN9YGB40WPNS14XFFVQ==
From: "Wesley Hutchinson" <[EMAIL PROTECTED]>
To: "Mosconi Raoul" 

I use a PRE-LISTING:

reject_rbl_client zen.spamhaus.org
reject_rbl_client list.dsbl.org

And I update SA ruleset regularly with rules_du_jour and sa-update.

What do I have to do to make my system more reliable?

Thanks in advance,

rocsca


rule checking environment variable

2008-02-26 Thread Miguel Angel

Hello,
I am using spamassassin 3.2.3 with qmail and simscan. The problem I have is
that my authenticated SMTP users have some mails rejected because of a high
score. I know I can use another IP, not listed in the MX of the domains, to
create a server with required authentication where I would not scan for spam
(and make my users send with that), but I would like to find another
solution. I would like to create a spamassassin rule with a -100 score that
searches for an environment variable, but I have not found anything about
that in the page|wiki|mailing-list. Is that possible to do? When qmail
authenticates the users it adds the variable SMTP_AUTH_USER, so when spamc
is launched from simscan this variable should still be there. I am now
using whitelist_from [EMAIL PROTECTED], but it is not a good idea because
many spammers change the "From" address domain to be the same as the
RCPT TO.


Best Regards,
Miguel Angel.


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Anthony Peacock

Hi Justin,

Justin Mason wrote:

> Jason Haar writes:
>
> > Anthony Peacock wrote:
> >
> > > I have had a look around the http://www.habeas.com/ website and can't
> > > really see how to check the company in question, or make a complaint.
> > > There is a form for asking them to ask the company to remove these
> > > addresses from their mailing list, but I don't want to have to do
> > > that, I want to complain about the company.
> >
> > This is a "me too". I had the same problem and came to exactly the same
> > conclusion: there's no way I could find to notify them that one of their
> > supposedly squeaky-clean customers is sending spam. I'm pushing their
> > score down to 0 too.
>
> No way you could find?  look harder guys ;)
>
> at the top of www.habeas.com, 'Support', then 'Give Feedback on Habeas
> Certified Senders' brings you to this page:
>
>   http://www.habeas.com/en-US/Company_Feedback.php
>
> That page says you can also just forward it to complaints /at/ habeas.com.

I did find that page, but got hung up on the bit that says, "Please ask
the Sender to unsubscribe me from this email list. I understand Habeas
cannot guarantee I will be unsubscribed."  Which, in my hurry to get to
a meeting this morning, made me assume that this was just another
mechanism to implement unsubscribing, and not a proper complaint procedure.

I will actually report the emails that I have got.  But I think I am
going to disable all the HABEAS rules anyway.

> 'HABEAS_ACCREDITED_COI' is supposed to require confirmed opt-in.  They
> should LART these senders with a big stick.

Agreed!


--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study at CHIME in 2008. http://www.chime.ucl.ac.uk/study-health-informatics/


Lots Of SPAM

2008-02-26 Thread Tarak Ranjan
Hi List,
I have posted my RAW email at http://pastebin.ca/918849 .
I'm receiving 1000 to 4000 messages of this kind per day.
SA is also skipping this kind of mail.

/
TArak




Re: Hotmail DCC listed ???

2008-02-26 Thread Michael Scheidell
'hotmail' isn't listed in DCC.
DCC only scores on fuzzy checksums of the body and portions of the headers.
Also, DCC is NOT a 100% 'spam score'.  DCC is a 'bulk email' score.

Even well-run technical mailing list emails are SUPPOSED to score high with
DCC (it's 'bulk').  Read the DCC documents on whitelisting your bulk email
marketing lists.

However, interestingly enough, you have FORGED_HOTMAIL_RCVD. Did someone
send an email from a non-hotmail source using a hotmail email address?

And, interestingly enough, SCREAMED AT YOU IN THE SUBJECT LINE?
Was it 'spam', or was it a 'bulk' email?


-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBsd SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium

_
This email has been scanned and certified safe by SpammerTrap(tm). 
For Information please see http://www.spammertrap.com
_


Re: Hotmail DCC listed ???

2008-02-26 Thread Rejaine Monteiro





Here is...


===
Received: from bay0-omc2-s37.bay0.hotmail.com (65.54.246.173)
  by myserver.mydomain with SMTP; 24 Feb 2008 20:34:41 -0300
Received-SPF: pass (myserver.mydomain: SPF record at spf-a.hotmail.com
designates 65.54.246.173 as permitted sender)
Received: from BAY136-W10 ([65.55.141.45]) by
bay0-omc2-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Sun, 24 Feb 2008 15:34:37 -0800
Message-ID: <[EMAIL PROTECTED]>
Return-Path: [[EMAIL PROTECTED]
Content-Type: multipart/mixed;
    boundary="_09a8dc75-6268-44df-9651-699be18c9064_"
X-Originating-IP: [189.27.208.XXX]
From: [SENDER] <[EMAIL PROTECTED]>
To: <[user]@mydomain>
Subject: Test 123
Date: Sun, 24 Feb 2008 23:34:36 +
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 24 Feb 2008 23:34:37.0480 (UTC)
FILETIME=[D1B0E280:01C8773D]

--_09a8dc75-6268-44df-9651-699be18c9064_
Content-Type: multipart/alternative;
    boundary="_15d4da47-3ecf-4c36-a260-a489d560834e_"

--_15d4da47-3ecf-4c36-a260-a489d560834e_
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

===

--[ UxBoD ]-- wrote:

> we would need to see the full headers.
>
> Regards,





Re: Hotmail DCC listed ???

2008-02-26 Thread Rejaine Monteiro





Sorry,

The original subject was "TESTE_CAXIAS" (in Portuguese and all capitals).

Rejaine Monteiro wrote:

> Here is...
>
> ===
> Received: from bay0-omc2-s37.bay0.hotmail.com (65.54.246.173)
>   by myserver.mydomain with SMTP; 24 Feb 2008 20:34:41 -0300
> Received-SPF: pass (myserver.mydomain: SPF record at spf-a.hotmail.com
> designates 65.54.246.173 as permitted sender)
> Received: from BAY136-W10 ([65.55.141.45]) by
> bay0-omc2-s37.bay0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
>  Sun, 24 Feb 2008 15:34:37 -0800
> Message-ID: <[EMAIL PROTECTED]>
> Return-Path: [[EMAIL PROTECTED]
> Content-Type: multipart/mixed;
>     boundary="_09a8dc75-6268-44df-9651-699be18c9064_"
> X-Originating-IP: [189.27.208.XXX]
> From: [SENDER] <[EMAIL PROTECTED]>
> To: <[user]@mydomain>
> Subject: Test 123
> Date: Sun, 24 Feb 2008 23:34:36 +
> Importance: Normal
> MIME-Version: 1.0
> X-OriginalArrivalTime: 24 Feb 2008 23:34:37.0480 (UTC)
> FILETIME=[D1B0E280:01C8773D]
>
> --_09a8dc75-6268-44df-9651-699be18c9064_
> Content-Type: multipart/alternative;
>     boundary="_15d4da47-3ecf-4c36-a260-a489d560834e_"
>
> --_15d4da47-3ecf-4c36-a260-a489d560834e_
> Content-Type: text/plain; charset="iso-8859-1"
> Content-Transfer-Encoding: quoted-printable
>
> ===





Re: Lots Of SPAM

2008-02-26 Thread Luis Hernán Otegui
Hi, tarak

2008/2/26, Tarak Ranjan <[EMAIL PROTECTED]>:
> Hi List,
>  i have posted my RAW email in http://pastebin.ca/918849 ,
>  i'm receiving 1000 to 4000 per day this kind of messages.
>  SA also skipping this kind of mails
>
>  /

Well, I get a beautiful BAYES_99 on the mail you've shown. You should
tell us more about your setup. Which SA version, how is it running, do
you use sa-update? Also, you should report the message to
razor/pyzor/spamcop. That'll help too.
>
> TArak
>
>
>
Regards,

Luis
-- 
-
GNU-GPL: "May The Source Be With You...
Linux Registered User #448382.
When I grow up, I wanna be like Theo...
-


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Michael Scheidell
> From: Anthony Peacock <[EMAIL PROTECTED]>
> Date: Tue, 26 Feb 2008 08:49:11 +
> To: SpamAssassin Users 
> Subject: HABEAS_ACCREDITED_COI
> 
> Hi,
> 
> I have just received a number of spam emails which got through the
> filtering system because they hit the HABEAS_ACCREDITED_COI rule, which
> gives them -8.  They all came to role-based addresses that are never used
> for outgoing emails and would certainly never be subscribed to opt-in
> email lists.

For our corporate servers, we have turned this off (I personally get too much
spam sent to one of my unpublished email addresses from 'habeas' certified
senders).

For our hosted and email appliance clients, we leave the option 'off' for
just the same reason.

Habeas is ONLY used on marketing emails.  And, obviously, not just on 'opt-in'
emails.  Also, obviously from their web site, their first suggestion is
'listwashing', rather than 'clientwashing', which is what they should do.
It happens when 100% of your customers are 'bulk/email marketing' companies.

When they change, we will modify it.

Set score to 0 in local.cf
score HABEAS_ACCREDITED_COI 0
score HABEAS_ACCREDITED_SOI 0
score HABEAS_CHECKED 0

At the very least, just account for a high bayes or razor score.
score HABEAS_ACCREDITED_COI -1.0
score HABEAS_ACCREDITED_SOI -0.5
score HABEAS_CHECKED 0


-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBsd SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium

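The two local.cf alternatives in the post (neutralise the HABEAS rules, or soften them) change a message's verdict in ways that are easiest to see by re-scoring a real report. The script below is an added example, not code from the post or from SpamAssassin: it parses the "Content analysis details" table SpamAssassin prints, applies `score` lines in local.cf syntax, and reports the resulting total and verdict. The report it works on is constructed for illustration; only the HABEAS rule names and the -8 value come from the thread, every other rule, value and description is made up. Only the single-value `score RULE value` form is handled; the four-value form (which SpamAssassin picks from depending on the Bayes/network set in use) is not modelled.

```python
"""Re-score a SpamAssassin report under alternative rule scores (added example)."""
import re

# Constructed sample report in SpamAssassin's "Content analysis details" layout.
SAMPLE_REPORT = """\
Content analysis details:   (-2.7 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-8.0 HABEAS_ACCREDITED_COI  Habeas accredited confirmed opt-in sender (constructed)
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 0.9998]
 1.0 SUBJ_ALL_CAPS          Subject is all capitals
 0.3 HTML_MESSAGE           BODY: HTML included in message
 0.5 RAZOR2_CHECK           Listed in Razor2 (constructed)
"""

# The two alternatives suggested in the post, in local.cf syntax.
NEUTRAL = """\
score HABEAS_ACCREDITED_COI 0
score HABEAS_ACCREDITED_SOI 0
score HABEAS_CHECKED 0
"""
SOFTENED = """\
score HABEAS_ACCREDITED_COI -1.0
score HABEAS_ACCREDITED_SOI -0.5
score HABEAS_CHECKED 0
"""

# A rule line starts with the applied points followed by the rule name;
# continuation lines such as "[score: 0.9998]" do not match.
RULE_LINE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\b")
# Single-value "score RULE value" lines only (see lead-in).
SCORE_LINE = re.compile(r"^\s*score\s+(\S+)\s+(-?\d+(?:\.\d+)?)")
REQUIRED = re.compile(r"\(\s*-?[\d.]+ points,\s*([\d.]+) required\)")


def parse_report(text):
    """Return ({rule: points_applied}, required_score) from a report table."""
    hits = {}
    for line in text.splitlines():
        m = RULE_LINE.match(line)
        if m:
            hits[m.group(2)] = float(m.group(1))
    req = REQUIRED.search(text)
    required = float(req.group(1)) if req else 5.0   # SpamAssassin's default
    return hits, required


def parse_score_lines(cf_text):
    """Return {rule: new_score} from local.cf-style score lines."""
    overrides = {}
    for line in cf_text.splitlines():
        m = SCORE_LINE.match(line)
        if m:
            overrides[m.group(1)] = float(m.group(2))
    return overrides


def rescore(hits, overrides, required):
    """Total the report with overrides applied; verdict is 'spam' at or above required."""
    total = round(sum(overrides.get(rule, pts) for rule, pts in hits.items()), 2)
    return total, ("spam" if total >= required else "ham")


if __name__ == "__main__":
    hits, required = parse_report(SAMPLE_REPORT)
    for label, cf in (("as shipped", ""), ("neutral", NEUTRAL), ("softened", SOFTENED)):
        print(label, rescore(hits, parse_score_lines(cf), required))
```

On the constructed report the shipped scores give -2.7 (ham), neutralising the HABEAS rules gives 5.3 (spam), and the softened -1.0 variant gives 4.3 (still ham): the softened setting only catches a message once the rest of its score clears the threshold by about a point. Running it over a batch of your own reports shows which choice fits your traffic.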


Re: Lots Of SPAM

2008-02-26 Thread Tarak Ranjan

On Tue, 2008-02-26 at 10:28 -0200, Luis Hernán Otegui wrote:
> Hi, tarak
> 
> 2008/2/26, Tarak Ranjan <[EMAIL PROTECTED]>:
> > Hi List,
> >  i have posted my RAW email in http://pastebin.ca/918849 ,
> >  i'm receiving 1000 to 4000 per day this kind of messages.
> >  SA also skipping this kind of mails
> >
> >  /
> 
> Well, I get a beautiful BAYES_99 on the mail you've shown. You should
> tell us more about your setup. Which SA version, how is it running, do
> you use sa-update? Also, you should report the message to
> razor/pyzor/spamcop. That'll help too.

QMAIL+SA[SpamAssassin version 3.1.4]+CLAMD





Re: google running an open relay?

2008-02-26 Thread Michael Scheidell
> From: Chris <[EMAIL PROTECTED]>
> Date: Mon, 25 Feb 2008 21:31:57 -0600
> To: 
> Subject: Re: google running an open relay?
> 
> I received the below from Google ref one of my spam reports, some content has
> been snipped:
> 
> Thank you for your note. This is an automated reply. If you're reporting a
> spam email with a Google return address, please be assured that it did not
> originate with Google. Google does not permit others to send unsolicited
> email through its mail servers.

[snip]
> If this was too much information, my apologies
> 
So, bottom line, either they are running an open relay (since we can 'be
assured that it did not originate with Google'), or they lie.

I guess with a company the size of Google, we will be forced to eat our spam
and love it.

Reminds me of the droidbot responses I got from yahoo with DKIM signed email
originating with yahoo telling me that the email didn't come from yahoo.

Too bad yahoo and google are too high and mighty to actually care about spam
complaints.

(anyone here been on the net long enough to remember the 'bimbo' usenet
spams? What was the name of that big famous company that refused to deal
with them? Sorry, I don't remember, they aren't around anymore)


-- 
Michael Scheidell, CTO
>|SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBsd SpamAssassin Ports maintainer
Charter member, ICSA labs anti-spam consortium




Re: Hotmail DCC listed ???

2008-02-26 Thread Rejaine Monteiro



Michael Scheidell wrote:

> However, interestingly enough, you have FORGED_HOTMAIL_RCVD. Did someone
> send an email from a non-hotmail source using a hotmail email address?

No, the message was sent from the hotmail site (www.hotmail.com).

> And, interestingly enough, SCREAMED AT YOU IN THE SUBJECT LINE?
> Was it 'spam', or was it a 'bulk' email?

Yes.. The subject is in capitals.. OK, I agree with the "1.0 SUBJ_ALL_CAPS" score..

But I do not agree with the "2.3 FORGED_HOTMAIL_RCVD" score, because the
message comes from Hotmail...






AWL problem. Assigning very low scores to spam.

2008-02-26 Thread Stefan `Sec` Zehl
Hi,

I'm having trouble with the AWL of Spamassassin.

The AWL is acting seriously wrong. I get some spam with my own address
in the "From:" header, and the AWL assigns ridiculous scores to it.

I have quite a few cronjobs running which send mail with the same
"From"-address on my local machine but that shouldn't extend to external
Mails (at least, I hope).

To aid in debugging I have completely removed the auto-whitelist file in
my ~/.spamassassin. A few minutes later, the database looks like this:

| ice:~/.spamassassin>date
| Tue Feb 26 10:27:45 CET 2008
| ice:~/.spamassassin>dbedit -p auto-whitelist|grep '[EMAIL PROTECTED]'
| [EMAIL PROTECTED]|ip=83.2391
| [EMAIL PROTECTED]|ip=none|totscore -99.133
| [EMAIL PROTECTED]|ip=83.239|totscore   9.14
| [EMAIL PROTECTED]|ip=none  2

which looks plausible to me.

But three hours later, the first spam gets through again. The database
now looks like this:

| ice:~/.spamassassin>date  
| Tue Feb 26 13:35:05 CET 2008
| ice:~/.spamassassin>dbedit -p auto-whitelist|grep '[EMAIL PROTECTED]'
| [EMAIL PROTECTED]|ip=117.475
| [EMAIL PROTECTED]|ip=117.47|totscore   -188.926

Why is this happening? Can This be fixed? Or do I have to turn AWL
completely off because it is broken by design?

CU,
Sec
-- 
A bureaucracy is like a computer program.  Usually, the question is
how to arrange it so that what you want is composed of operations that
the bureaucracy supports.  In addition, in any bureaucracy, there is
always *someone* whose job is to approve violations of the rules.


Re: Hotmail DCC listed ???

2008-02-26 Thread Michael Scheidell

Rejaine Monteiro wrote:

> But I do not agree with the "2.3 FORGED_HOTMAIL_RCVD" score, because
> the message comes from Hotmail...

Go to bugzilla for spamassassin.  Fill out a report for
FORGED_HOTMAIL_RCVD (posting to the SA list won't help any).
If you are NOT running SA 3.2.4, upgrade.  If you are NOT running
sa-update, run it.

hotmail changes their servers like boy george changes eye liner.  Unless
you keep up with them, you will get FP's.

If you can't upgrade, set the score to 0.


--
Michael Scheidell, CTO
Main: 561-999-5000, Office: 561-939-7259
> *| *SECNAP Network Security Corporation
Winner 2008 Technosium hot company award.
www.technosium.com/hotcompanies/ 




Re: Lots Of SPAM

2008-02-26 Thread Andrew Hearn
Tarak Ranjan wrote:
> > Hi List,
> > i have posted my RAW email in http://pastebin.ca/918849 ,
> > i'm receiving 1000 to 4000 per day this kind of messages.
> > SA also skipping this kind of mails
> >
> > /
> > TArak
> >
> >

I get 8.2 without Bayes...

 1.5 IXHASH2                BODY: mail has been classified as spam @
                            LogIn&Solutions AG, Germany
 0.0 CLAMAV                 Clam AntiVirus detected something...
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 0.2 RDNS_NONE              Delivered to trusted network by a host with
                            no rDNS
 2.5 CLAMAV_SANESPAM        found by ClamAV SaneSecurity signatures

(JM_SOUGHT was talked about earlier in the list)

Andrew.



Re: Lots Of SPAM

2008-02-26 Thread --[ UxBoD ]--
Hi,

I score it as follows :-

Content analysis details:   (23.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 3.5 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=121.23.229.225,nordns]
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 4.0 JM_SOUGHT_1            JM_SOUGHT_1
 2.5 KAM_PICS               Share Pictures and Chat SPAM
 4.0 JM_SOUGHT_3            JM_SOUGHT_3
 4.0 JM_SOUGHT_2            JM_SOUGHT_2

so take a look at http://wiki.apache.org/spamassassin/SoughtRules

Regards,

-- 
--[ UxBoD ]--
// PGP Key: "curl -s http://www.splatnix.net/uxbod.asc | gpg --import"
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- "Tarak Ranjan" <[EMAIL PROTECTED]> wrote:

> Hi List,
> i have posted my RAW email in http://pastebin.ca/918849 ,
> i'm receiving 1000 to 4000 per day this kind of messages.
> SA also skipping this kind of mails
> 
> /
> TArak




Re: Exploit or artifact?

2008-02-26 Thread Loren Wilton
I got one of something like that tonight.  Clearly foreign language, and got 
tagged for around 20 points by my system.  Looks like a Russian spam run or 
the like starting.


   Loren



Re: Lots Of SPAM

2008-02-26 Thread Loren Wilton

> Hi List,
> i have posted my RAW email in http://pastebin.ca/918849 ,
> i'm receiving 1000 to 4000 per day this kind of messages.
> SA also skipping this kind of mails

"Nice girl" spam.  Look in the archives over the last week, those were
discussed a lot and several rules posted for them.


   Loren



Re: Hotmail DCC listed ???

2008-02-26 Thread Rejaine Monteiro


Michael Scheidell wrote:

> hotmail changes their servers like boy george changes eye liner.
> unless you keep up with them, you will get FP's
>
> If you can't upgrade, set score to 0.

I'm running spamassassin 3.1.7 and use sa-update, but an upgrade is not
possible for now ...
So, I will score FORGED_HOTMAIL_RCVD to 0...  Anyway, Hotmail has an SPF
entry; that will have to be enough.



Thank you !



Re: AWL problem. Assigning very low scores to spam.

2008-02-26 Thread Matt Kettler

Stefan `Sec` Zehl wrote:

> Hi,
>
> I'm having trouble with the AWL of Spamassassin.
>
> The AWL is acting seriously wrong. I get some spam with my own address
> in the "From:" header, and the AWL assigns ridiculous scores to it.

Any chance you have a broken trust path? (ie: does ALL_TRUSTED ever fire
off on outside email?)





Re: Too false negative

2008-02-26 Thread Matt Kettler

Rocco Scappatura wrote:

> Hello,
>
> Since some days the number of SMTP connections rejected by my server is
> increased (maybe doubled). It doesn't worry me. But there is a side
> effect because even the number of false negative is increased.
>
> For example, at the moment a spam message with this header is considered
> clean by Amavisd-new-2.5.3+SpamAssassin-3.2.4:
>
> How I have to do to make my system more reliable?

The provided information isn't sufficient. Can you post the
X-Spam-Status for one of the affected emails?

To try to figure out why SA is scoring one way or another, we generally
need either a whole message, not just headers, or at the very least the
output that SpamAssassin generated for it.

Or is the point here that no SA analysis was run at all?



  





Re: [OT] Yahoo Deferred

2008-02-26 Thread Randy Ramsdell

Matt wrote:

> > Is anyone else having issues sending mail to Yahoo?
>
> Yes.  I have heard using Domainkeys or DKIM helps greatly?  Is that
> true?  We have not implemented it yet but do use SPF records which are
> much easier to implement with Exim or any MTA and do mostly the same
> thing if you ask me.
>
> Matt

We use Domainkeys and have used the newer DKIM and spf records and it
does not work with yahoo.


Re: AWL problem. Assigning very low scores to spam.

2008-02-26 Thread Stefan `Sec` Zehl
Hi,

On Tue, Feb 26, 2008 at 08:38 -0500, Matt Kettler wrote:
> Stefan `Sec` Zehl wrote:
> >The AWL is acting seriously wrong. I get some spam with my own address
> >in the "From:" header, and the AWL assigns ridiculous scores to it.
> Any chance you have a broken trust path? (ie: does ALL_TRUSTED ever fire 
> off on outside email?)

I'm not sure how I can check that...

Until a few days ago I had no "trusted_networks" in my config. After
googling around I set "trusted_networks 194.77.85.2/27" in my
user_prefs. But that has not changed anything as far as I can tell.

But you may be on to something. I found Mails in my spam-folder which
have ALL_TRUSTED set. Running such a message through
spamassassin -D -L -t produces this:

| [50155] dbg: conf: internal_networks not configured, using trusted_networks 
configuration for internal_networks; if you really want internal_networks to 
only contain the required 127/8 add 'internal_networks !0/0' to your 
configuration
| [50155] dbg: received-header: could not parse IPv4 address, assuming IPv6
| [50155] dbg: received-header: parsed as [ ip=195.4.92.23 rdns= 
helo=13.mx.freenet.de by=mout4.freenet.de ident= [EMAIL PROTECTED] intl=0 
id=1JTxOR-0002Vk-38 auth=esmtpa msa=0 ]
| [50155] dbg: received-header: relay 195.4.92.23 trusted? yes internal? yes 
msa? no
| [50155] dbg: received-header: parsed as [ ip=82.128.34.27 rdns= helo=User 
by=13.mx.freenet.de ident= envfrom= intl=0 id=1JTxOO-0005uv-2T auth=esmtpa 
msa=0 ]
| [50155] dbg: received-header: relay 82.128.34.27 trusted? yes internal? yes 
msa? no
| [50155] dbg: metadata: X-Spam-Relays-Trusted: [ ip=195.4.92.23 rdns= 
helo=13.mx.freenet.de by=mout4.freenet.de ident= [EMAIL PROTECTED] intl=1 
id=1JTxOR-0002Vk-38 auth=esmtpa msa=0 ] [ ip=82.128.34.27 rdns= helo=User 
by=13.mx.freenet.de ident= envfrom= intl=1 id=1JTxOO-0005uv-2T auth=esmtpa 
msa=0 ]
| [50155] dbg: metadata: X-Spam-Relays-Untrusted: 
| [50155] dbg: metadata: X-Spam-Relays-Internal: [ ip=195.4.92.23 rdns= 
helo=13.mx.freenet.de by=mout4.freenet.de ident= [EMAIL PROTECTED] intl=1 
id=1JTxOR-0002Vk-38 auth=esmtpa msa=0 ] [ ip=82.128.34.27 rdns= helo=User 
by=13.mx.freenet.de ident= envfrom= intl=1 id=1JTxOO-0005uv-2T auth=esmtpa 
msa=0 ]

This is clearly wrong. But why?

The Received-Headers of this example Mail look like this:

| Received: from mout4.freenet.de (mout4.freenet.de [IPv6:2001:748:100:40::2:6])
| (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
| (No client certificate requested)
| by ice.42.org (Postfix) with ESMTPS id D189AB85A
| for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008 11:51:08 +0100 (CET)
| Received: from [195.4.92.23] (helo=13.mx.freenet.de)
| by mout4.freenet.de with esmtpa (Exim 4.69)
| (envelope-from <[EMAIL PROTECTED]>)
| id 1JTxOR-0002Vk-38; Tue, 26 Feb 2008 11:50:39 +0100
| Received: from [82.128.34.27] (port=1797 helo=User)
| by 13.mx.freenet.de with esmtpa (ID [EMAIL PROTECTED]) (port 25) (Exim 4.69 #10)
| id 1JTxOO-0005uv-2T; Tue, 26 Feb 2008 11:50:38 +0100


CU,
Sec
-- 
Procmail looks to me like an explosion at an ASCII factory.


RE: Too false negative

2008-02-26 Thread Rocco Scappatura
> > Since some days the number of SMTP connections rejected by my server
> > is increased (maybe doubled). It doesn't worry me. But there is a side
> > effect because even the number of false negatives is increased.
> >
> > For example, at the moment a spam message with this header is
> > considered clean by Amavisd-new-2.5.3+SpamAssassin-3.2.4:
> >
> >
> > What do I have to do to make my system more reliable?
> >
> The provided information isn't sufficient. Can you post the
> X-Spam-Status for one of the affected emails?

Sorry, it was not the case to send the entire email. Here is the
X-Spam-Status after running the message against 'spamassassin -D':

X-Spam-Status: Yes, score=11.2 required=5.0
tests=AWL,BAYES_50,HTML_MESSAGE,RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,URIBL_OB_SURBL,URIBL_SC_SURBL
autolearn=unavailable version=3.2.4

But it is really strange: in the amavisd-new log I see that the message is
passed as clean:

Feb 26 08:09:48 av4 amavis[18267]: (18267-12) Passed CLEAN,
[125.128.59.158] [125.128.59.158] <[EMAIL PROTECTED]> ->
>,>,>,
Message-ID: <[EMAIL PROTECTED]>, mail_id: kgXmlG1zg5ao,
Hits: 3.558, size: 3731, queued_as: 9D8E775037D, 2132 ms

rocsca


Re: rule checking environment variable

2008-02-26 Thread Miguel Angel

Rick Macdougall wrote:

> Miguel Angel wrote:
>
>> Hello,
>> I am using spamassassin 3.2.3 with qmail and simscan. The problem I
>> have is that my authenticated SMTP users have some mails rejected
>> because of a high score. I know I can use another IP not listed in the
>> MX of the domains to create a server with required authentication
>> where I should not scan for spam (and make my users send with that),
>> but I would like to look for another solution. I would like to create
>> a spamassassin rule with a -100 score that searches for an environment
>> variable, but I have not found anything about that in the
>> page|wiki|mailing-list. Is that possible to do? When qmail
>> authenticates the users it adds the variable SMTP_AUTH_USER, so when
>> spamc is launched from simscan this variable should still be there. I
>> am now using whitelist_from [EMAIL PROTECTED] but it is not a good
>> idea because many spammers change the "From" address domain to be the
>> same as the RCPT TO.
>
> Hi,
>
> The latest versions of simscan will not run spamc on email where
> RELAYCLIENT is set.  This can happen via smtp auth or via tcp.smtp.
>
> You might want to take this over to the simscan mailing list and post
> your ./configure options so we can help you figure out why it is
> scanning smtp auth users.
>
> Regards,
>
> Rick

Hi,

I have read about this in the README file (I am using the latest simscan
version), but the way to configure this is by changing the tcp.smtp. I am
using this smtp to receive mail; it is the MX of many domains. If I
deactivate simscan on it, I will lose spamassassin and clamav scanning on
received mails too. On the mailing list of John Simpson's combined patch
to qmail, some users told me I should create another smtp server on
another ip/port, force smtp auth there, disable spamassassin on it and
give it to my users to send mail from, but I would like to know if I
could avoid that solution.

Regards,
Miguel Angel.


Re: rule checking environment variable

2008-02-26 Thread Rick Macdougall

Miguel Angel wrote:

> Hello,
> I am using spamassassin 3.2.3 with qmail and simscan. The problem I
> have is that my authenticated SMTP users have some mails rejected
> because of a high score. I know I can use another IP not listed in the
> MX of the domains to create a server with required authentication
> where I should not scan for spam (and make my users send with that),
> but I would like to look for another solution. I would like to create
> a spamassassin rule with a -100 score that searches for an environment
> variable, but I have not found anything about that in the
> page|wiki|mailing-list. Is that possible to do? When qmail
> authenticates the users it adds the variable SMTP_AUTH_USER, so when
> spamc is launched from simscan this variable should still be there. I
> am now using whitelist_from [EMAIL PROTECTED] but it is not a good
> idea because many spammers change the "From" address domain to be the
> same as the RCPT TO.



Hi,

The latest versions of simscan will not run spamc on email where 
RELAYCLIENT is set.  This can happen via smtp auth or via tcp.smtp.


You might want to take this over to the simscan mailing list and post 
your ./configure options so we can help you figure out why it is 
scanning smtp auth users.


Regards,

Rick



Re: Email with no "hits" and "required"

2008-02-26 Thread Massimiliano Marini
Any hint about it?

Might it depend on the older version of qmail-scanner (1.25-st-qms)?

--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
"It's easier to invent the future than to predict it."  -- Alan Kay


Re: Email with no "hits" and "required"

2008-02-26 Thread Randy Ramsdell

Massimiliano Marini wrote:

> System: Debian with Qmail + QmailScanner + SpamAssassin + ClamAV
> Installation: qmailrocks.org
>
> I've updated SA (original from qmailrocks.org 3.0.2) to 3.2.4
> my locale.cf is :
>
> rewrite_header Subject *SPAM*
> report_safe 0
> required_score 4
> required_hits 5
> use_bayes 1
>
> Question 1. The email is still tagged like this:
>
> Received: from  ... [snip] ... with qmail-scanner-1.25-st-qms
> (clamdscan: 0.83/705. spamassassin: 3.0.2. perlscan: 1.25-st-qms.
> ^^
> I've updated to 3.2.4
> spamd -V :
> SpamAssassin Server version 3.2.4
>   running on Perl 5.8.4

I can only guess that you still have two versions of spamassassin
installed. I would search the disk for multiple copies of
spamd/spamc/spamassassin and remove the older version. Also remember
that spamassassin probably runs as non-root or at least, it should.

> Question 2. And some email have this tag
>
> X-Spam-Status: No, hits=? required=?
>
> Why?
>
> Cheers
> --
> Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
> "It's easier to invent the future than to predict it."  -- Alan Kay




Re: rule checking environment variable

2008-02-26 Thread Rick Macdougall

Miguel Angel wrote:

>> The latest versions of simscan will not run spamc on email where
>> RELAYCLIENT is set.  This can happen via smtp auth or via tcp.smtp.
>>
>> You might want to take this over to the simscan mailing list and post
>> your ./configure options so we can help you figure out why it is
>> scanning smtp auth users.
>>
>> Regards,
>>
>> Rick
>
> Hi,
>
> I have read about this in the README file (I am using the latest simscan
> version), but the way to configure this is by changing the tcp.smtp. I am
> using this smtp to receive mail; it is the MX of many domains. If I
> deactivate simscan on it, I will lose spamassassin and clamav scanning on
> received mails too. On the mailing list of John Simpson's combined patch
> to qmail, some users told me I should create another smtp server on
> another ip/port, force smtp auth there, disable spamassassin on it and
> give it to my users to send mail from, but I would like to know if I
> could avoid that solution.




The configuration of simscan is all that is needed.  There are no 
changes to tcp.smtp.


All that will happen with a correctly configured simscan is that email 
from authenticated users will not be run through spamd, it will still be 
run through clamav if configured.


All other email will be scanned as usual.

Regards,

Rick


RE: Lots Of SPAM

2008-02-26 Thread Randal, Phil
I use these rules.  Score as you see fit.  Mind the linebreaks...

body HC_GIRL /\bnice girl that would like to chat.{1,16}Email me at .{1,32}\.info.{1,120}\bpic(ture)?s\b/
describe HC_GIRL Girl with pics scam
score HC_GIRL 5

body HC_GIRL2 /I am (?:using|writing from) my friend's email/
describe HC_GIRL2 Girl with pics scam
score HC_GIRL2 5

Cheers,

Phil

--
Phil Randal
Network Engineer
Herefordshire Council
Hereford, UK  

> -Original Message-
> From: Tarak Ranjan [mailto:[EMAIL PROTECTED] 
> Sent: 26 February 2008 12:15
> To: Spamassassin
> Subject: Lots Of SPAM
> 
> Hi List,
> I have posted my RAW email at http://pastebin.ca/918849 ,
> I'm receiving 1000 to 4000 of this kind of messages per day.
> SA is also skipping this kind of mails
> 
> /
> TArak
> 
> 
> 
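As an added check that is not part of Phil's post, here is a small Python harness (my own code, not anything from SpamAssassin) that reads the two body rules above in their .cf form, compiles them, and runs them over constructed sample texts, so the bounded quantifiers and the `\b` anchors can be exercised before the rules go live. The rule file contents are copied from the post with the mail-wrapped whitespace restored; the sample messages, the whitespace-collapsing stand-in for SA's body rendering, and the one-rule-per-line parser are assumptions of this example.

```python
import re

# Constructed copy of the two body rules posted above, with the whitespace that
# the mail wrapping ate put back.  In a real setup they live in a local .cf file.
RULES_CF = r"""
body     HC_GIRL   /\bnice girl that would like to chat.{1,16}Email me at .{1,32}\.info.{1,120}\bpic(ture)?s\b/
describe HC_GIRL   Girl with pics scam
score    HC_GIRL   5

body     HC_GIRL2  /I am (?:using|writing from) my friend's email/
describe HC_GIRL2  Girl with pics scam
score    HC_GIRL2  5
"""

def parse_rules(cf_text):
    """Parse body/describe/score lines of a SpamAssassin-style .cf fragment.

    Returns {rule_name: {"re": compiled pattern or None, "score": float, "describe": str}}.
    Only the subset of the .cf syntax used by the rules above is handled.
    """
    rules = {}
    for raw in cf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, name, rest = line.split(None, 2)
        entry = rules.setdefault(name, {"re": None, "score": 1.0, "describe": ""})
        if kind == "body":
            # body rules are written /regex/flags; strip the delimiters
            m = re.fullmatch(r"/(.*)/([a-z]*)", rest)
            if m is None:
                raise ValueError(f"unsupported body pattern for {name}: {rest}")
            flags = re.IGNORECASE if "i" in m.group(2) else 0
            entry["re"] = re.compile(m.group(1), flags)
        elif kind == "describe":
            entry["describe"] = rest
        elif kind == "score":
            entry["score"] = float(rest)
    return rules

def rendered_body(body):
    """Simplified stand-in for SA's rendered body: whitespace and line breaks
    collapsed to single spaces, so a phrase split over two lines still matches."""
    return " ".join(body.split())

def check_body(body, rules):
    """Return (sorted list of rule names that hit, total score) for one message body."""
    text = rendered_body(body)
    hits = sorted(name for name, r in rules.items()
                  if r["re"] is not None and r["re"].search(text))
    return hits, float(sum(rules[n]["score"] for n in hits))

RULES = parse_rules(RULES_CF)

# Constructed samples: one message that should trip both rules, one ordinary
# message that uses several of the same words without the scam phrasing.
SPAM_SAMPLE = """Hello!
I am a nice girl that would like to chat with you.
Email me at lonely-dates.example.info and I will send you my pictures :)
I am using my friend's email because mine is broken."""

HAM_SAMPLE = """Hi team,
attaching the pictures from yesterday's chat session.
Email me at the office if the .info domain report needs more detail."""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        hits, score = check_body(sample, RULES)
        print(label, hits, score, [RULES[h]["describe"] for h in hits])
```

The ham sample is there on purpose: it contains "pictures", "chat", "Email me at" and ".info", and still scores zero, because HC_GIRL only fires when the whole scripted sentence appears in order within the bounded gaps. Tightening or loosening a `{1,N}` quantifier is best done with a pair of samples like these next to the rule.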


Problem related to spamcop.

2008-02-26 Thread Steven W. Orr
All of sudden, my ability to report email to spamcop has been impacted. 
I'm not doing anything differently.


I read my mail using alpine and I pipe my spam through the following 
script:


exec tee >(mail [EMAIL PROTECTED]) | sa-learn --spam

As of this morning I get the reports sent back to me saying the following. Is spamcop 
dead or am I doing something wrong?


Date: Tue, 26 Feb 2008 14:01:19 GMT
From: SpamCop AutoResponder <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: [SpamCop] Errors encountered

SpamCop encountered errors while saving spam for processing:
SpamCop could not find your spam message in this email:

Return-Path: <[EMAIL PROTECTED]>
Received: from sc-smtp2-bulkmx.soma.ironport.com
(sc-smtp2-bulkmx.soma.ironport.com [204.15.82.125])
by sc-app5.soma.ironport.com (Postfix) with ESMTP id 15613D471D6
for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008
05:58:33 -0800 (PST)
X-Fozzie-Original-To: [EMAIL PROTECTED]
Received: from saturn.syslang.net ([207.172.210.41])
  by vmx2.spamcop.net with ESMTP; 26 Feb 2008 05:58:32 -0800
Received: from saturn.syslang.net (localhost.localdomain [127.0.0.1])
by saturn.syslang.net (8.13.8/8.13.8) with ESMTP id m1QDwUFF017208
for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008
08:58:31 -0500
Received: (from [EMAIL PROTECTED])
by saturn.syslang.net (8.13.8/8.13.7/Submit) id m1QDwU7f017204
for [EMAIL PROTECTED]; Tue, 26 Feb 2008
08:58:30 -0500
Date: Tue, 26 Feb 2008 08:58:30 -0500
From: [EMAIL PROTECTED]
Message-Id: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Return-Path: <[EMAIL PROTECTED]>
Received: from rfkmemorial.org (acgg9.neoplus.adsl.tpnet.pl [83.9.234.9])
by saturn.syslang.net (8.13.8/8.13.8) with SMTP id m1Q6vI3R000999
for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008 01:57:20 -0500
Received: from rfkmemorial.org.s5a1.psmtp.com
by 83.9.234.9 (8.12.11/8.12.11) with ESMTP id Hp9aqaRMN2Lg
for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008 08:49:17 +0100
Received: from passamon ([213.150.210.8])
by rfkmemorial.org.s5a1.psmtp.com with ESMTP (Exim 4.05) id
WgMmFU3SsDQp
for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008 08:49:17 +0100
From: "Pearlie Warner" <[EMAIL PROTECTED]>
Reply-To: "Pearlie Warner" <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
Date: Tue, 26 Feb 2008 08:49:17 +0100
To: <[EMAIL PROTECTED]>
Subject: Pornstar calli cox anal fucked inobvious
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, hits=4.8 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
RCVD_IN_SORBS_DUL,RCVD_IN_XBL autolearn=no version=3.2.4
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on 
saturn.syslang.net




--
Time flies like the wind. Fruit flies like a banana. Stranger things have  .0.
happened but none stranger than this. Does your driver's license say Organ ..0
Donor?Black holes are where God divided by zero. Listen to me! We are all- 000
individuals! What if this weren't a hypothetical question?
steveo at syslang.net


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Per Jessen
Jason Haar wrote:

> Anthony Peacock wrote:
>>
>> I have had a look around the http://www.habeas.com/ website and can't
>> really see how to check the company in question, or make a complaint.
>> There is a form for asking them to ask the company to remove these
>> addresses from their mailing list, but I don't want to have to do
>> that, I want to complain about the company.
> This is a "me too". I had the same problem and came to exactly the
> same conclusion: there's no way I could find to notify them that one
> of their supposedly squeaky-clean customers is sending spam. I'm
> pushing their score down to 0 too.
> 

I've had HABEAS_ACCREDITED_SOI score 0.5 since mid-2007; they're not
really credible IMHO. 


/Per Jessen, Zürich



Re: Email with no "hits" and "required"

2008-02-26 Thread Massimiliano Marini
Hi Randy,

> I can only guess that you still have two versions of spamassasin 
> installed. I would search the disk for multiple copies of 
> spamd/spamc/spamassassin and remove the older version. Also remember 
> that spamassassin  probably runs as non-root or at least, it should.

I've searched the disk, but only one version of SA exists,
and /usr/bin/spamd runs as root:

-r-xr-xr-x   1 root root  27059 Feb 20 15:59 spamassassin
-r-xr-xr-x   1 root root 115226 Feb 20 15:59 spamc
-r-xr-xr-x   1 root root 102285 Feb 20 15:59 spamd

Any other idea?
--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
"It's easier to invent the future than to predict it."  -- Alan Kay


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Anthony Peacock

Hi,

Following up to myself...

Anthony Peacock wrote:

> Hi Justin,
>
> Justin Mason wrote:
>
>> Jason Haar writes:
>>
>>> Anthony Peacock wrote:
>>>> I have had a look around the http://www.habeas.com/ website and 
>>>> can't really see how to check the company in question, or make a 
>>>> complaint. There is a form for asking them to ask the company to 
>>>> remove these addresses from their mailing list, but I don't want to 
>>>> have to do that, I want to complain about the company.
>>> This is a "me too". I had the same problem and came to exactly the 
>>> same conclusion: there's no way I could find to notify them that one 
>>> of their supposedly squeaky-clean customers is sending spam. I'm 
>>> pushing their score down to 0 too.
>>
>> No way you could find?  look harder guys ;)
>>
>> at the top of www.habeas.com, 'Support', then 'Give Feedback on Habeas
>> Certified Senders' brings you to this page:
>>
>>   http://www.habeas.com/en-US/Company_Feedback.php
>>
>> That page says you can also just forward it to complaints /at/ 
>> habeas.com.
>
> I did find that page, but got hung up on the bit that says, "Please ask 
> the Sender to unsubscribe me from this email list. I understand Habeas 
> cannot guarantee I will be unsubscribed."  Which, in my hurry to get to 
> a meeting this morning, made me assume that this was just another 
> mechanism to implement unsubscribing, and not a proper complaint procedure.
>
> I will actually report the emails that I have got.  But I think I am 
> going to disable all the HABEAS rules anyway.


Looking into this more, I have disabled the HABEAS checks altogether 
(setting score to 0).  I did consider the suggestions about lowering the 
impact by setting the score to -0.5 or similar, but actually I don't 
like the concept of this service, and I would rather save the bandwidth 
and not do the checks altogether.


Thanks to everyone for their comments.

--
Anthony Peacock
CHIME, Royal Free & University College Medical School
WWW:http://www.chime.ucl.ac.uk/~rmhiajp/
Study at CHIME in 2008. http://www.chime.ucl.ac.uk/study-health-informatics/


SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)

2008-02-26 Thread Stefan `Sec` Zehl
Hi,

On Tue, Feb 26, 2008 at 14:56 +0100, Stefan `Sec` Zehl wrote:
>
[... on producing ALL_TRUSTED with these headers ...]
> 
> | Received: from mout4.freenet.de (mout4.freenet.de [IPv6:2001:748:100:40::2:6])
> | (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> | (No client certificate requested)
> | by ice.42.org (Postfix) with ESMTPS id D189AB85A
> | for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008 11:51:08 +0100 (CET)
> | Received: from [195.4.92.23] (helo=13.mx.freenet.de)
> | by mout4.freenet.de with esmtpa (Exim 4.69)
> | (envelope-from <[EMAIL PROTECTED]>)
> | id 1JTxOR-0002Vk-38; Tue, 26 Feb 2008 11:50:39 +0100
> | Received: from [82.128.34.27] (port=1797 helo=User)
> | by 13.mx.freenet.de with esmtpa (ID [EMAIL PROTECTED]) (port 25) (Exim 4.69 #10)
> | id 1JTxOO-0005uv-2T; Tue, 26 Feb 2008 11:50:38 +0100

I did some more tests with these headers.

They are unconditionally marked as trusted. The problem is the following
line from "spamassassin -D -L -t":

| [52994] dbg: received-header: could not parse IPv4 address, assuming IPv6

As soon as this line appears, sa trusts everything. No matter what you
set in trusted_networks or anywhere else. It doesn't even parse that
header at all (notice that there are only two "parsed as" lines):

| [53147] dbg: received-header: parsed as [ ip=195.4.92.23 rdns= helo=13.mx.freenet.de by=mout4.freenet.de ident= [EMAIL PROTECTED] intl=0 id=1JTxOR-0002Vk-38 auth=esmtpa msa=0 ]
| [53147] dbg: received-header: relay 195.4.92.23 trusted? yes internal? yes msa? no
| [53147] dbg: received-header: parsed as [ ip=82.128.34.27 rdns= helo=User by=13.mx.freenet.de ident= envfrom= intl=0 id=1JTxOO-0005uv-2T auth=esmtpa msa=0 ]
| [53147] dbg: received-header: relay 82.128.34.27 trusted? yes internal? yes msa? no

Replacing the "[IPv6:2001:748:100:40::2:6]" with "[1.2.3.4]", everything
is back to normal:

| [53033] dbg: received-header: parsed as [ ip=1.2.3.4 rdns=mout4.freenet.de helo=mout4.freenet.de by=ice.42.org ident= envfrom= intl=0 id=D189AB85A auth= msa=0 ]
| [53033] dbg: received-header: relay 1.2.3.4 trusted? no internal? no msa? no
| [53033] dbg: received-header: parsed as [ ip=195.4.92.23 rdns= helo=13.mx.freenet.de by=mout4.freenet.de ident= [EMAIL PROTECTED] intl=0 id=1JTxOR-0002Vk-38 auth=esmtpa msa=0 ]
| [53033] dbg: received-header: relay 195.4.92.23 trusted? no internal? no msa? no
| [53033] dbg: received-header: parsed as [ ip=82.128.34.27 rdns= helo=User by=13.mx.freenet.de ident= envfrom= intl=0 id=1JTxOO-0005uv-2T auth=esmtpa msa=0 ]
| [53033] dbg: received-header: relay 82.128.34.27 trusted? no internal? no msa? no


So it appears that SpamAssassin's IPv6 support is broken. Is there some config 
option I missed, or is the only solution to turn off IPv6 on my mailserver?

CU,
Sec
-- 
  "The General who in a hundred battles is always victorious is not as
  great as the one who achieves his objectives without fighting."
 -- Sun Tzu


Re: Problem related to spamcop.

2008-02-26 Thread Jari Fredriksson
> All of sudden, my ability to report email to spamcop has
> been impacted. I'm not doing anything differently.
> 
> I read my mail using alpine and I pipe my spam through
> the following script:
> 
> exec tee >(mail [EMAIL PROTECTED]) |
> sa-learn --spam 
> 
> As of this morning I get the reports sent back to me
> saying. Is spamcop dead or am I doing somthing wrong?
> 
> Date: Tue, 26 Feb 2008 14:01:19 GMT
> From: SpamCop AutoResponder <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: [SpamCop] Errors encountered
> 
> SpamCop encountered errors while saving spam for
> processing: 
> SpamCop could not find your spam message in this email:
> 

SpamCop needs the spam sent to them as an attachment. Your sample had no 
attachment, but the spam itself as the sent mail.

So it looks to me.
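As an added example of the distinction Jari draws (this is my own Python code, not part of either post and not SpamCop's or SpamAssassin's), the following builds a report whose spam is carried unchanged as a message/rfc822 attachment, builds the inline form that the `tee ... | mail` pipeline above produces for comparison, and shows what a receiver that looks only for an attached message recovers from each. The sample spam, the sender and the report address are constructed placeholders, and the real submission address would come from your own SpamCop account.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed sample of a spam as it sits in the mailbox (all names, hosts and
# ids are made up for this example).
RAW_SPAM = b"""Return-Path: <bounce@spammer.example>
Received: from mail.spammer.example (mail.spammer.example [192.0.2.10])
\tby mx.example.org (Postfix) with SMTP id ABC123
\tfor <victim@example.org>; Tue, 26 Feb 2008 01:57:20 -0500
From: "Someone" <someone@spammer.example>
To: <victim@example.org>
Subject: constructed spam sample
Date: Tue, 26 Feb 2008 08:49:17 +0100
Message-ID: <constructed-1@spammer.example>

Buy now. (constructed body)
"""

def build_report(raw_spam, sender, report_addr):
    """Report mail with a short text body plus the untouched spam attached as
    message/rfc822, the shape a receiver that expects an attached spam wants.
    Piping the spam straight into mail(1) instead makes it the report's own
    body, so such a receiver finds nothing attached."""
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = sender
    report["To"] = report_addr
    report["Subject"] = "spam report"
    report.set_content("Spam attached as message/rfc822; headers untouched.")
    spam = email.message_from_bytes(raw_spam, policy=policy.SMTP)
    # add_attachment() with an EmailMessage argument yields a message/rfc822 part
    report.add_attachment(spam)
    return report

def inline_forward(raw_spam, sender, report_addr):
    """The failing shape for comparison: the spam text pasted into the body."""
    report = EmailMessage(policy=policy.SMTP)
    report["From"] = sender
    report["To"] = report_addr
    report["Subject"] = "spam report"
    report.set_content(raw_spam.decode())
    return report

def attached_spam(report_bytes):
    """Receiver side: parse the report and return the embedded original spam,
    or None when no message/rfc822 attachment is present."""
    report = email.message_from_bytes(report_bytes, policy=policy.SMTP)
    for part in report.iter_attachments():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None

if __name__ == "__main__":
    # REPORT_ADDR is a placeholder for the per-account submission address.
    good = build_report(RAW_SPAM, "me@example.org", "REPORT_ADDR@spamcop.example")
    bad = inline_forward(RAW_SPAM, "me@example.org", "REPORT_ADDR@spamcop.example")
    print("attachment form parses to:", attached_spam(good.as_bytes())["Message-ID"])
    print("inline form parses to:", attached_spam(bad.as_bytes()))
```

The point of keeping the original bytes inside a message/rfc822 part rather than quoting them is that every Received line, including the one with the originating address that the report is about, arrives exactly as the MX recorded it.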




Re: SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)

2008-02-26 Thread Stefan `Sec` Zehl
Hi,

Ok, I debugged this a bit more.

Problem is, these headers were marked as ALL_TRUSTED:

> > | Received: from mout4.freenet.de (mout4.freenet.de [IPv6:2001:748:100:40::2:6])
> > | (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> > | (No client certificate requested)
> > | by ice.42.org (Postfix) with ESMTPS id D189AB85A
> > | for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008 11:51:08 +0100 (CET)
> > | Received: from [195.4.92.23] (helo=13.mx.freenet.de)
> > | by mout4.freenet.de with esmtpa (Exim 4.69)
> > | (envelope-from <[EMAIL PROTECTED]>)
> > | id 1JTxOR-0002Vk-38; Tue, 26 Feb 2008 11:50:39 +0100
> > | Received: from [82.128.34.27] (port=1797 helo=User)
> > | by 13.mx.freenet.de with esmtpa (ID [EMAIL PROTECTED]) (port 25) (Exim 4.69 #10)
> > | id 1JTxOO-0005uv-2T; Tue, 26 Feb 2008 11:50:38 +0100

The detailed problem is, the first header is completely ignored because
of its IPv6 content.

The second line contains "with esmtpa" which makes SpamAssassin
unconditionally trust this header. Case in point:

SpamAssassin/Message/Metadata/Received.pm around line 192:
| # trusted_networks matches?
| if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) {
|   $in_trusted = 0;

It is completely irrelevant if the IP is in trusted_networks or not. If
the Received line contains "auth" which at this point contains "esmtpa"
it considers the Header good and trusted.

I fixed that particular problem for now by forcing "auth" to be empty
at the end of the "parse_received_line" function, but as $auth was
included for some reason, somebody should look closer at how to fix this
completely.

CU,
Sec
-- 
The problem with troubleshooting is that trouble shoots back.
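To make the failure mode above concrete, here is an added example that is not part of the thread and not SpamAssassin's Perl: a Python model of the top-down trust walk with the quoted check, run over constructed Received headers shaped like the three quoted above (hostnames and addresses replaced by documentation ranges). The 192.0.2.0/24 trusted network, the esmtpa/esmtpsa keywords treated as "auth", and the header regex are assumptions of the model; the `skip_unparsable` switch contrasts the reported behaviour (an unparsable hop is dropped and the walk continues) with the conservative alternative (an unparsable hop ends the trusted path).

```python
import ipaddress
import re

# Constructed Received headers modelled on the three quoted above.  Listed
# top-down, i.e. the first entry is the hop that delivered to our own MX,
# which is the order the trust walk uses.
RECEIVED_V6_FIRST = [
    "from relay.provider.example (relay.provider.example [IPv6:2001:db8::2:6]) "
    "by mx.example.org (Postfix) with ESMTPS id AAAA",
    "from [198.51.100.23] (helo=inbound.provider.example) "
    "by relay.provider.example with esmtpa (Exim 4.69) id BBBB",
    "from [203.0.113.27] (port=1797 helo=User) "
    "by inbound.provider.example with esmtpa (Exim 4.69) id CCCC",
]
# The same chain with the first hop's address replaced by an IPv4 literal,
# the experiment described earlier in the thread.
RECEIVED_V4_FIRST = ["from relay.provider.example (relay.provider.example [1.2.3.4]) "
                     "by mx.example.org (Postfix) with ESMTPS id AAAA"] + RECEIVED_V6_FIRST[1:]

# Our own MX network (constructed); anything outside it is untrusted.
TRUSTED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

HEADER_RE = re.compile(
    r"\[(?P<ip>[^\]\s]+)\].*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<with>\S+)",
    re.IGNORECASE)

def parse_received(line):
    """Return {"ip", "by", "auth"} for one Received header, or None when it does
    not parse.  Like the IPv4-only parser discussed in the thread, an IPv6
    literal counts as unparsable."""
    m = HEADER_RE.search(line)
    if m is None:
        return None
    literal = m.group("ip")
    if literal.lower().startswith("ipv6:"):
        literal = literal[5:]
    try:
        ip = ipaddress.ip_address(literal)
    except ValueError:
        return None
    if ip.version != 4:
        return None
    # "auth": the hop was an authenticated submission (assumed keywords).
    auth = m.group("with").lower() in ("esmtpa", "esmtpsa")
    return {"ip": ip, "by": m.group("by"), "auth": auth}

def walk_trust(received_lines, trusted_networks, skip_unparsable):
    """Split the relay chain into (trusted, untrusted) lists of IP strings.

    skip_unparsable=True reproduces the behaviour reported in the thread: an
    unparsable hop is dropped and the walk continues, so the next hop is judged
    as if it had handed the mail to us directly.  skip_unparsable=False is the
    conservative alternative: an unparsable hop ends the trusted path.
    """
    trusted, untrusted = [], []
    in_trusted = True
    for line in received_lines:
        relay = parse_received(line)
        if relay is None:
            if not skip_unparsable:
                in_trusted = False
            continue
        # The test quoted from Received.pm: an authenticated hop stays in the
        # trusted path whether or not its IP is in trusted_networks.
        if in_trusted and not relay["auth"] \
                and not any(relay["ip"] in net for net in trusted_networks):
            in_trusted = False
        (trusted if in_trusted else untrusted).append(str(relay["ip"]))
    return trusted, untrusted

def all_trusted(received_lines, trusted_networks, skip_unparsable):
    """True when no relay ends up untrusted, i.e. when ALL_TRUSTED would fire."""
    trusted, untrusted = walk_trust(received_lines, trusted_networks, skip_unparsable)
    return bool(trusted) and not untrusted

if __name__ == "__main__":
    for name, chain in (("IPv6 first hop", RECEIVED_V6_FIRST),
                        ("IPv4 first hop", RECEIVED_V4_FIRST)):
        for skip in (True, False):
            print(name, "skip_unparsable=%s" % skip,
                  walk_trust(chain, TRUSTED_NETWORKS, skip))
```

With the IPv6 chain and `skip_unparsable=True` both remaining hops land in the trusted list, exactly the "trusted? yes" pair in the debug output above, because the esmtpa hop is evaluated as if it had talked to our MX. Ending the trusted path at the unparsable hop, or parsing the IPv6 literal so that the first hop is judged on its address, both put every hop in the untrusted list.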


Re: SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)

2008-02-26 Thread Justin Mason

Stefan `Sec` Zehl writes:
> Hi,
> 
> Ok, I debugged this a bit more.
> 
> Problem is, these headers were marked as ALL_TRUSTED:
> 
> > > | Received: from mout4.freenet.de (mout4.freenet.de [IPv6:2001:748:100:40::2:6])
> > > | (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
> > > | (No client certificate requested)
> > > | by ice.42.org (Postfix) with ESMTPS id D189AB85A
> > > | for <[EMAIL PROTECTED]>; Tue, 26 Feb 2008 11:51:08 +0100 (CET)
> > > | Received: from [195.4.92.23] (helo=13.mx.freenet.de)
> > > | by mout4.freenet.de with esmtpa (Exim 4.69)
> > > | (envelope-from <[EMAIL PROTECTED]>)
> > > | id 1JTxOR-0002Vk-38; Tue, 26 Feb 2008 11:50:39 +0100
> > > | Received: from [82.128.34.27] (port=1797 helo=User)
> > > | by 13.mx.freenet.de with esmtpa (ID [EMAIL PROTECTED]) (port 25) (Exim 4.69 #10)
> > > | id 1JTxOO-0005uv-2T; Tue, 26 Feb 2008 11:50:38 +0100
> 
> The detailed problem is, the first header is completely ignored because
> of its IPv6 content.
> 
> The second line contains "with esmtpa" which makes SpamAssassin
> unconditionally trust this header. Case in Point:
> 
> SpamAssassin/Message/Metadata/Received.pm around line 192:
> | # trusted_networks matches?
> | if (!$relay->{auth} && !$trusted->contains_ip($relay->{ip})) {
> | $in_trusted = 0;
> 
> It is completely irrelevant if the IP is in trusted_networks or not. If
> the Received line contains "auth" which at this point contains "esmtpa"
> it considers the Header good and trusted.
> 
> I fixed that particular problem for now by forcing "auth" to be empty
> at the end of the "parse_received_line" function, but as $auth was
> included for some reason, somebody should look closer at how to fix this
> completely.

The fix would be to implement support for IPv6 trust paths:

http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4503
http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4964

--j.


Re: SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)

2008-02-26 Thread Stefan `Sec` Zehl
Hi,

On Tue, Feb 26, 2008 at 15:56 +, Justin Mason wrote:
> The fix would be to implement support for IPv6 trust paths:
> 
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4503
> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4964

Ok, so you're telling me that not only is this bug known, but it went
unfixed for over a year?

I must admit that I don't know much of SA's internals or how hard it is
to fix this "the correct way".

However a bug like that should have been fixed -- or at least worked
around by now.

A simple workaround would be to hardcode a fake IP (like "0.0.0.0") for
IPv6.

But the bigger problem remains, and it is not the IPv6 stuff. The main
problem here is that if the first Received header is (for whatever
reason) unparsable, all the other (spammer-controlled) headers are
trusted if they have an "auth" part.  I would say the default here is
definitely the wrong way round.

But then, I'm only a stupid user and who cares about those %)

CU,
Sec
-- 
Not a perfect solution, but far cheaper than one.


RE: URIBL

2008-02-26 Thread Jeff Chan

Quoting Rocco Scappatura <[EMAIL PROTECTED]>:

> Maybe, now is the case to set up a copy of the zone locally on my server..
> I've about 1300K messages rejected per day!!


Yes, you should not query 1.3 million messages per day on the public  
nameservers.  That would be considered abusive.


Jeff C.





Re: SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)

2008-02-26 Thread Justin Mason

Stefan `Sec` Zehl writes:
> Hi,
> 
> On Tue, Feb 26, 2008 at 15:56 +, Justin Mason wrote:
> > The fix would be to implement support for IPv6 trust paths:
> > 
> > http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4503
> > http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4964
> 
> Ok, so you're telling me that not only is this bug known, but it went
> unfixed for over a year?

Unfortunately, nobody who's bothered by it, has bothered fixing it
and sending us a patch.  I'll omit any comments about IPv6 users ;)

> I must admit that I don't know much of SAs internals or how hard it is
> to fix this "the correct way".
> 
> However a bug like that should have been fixed -- or at least worked
> around by now.

yes, we know that ;)  If we had infinite time, it'd be fixed by now.

> A simple workaround would be to hardcode a fake IP (like "0.0.0.0") for
> IPv6.
> 
> But the bigger problem remains, and it is not the IPv6 stuff. The main
> problem here is, that if the first Received header is (for what reason
> ever) unparsable, all the other (spammer-controlled) headers are
> trusted if they have an "auth" part.  I would say the default here is
> definitely the wrong way round.

it's a bug.  It needs fixing... the right way is to parse IPv6 headers.
So far it hasn't been a significant problem, since I think yours is
the first example I've seen of spam traversing IPv6 networks to arrive
at a trusted network.

> But then, I'm only a stupid user and who cares about those %)

Hardly representative of our attitude.

--j.

> CU,
>  Sec
> -- 
> Not a perfect solution, but far cheaper than one.


RE: Email with no "hits" and "required"

2008-02-26 Thread Robert - elists
> 
> System: Debian with Qmail + QmailScanner + SpamAssassins + ClamAV
> Installation: qmailrocks.org
> 
> I've updated SA (original from qmailrocks.org 3.0.2) to 3.2.4
> my locale.cf is :
> 
> rewrite_header Subject *SPAM*
> report_safe 0
> required_score 4
> required_hits 5
> use_bayes 1
> 
> Question 1. The email still tagged like this:
> 
> Received: from  ... [snip] ... with qmail-scanner-1.25-st-qms
> (clamdscan: 0.83/705. spamassassin: 3.0.2. perlscan: 1.25-st-qms.
> ^^
> I've updated to 3.2.4
> spamd -V :
> SpamAssassin Server version 3.2.4
>   running on Perl 5.8.4
> 
> Question 2. And some email have this tag
> 
> X-Spam-Status: No, hits=? required=?
> 
> Why?
> 
> Cheers
> --
> Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/

Massimiliano,

On our systems the correct answer is this:

setuidgid clamav /var/qmail/bin/qmail-scanner-queue.pl -z
setuidgid clamav /var/qmail/bin/qmail-scanner-queue.pl -g

Be careful though, about the user you use... we use the clamav user.

When you are done, and if I recall correctly, you should stop and restart all
necessary services to pull in the new config info, so to speak.

The no-hits part, I dunno. Could be too large a message or whatever else... you
can debug that in the logs.

 - rh



Re: SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)

2008-02-26 Thread Stefan `Sec` Zehl
Hi,

On Tue, Feb 26, 2008 at 16:26 +, Justin Mason wrote:
> Stefan `Sec` Zehl writes:
> > Ok, so you're telling me that not only is this bug known, but it went
> > unfixed for over a year?
> 
> Unfortunately, nobody who's bothered by it, has bothered fixing it
> and sending us a patch.  I'll omit any comments about IPv6 users ;)
[...]
> yes, we know that ;)  If we had infinite time, it'd be fixed by now.

Ok, here is a patch which fixes this specific (IPv6) problem until
someone has time to make SA completely v6 aware:

--- Mail/SpamAssassin/Message/Metadata/Received.pm.orig 2008-02-26 
17:28:28.0 +0100
+++ Mail/SpamAssassin/Message/Metadata/Received.pm  2008-02-26 
17:28:52.0 +0100
@@ -1208,7 +1208,8 @@
   $ip = Mail::SpamAssassin::Util::extract_ipv4_addr_from_string ($ip);
   if (!$ip) {
 dbg("received-header: could not parse IPv4 address, assuming IPv6");
-return 0;   # ignore IPv6 handovers
+#return 0;   # ignore IPv6 handovers
+   $ip="0.0.0.0";
   }
 
   # DISABLED: if we cut out localhost-to-localhost SMTP handovers,
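Review bot: replacing the early `return 0;` with `$ip="0.0.0.0";` turns an unparsable hop from "skipped" into "a relay at 0.0.0.0", so the trusted_networks test quoted earlier in the thread now runs on that sentinel, as does anything else that consumes `$ip` for this relay; the hop is untrusted only as long as 0.0.0.0 falls outside trusted_networks and internal_networks, which a deliberately broad range would not guarantee, so that configuration should be tested. That is the intended effect for breaking the trust path, but the hunk should say so: drop the commented-out `#return 0;   # ignore IPv6 handovers` rather than leaving dead code, add a comment that 0.0.0.0 is a placeholder for a non-IPv4 hop, update the dbg() text, which still says "assuming IPv6" while the hop is now recorded with an IPv4 sentinel, and match the two-space indentation of the surrounding block on the `$ip="0.0.0.0";` line.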

> > But the bigger problem remains, and it is not the IPv6 stuff. The main
> > problem here is, that if the first Received header is (for what reason
> > ever) unparsable, all the other (spammer-controlled) headers are
> > trusted if they have an "auth" part.  I would say the default here is
> > definitely the wrong way round.
> 
> it's a bug.  It needs fixing... the right way is to parse IPv6 headers.
> So far it hasn't been a significant problem, since I think yours is
> the first example I've seen of spam traversing IPv6 networks to arrive
> at a trusted network.

My point is: ANY reason to misparse a received-header leads to automatic
trusting of untrusted headers.

Do you trust SA to never misparse a Received-line? I have seen the
inside of that function and the tons of regexps there. I would not trust
it to be completely bugfree.

I may well be the first person to report a spam, but I am quite sure
there are more people out there with spam mistakenly getting the
ALL_TRUSTED label. After all, who checks the headers of their
spam mailbox regularly?

> > But then, I'm only a stupid user and who cares about those %)
> Hardly representative of our attitude.

I'll take your word for it. I was miffed realizing that after half a day
of debugging I found a year old bug -- which is still unfixed.

CU,
Sec
-- 
Hofstadter's Law: Everything takes longer than you expect,
  even taking into account Hofstadter's Law.


Re: Email with no "hits" and "required"

2008-02-26 Thread Jason Haar

Randy Ramsdell wrote:

>> Question 2. And some email have this tag
>>
>> X-Spam-Status: No, hits=? required=?
>>
>> Why?

This is and always has been documented behaviour in Qmail-Scanner. 
Please read the FAQ.


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



any rules for this?

2008-02-26 Thread Mike Fahey

Does anyone have any rules for these?

C A 5N A D/1AN P 7 5H A RM A 9CY

V / 7A G R \A - $1.45
C 4/ A L / S - $2.26
S0 O M A - $0.67
L E7 V / T R A - $3.63
F E _MALE V 6/ A G \R 4A
U 8 L T 7R A M - $1.36
165 Items on S /AL \E Today.

Grab yours while supplies last


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Igor Chudov
If I recall correctly...

This Habeas is some sort of a braindead business idea to insert an
unauthenticated header in bodies of "legitimate" emails coming from
their customers, to assure spam filters that the email is legitimate. 

Kind of like SPF, but implemented by third graders with multiple
learning disabilities.

Of course, since the header is unauthenticated, some spammers now
insert it in their spams to look legitimate (or maybe Habeas spams
too, I do not know).

In any case, I have everything that mentions 
http://www.h a b e a s.com go into my garbage folder; that's where I
saw your message when I was reviewing it.

i

On Tue, Feb 26, 2008 at 10:22:35PM +1300, Jason Haar wrote:
> Anthony Peacock wrote:
>>
>> I have had a look around the http://www.habeas.com/ website and can't 
>> really see how to check the company in question, or make a complaint. 
>> There is a form for asking them to ask the company to remove these 
>> addresses from their mailing list, but I don't want to have to do that, I 
>> want to complain about the company.
> This is a "me too". I had the same problem and came to exactly the same 
> conclusion: there's no way I could find to notify them that one of their 
> supposedly squeaky-clean customers is sending spam. I'm pushing their score 
> down to 0 too.
>
> Grr
>
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Igor Chudov
I strongly recommend to block Habeas entirely.

They are a yet another garbage email company.

i

On Tue, Feb 26, 2008 at 03:10:54PM +, Anthony Peacock wrote:
> Hi,
>
> Following up to myself...
>
> Anthony Peacock wrote:
>> Hi Justin,
>>
>> Justin Mason wrote:
>>> Jason Haar writes:
 Anthony Peacock wrote:
> I have had a look around the http://www.habeas.com/ website and can't 
> really see how to check the company in question, or make a complaint. 
> There is a form for asking them to ask the company to remove these 
> addresses from their mailing list, but I don't want to have to do that, 
> I want to complain about the company.
 This is a "me too". I had the same problem and came to exactly the same 
 conclusion: there's no way I could find to notify them that one of their 
 supposedly squeaky-clean customers is sending spam. I'm pushing their 
 score down to 0 too.
>>>
>>> No way you could find?  look harder guys ;)
>>>
>>> at the top of www.habeas.com, 'Support', then 'Give Feedback on Habeas
>>> Certified Senders' brings you to this page:
>>>
>>>   http://www.habeas.com/en-US/Company_Feedback.php
>>>
>>> That page says you can also just forward it to complaints /at/ 
>>> habeas.com.
>>
>> I did find that page, but got hung up on the bit that says, "Please ask 
>> the Sender to unsubscribe me from this email list. I understand Habeas 
>> cannot guarantee I will be unsubscribed."  Which, in my hurry to get to a 
>> meeting this morning, made me assume that this was just another mechanism 
>> to implement unsubscribing, and not a proper complaint procedure.
>>
>> I will actually report the emails that I have got.  But I think I am going 
>> to disable all the HABEAS rules anyway.
>
> Looking into this more, I have disabled the HABEAS checks altogether 
> (setting score to 0).  I did consider the suggestions about lowering the 
> impact by setting the score to -0.5 or similar, but actually I don't like 
> the concept of this service, and I would rather save the bandwidth and not 
> do the checks altogether.
>
> Thanks to everyone for their comments.
>


Re: rule checking environment variable

2008-02-26 Thread Matus UHLAR - fantomas
On 26.02.08 14:51, Miguel Angel wrote:
> I am using spamassassin 3.2.3 with qmail and simscan; the problem I
> have is that my authenticated SMTP users have mails rejected because of
> a high score,

do they get high score because of the authentication or are they catching
something like DOX_*_TO_MX? 
Proper authentication data in Received: headers should make SA know that the
client was trusted and not to catch that rule...


-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (Slovak): I do NOT want to receive any advertising mail at this address.
Remember half the people you know are below average. 


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread John Hardin

On Tue, 26 Feb 2008, Igor Chudov wrote:


If I recall correctly...

This Habeas is some sort of a braindead business idea to insert an
unauthenticated header in bodies of "legitimate" emails coming from
their customers, to assure spam filters that the email is legitimate.

Kind of like SPF, but implemented by third graders with multiple
learning disabilities.


The idea is that the Habeas header text is copyrighted, and spammers who 
forge it can be sued for copyright infringement rather than under more 
traditional spam-related charges such as trespass, false advertising, etc.


Does anybody know whether Habeas has found this to be a successful 
strategy?


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Microsoft is not a standards body.
---
 16 days until Albert Einstein's 129th Birthday


Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Theo Van Dinter
On Tue, Feb 26, 2008 at 11:18:32AM -0600, Igor Chudov wrote:
> This Habeas is some sort of a braindead business idea to insert an
> unauthenticated header in bodies of "legitimate" emails coming from
> their customers, to assure spam filters that the email is legitimate. 

The original Habeas SWE was a Haiku that customers would put into their mail
headers, and the theory went that if someone put the headers in spam, they
could be sued through normal copyright law which is easier to deal with than
just spamming which isn't necessarily illegal in a lot of places.

While an interesting try, yes, it did ultimately fail due to the difficulties
of tracking down people and then carrying out lawsuits globally, along with
the amount of time needed to get the infringement to stop.

Habeas now uses a DNS whitelist, like most other mail accreditation services.

Whether or not people think accreditation services are useful is another
discussion, and I'm sure people's opinions vary wildly on the topic.

-- 
Randomly Selected Tagline:
Bender: "You know the secret of traditional robot cooking? Start with a good
 high-quality oil, then eat it." 




Spamd and SpamAssassin scoring very different scores

2008-02-26 Thread Russell Jones
For some reason spamd is not scoring email nearly as high as 
spamassassin scores if you run the message through manually. I do not 
understand this, and it is causing spam to get through that should have 
been blocked. As you can see when running spamassassin manually it 
scored it a 7.5, but spamd scored it only a 4.5 when it first came in.


Below is the message spamassassin shows when I run it through manually, 
and you can see the original email as well as the original score spamd 
gave it towards the bottom of the message.


What do I need to do to get spamd to give the same score spamassassin is 
giving? It looks to me like the rcvd_in_xbl rule did not fire for spamd, 
but did for spamassassin. What accounts for that?


Received: from localhost by server1.eggycrew.com
   with SpamAssassin (version 3.2.0);
   Tue, 26 Feb 2008 11:43:09 -0600
From: "Ahmad Mcfadden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Is generic medication just as effective as the brand named 
products?

Date: Tue, 26 Feb 2008 19:43:00 +0800
Message-Id: <[EMAIL PROTECTED]>
X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on 
server1.eggycrew.com

X-Spam-Level: ***
X-Spam-Status: Yes, score=7.5 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
   RCVD_IN_XBL,RDNS_NONE,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL
   autolearn=disabled version=3.2.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="--=_47C44FAD.87C8E643"

This is a multi-part message in MIME format.

=_47C44FAD.87C8E643
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

SpamAssassin, running on the system "mail.eggycrew.com", has identified
this incoming email as possible spam.  The original message has been
attached to this so you can view it (if it isn't spam).

You may update your SpamAssassin configuration at any time in your
DirectAdmin Control Panel under "Advanced Features".

If you have any questions, please contact the Helpdesk.


Content preview:  Is generic medication just as effective as the brand named
  products? Generic medication is just as safe and effective as their brand
  named competitors. Our generic products are produced in India by 
pharmaceutical
  manufacturers in the highest quality facilities that fully comply 
with the

  Good Manufacturing Practices (GMP), the stipulations laid down by the US
 FDA. [...]

Content analysis details:   (7.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4419]
 1.5 URIBL_WS_SURBL         Contains an URL listed in the WS SURBL blocklist
                            [URIs: bnorbovea.com]
 1.5 URIBL_JP_SURBL         Contains an URL listed in the JP SURBL blocklist
                            [URIs: bnorbovea.com]
 0.5 URIBL_SC_SURBL         Contains an URL listed in the SC SURBL blocklist
                            [URIs: bnorbovea.com]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [60.10.108.162 listed in zen.spamhaus.org]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL



=_47C44FAD.87C8E643
Content-Type: message/rfc822; x-spam-type=original
Content-Description: original message before SpamAssassin
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Return-path: <[EMAIL PROTECTED]>
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Tue, 26 Feb 2008 06:00:44 -0600
Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67)
   (envelope-from <[EMAIL PROTECTED]>)
   id 1JTyUF-0005OA-Ld
   for [EMAIL PROTECTED]; Tue, 26 Feb 2008 06:00:44 -0600
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on 
server1.eggycrew.com

X-Spam-Level: 
X-Spam-Status: No, score=4.5 required=5.0 
tests=BAYES_50,RCVD_IN_PBL,RDNS_NONE,
   URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled 
version=3.2.0

Received: from [60.10.108.162] (helo=0769d38b7bb44bd)
   by mail.eggycrew.com with esmtp (Exim 4.67)
   (envelope-from <[EMAIL PROTECTED]>)
   id 1JTyUE-0005Nh-JK
   for [EMAIL PROTECTED]; Tue, 26 Feb 2008 06:00:43 -0600
Received: from [60.10.108.162] by yippee.popula.com; Tue, 26 Feb 2008 
19:43:00 +0800

From: "Ahmad Mcfadden" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Is generic medication just as effective as the brand named 
products?

Date: Tue, 26 Feb 2008 19:43:00 +0800
MIME-Version: 1.0
Content-Type: text/plain;
   charset="Windows-1252"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
Thread-Index: Aca6QF5B2T0X0GZ6NQJKYUH3R6M37Y==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
Message-ID: <[EMAIL PROTECTED]>
X-Antivirus-ClamAV-Scanner: This message was scanned for viru

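To make the comparison in the post above mechanical, here is an added Python example (not code from the post) that unfolds the two X-Spam-Status headers quoted there, diffs the rule sets and attributes the score gap to the rules that fired in only one run. The header and report text are copied from the post; nothing else is assumed.

```python
import re

# Copied from the post: the manual `spamassassin` run and the original spamd
# scan of the same message (folded exactly as they appear in the headers).
MANUAL_STATUS = """X-Spam-Status: Yes, score=7.5 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
   RCVD_IN_XBL,RDNS_NONE,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL
   autolearn=disabled version=3.2.0"""

SPAMD_STATUS = """X-Spam-Status: No, score=4.5 required=5.0
tests=BAYES_50,RCVD_IN_PBL,RDNS_NONE,
   URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled
version=3.2.0"""

# Per-rule points from the "Content analysis details" table in the same post.
REPORT = """ 0.1 RDNS_NONE      Delivered to trusted network by a host with no rDNS
 0.0 BAYES_50       BODY: Bayesian spam probability is 40 to 60%
 1.5 URIBL_WS_SURBL Contains an URL listed in the WS SURBL blocklist
 1.5 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
 0.5 URIBL_SC_SURBL Contains an URL listed in the SC SURBL blocklist
 0.9 RCVD_IN_PBL    RBL: Received via a relay in Spamhaus PBL
 3.0 RCVD_IN_XBL    RBL: Received via a relay in Spamhaus XBL"""


def unfold(header):
    """Join a folded header (continuation lines) into one logical line."""
    return re.sub(r"\r?\n[ \t]*", " ", header.strip())


def parse_spam_status(header):
    """Return (score, required, set_of_tests) from an X-Spam-Status header."""
    line = unfold(header)
    score = float(re.search(r"\bscore=(-?\d+(?:\.\d+)?)", line).group(1))
    required = float(re.search(r"\brequired=(\d+(?:\.\d+)?)", line).group(1))
    tests_field = re.search(r"\btests=(.*?)\s+autolearn=", line).group(1)
    tests = {t.strip() for t in tests_field.split(",") if t.strip()}
    return score, required, tests


def parse_report(report):
    """Return {rule: points} from the per-rule lines of a SpamAssassin report."""
    points = {}
    for line in report.splitlines():
        m = re.match(r"\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)", line)
        if m:
            points[m.group(2)] = float(m.group(1))
    return points


def explain_score_gap(status_a, status_b, report):
    """Attribute the score difference between two scans of the same message
    to the rules that fired in only one of them."""
    score_a, _, tests_a = parse_spam_status(status_a)
    score_b, _, tests_b = parse_spam_status(status_b)
    points = parse_report(report)
    only_a = {r: points.get(r, 0.0) for r in tests_a - tests_b}
    only_b = {r: points.get(r, 0.0) for r in tests_b - tests_a}
    gap = round(score_a - score_b, 3)
    explained = round(sum(only_a.values()) - sum(only_b.values()), 3)
    return {"only_in_first": only_a, "only_in_second": only_b,
            "score_gap": gap, "explained_by_rules": explained}


if __name__ == "__main__":
    print(explain_score_gap(MANUAL_STATUS, SPAMD_STATUS, REPORT))
```

The whole 3.0-point gap is RCVD_IN_XBL, a DNS blocklist lookup, so the difference is time- and resolver-dependent: the relay may not have been listed yet when spamd scanned the mail at 06:00, or spamd's DNS query may have timed out (a lookup that does not complete simply yields no hit).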
Re: rule checking environment variable

2008-02-26 Thread Miguel Angel

They are getting a high score because they are using dynamic IP ranges and they match 
RBL lists.

Matus UHLAR - fantomas wrote:

On 26.02.08 14:51, Miguel Angel wrote:
I am using spamassassin 3.2.3 with qmail and simscan; the problem I
have is that my authenticated SMTP users have mails rejected because of
a high score,


do they get high score because of the authentication or are they catching
something like DOX_*_TO_MX? 
Proper authentication data in Received: headers should make SA know that the

client was trusted and not to catch that rule...






Re: [OT] Yahoo Deferred

2008-02-26 Thread mouss

Michael Hutchinson wrote:

>>> I have tried different approaches, and let us not forget I have filled
>>> out 3 whitelist forms, and received no response from Yahoo. Their service
>>> is breaking RFC's by not delivering mail. They are ignorant towards other
>>> companies trying to use their service.
>> But they do deliver the mail. You've even said so above. If this is for
>> paid for accounts, I can see there being an issue. If it is for free
>> accounts, how do you think they make their money to support free
>> accounts? By requiring the free accounts to login to do some things.
>
> Delivering mail via a filter we have no control of, directly to a folder
> the user never sees, is not delivering mail, in my book. Or a lot of
> people's book.

This doesn't break the RFC. This is bad service for their users, not a 
conformance issue. A lot of people put mail believed to be spam in a 
spam folder or a quarantine. The problem is when people don't check 
their Junk folder. I would prefer if providers let users actively opt 
in, or at least warn them or whatever, but as you know design is driven 
by the needs for $lusers, because they represent the majority of people. 
lusers would quit the service if they get too much spam. on the other 
hand, every free webmail user I've discussed with said "I never get any 
spam and I never lost any mail at ${foo bar webmail}". and this is what 
makes a service "successful" from a business perspective ;-p


PS. Silently discarding mail is another issue. I've seen this at hotmail 
and not at yahoo (I don't mean it doesn't happen at yahoo, I simply mean 
that my own tests didn't show such behaviour).



> It is for paid accounts, by the way.
>
> I'm not about to start seeing that what Yahoo is doing is acceptable or
> correct. No matter what "sense" you try and make of it.


"junking" a lot of legitimate mail is bad in any site (discarding is 
worst). This means the filter quality is bad (too many FPs). that said, 
it is the account owner's responsibility to complain or to find a more 
reliable provider, unless said owner is happy not getting too much spam.


I've had the problem with yahoo, gmail and hotmail last year. it was 
ultimately "fixed" (without DKIM btw) but the site didn't send a "huge" 
quantity of mail, and wasn't really bulk. It was a "social" application, 
but members could generate too much mail (to my taste) to their own 
addresses (get alerts regarding their "friends" events). so the issue is 
not that of sending mail to a lot of people, but sending a lot of mail 
to few people. this is easier but still challenging.


failed spf_helo_softfail in SA

2008-02-26 Thread aritza sobrinos
Hi,

I'm getting false positives like this:

X-Spam-Status: Yes, score=3.776 tag=x tag2=3.5 kill=3.5 tests=[BAYES_50=
0.001,
 HTML_10_20=0.246, HTML_MESSAGE=0.001, HTML_SHORT_LENGTH=0.389,
 SPF_HELO_SOFTFAIL=3.14, SPF_PASS=-0.001]


SPF_HELO_SOFTFAIL and SPF_PASS in the same mail, is this ok? It happens
only for one domain; for other domains SPF works correctly, giving only pass.


any ideas ?

I'm using:

SpamAssassin version 3.0.3
  running on Perl version 5.8.4

amavisd-new-2.4.2


Thanks in advance!

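SpamAssassin's SPF plugin evaluates two identities separately, the HELO/EHLO name and the envelope sender (MAIL FROM) domain, so one message can legitimately yield SPF_PASS for the sender and SPF_HELO_SOFTFAIL for the HELO host. The added Python example below (not from this thread) shows that with a minimal SPF evaluator; the domains, addresses and SPF records are constructed, and the result-to-rule-name mapping is an assumption based on the rule names that appear in the post.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (a real evaluator queries DNS).
# The sender's domain authorises its own netblock; the HELO name belongs to a
# different domain whose record lists another host and ends in ~all.
ZONE = {
    "example.com":      "v=spf1 ip4:203.0.113.0/24 -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
    "bulk.example.org": "v=spf1 include:example.com -all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def evaluate_spf(client_ip, domain, zone=ZONE, depth=0):
    """Minimal SPF check supporting ip4, include and all with qualifiers.

    Returns pass/fail/softfail/neutral/none/permerror, the result vocabulary
    of RFC 4408 (the SPF specification current in 2008).
    """
    if depth > 10:                      # RFC 4408 caps the include chain
        return "permerror"
    record = zone.get(domain)
    if record is None:
        return "none"                   # no record: no SPF rule fires
    terms = record.split()
    if not terms or terms[0] != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        if term.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = evaluate_spf(client_ip, term[8:], zone, depth + 1) == "pass"
        elif term == "all":
            matched = True
        else:
            continue                    # a, mx, ptr, exists: not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"                    # nothing matched and no "all" term


def spamassassin_spf_rules(client_ip, helo_name, mail_from):
    """Map both SPF identities to the rule names SpamAssassin would fire.

    Assumed mapping: result X gives SPF_X for the envelope sender and
    SPF_HELO_X for the HELO name; "none" fires nothing in the 3.0-era rules.
    """
    helo_result = evaluate_spf(client_ip, helo_name)
    mfrom_result = evaluate_spf(client_ip, mail_from.rsplit("@", 1)[-1])
    rules = []
    if mfrom_result in QUALIFIER_RESULT.values():
        rules.append("SPF_" + mfrom_result.upper())
    if helo_result in QUALIFIER_RESULT.values():
        rules.append("SPF_HELO_" + helo_result.upper())
    return sorted(rules)


if __name__ == "__main__":
    # The situation from the post: sender domain passes, HELO name softfails.
    print(spamassassin_spf_rules("203.0.113.5", "mail.example.net", "user@example.com"))
```

The sending site fixes this on its side by giving the HELO name an SPF record that also lists the sending address; on the receiving side the two results stay independent, so a high SPF_HELO_SOFTFAIL score should not be read as a failed sender check.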

Re: failed spf_helo_softfail in SA

2008-02-26 Thread John Hardin

On Tue, 26 Feb 2008, aritza sobrinos wrote:


I'm getting false positives like this:

X-Spam-Status: Yes, score=3.776 tag=x tag2=3.5 kill=3.5 tests=[BAYES_50=
0.001,
HTML_10_20=0.246, HTML_MESSAGE=0.001, HTML_SHORT_LENGTH=0.389,
SPF_HELO_SOFTFAIL=3.14, SPF_PASS=-0.001]

SPF_HELO_SOFTFAIL and SPF_PASS in the same mail, is this ok? It happens
only for one domain; for other domains SPF works correctly, giving only pass.

any ideas ?


Increase your threshold to 5.0 as all of the base rules have their scores 
assigned with that threshold in mind. If you lower it without adjusting 
the default scores you *will* get more FPs than you should.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Look at the people at the top of both efforts. Linus Torvalds is a
  university graduate with a CS degree. Bill Gates is a university
  dropout who bragged about dumpster-diving and using other peoples'
  garbage code as the basis for his code. Maybe that has something to
  do with the difference in quality/security between Linux and
  Windows.   -- anytwofiveelevenis on Y! SCOX
---
 16 days until Albert Einstein's 129th Birthday


listserve bombs: questex.com and civisplus.com - anyone?

2008-02-26 Thread Toll, Eric
Anyone else just get bombed by listserve servers?
 
I got a user who got 20 emails in 5 mins from: questex.com 66.203.94.0/24

and

civicplus.com 69.149.139.127

almost feels like zombie worms or something is subscribing users to these
listserv servers -- which either do not require a confirm email or have been
hacked to not need a confirmation email.




Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread Kelson

Igor Chudov wrote:

If I recall correctly...

This Habeas is some sort of a braindead business idea to insert an
unauthenticated header in bodies of "legitimate" emails coming from
their customers, to assure spam filters that the email is legitimate. 


Not anymore.  They've long since switched to an IP-based whitelist 
because the unauthenticated header proved unreliable.


They changed their business model YEARS ago.

--
Kelson Vibber
SpeedGate Communications 


Re: Too false negative

2008-02-26 Thread mouss

Rocco Scappatura wrote:

> [snip]
>
> Sorry It was not the case to send the entire email.. Here the
> X-Spam-Status after running the message against 'spamassassin -D':
>
> X-Spam-Status: Yes, score=11.2 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,
>   RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,
>   URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=unavailable version=3.2.4
>
> But it is really strange from amavisd-new log I see that the message is
> passed as clean:

the URL may have been added in $uri lists in the meantime. That said, 
make sure Bayes is using the right "user". rerun spamassassin as the 
amavisd user. if your Bayes db is in mysql, use 
bayes_sql_override_username to force a single user.

> Feb 26 08:09:48 av4 amavis[18267]: (18267-12) Passed CLEAN,
> [125.128.59.158] [125.128.59.158] <[EMAIL PROTECTED]> ->
> >,>,>,
> Message-ID: <[EMAIL PROTECTED]>, mail_id: kgXmlG1zg5ao,
> Hits: 3.558, size: 3731, queued_as: 9D8E775037D, 2132 ms
>
> rocsca




RE: any rules for this?

2008-02-26 Thread Michael Hutchinson
> -Original Message-
> From: Mike Fahey [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, 27 February 2008 6:16 a.m.
> To: users@spamassassin.apache.org
> Subject: any rules for this?
> 
> Does anyone have any rules for these?
> 
> C A 5N A D/1AN P 7 5H A RM A 9CY
> 
> V / 7A G R \A - $1.45
> C 4/ A L / S - $2.26
> S0 O M A - $0.67
> L E7 V / T R A - $3.63
> F E _MALE V 6/ A G \R 4A
> U 8 L T 7R A M - $1.36
> 165 Items on S /AL \E Today.
> 
> Grab yours while supplies last

Hi Mike. You could write some rules against the first line eg:

body SAL_CANADIAN_1 /C A 5N A D\/1AN P 7 5H A RM A 9CY/i
score SAL_CANADIAN_1 5
describe SAL_CANADIAN_1 Obfuscated "Canadian Pharmacy" spam line

but you will want to make it dynamic, because they'll probably change
the layout so this would be a temporary rule for me. You could score
that rule lower and score on the other lines, but that will make it
difficult to change your rules if your spam changes.

PS beware the forward and backslash characters, they will need to be
escaped with a single \ each.

Cheers,
Michael Hutchinson



Re: Variable subject line spam.

2008-02-26 Thread fchan

Hi,
Thank you Loren Wilton. I think this is best solution for me.
These are not from Kohl's or any other legitimate company. The 
subject changes from month to month and the percentages change but 
the format remains the same for the subject line. The body uses 
legitimate text taken from various webpages and has a phishing link 
which also varies. The sender is "me" but the Return-Path is the 
same name at a different domain.

I tried to attach the message but apache.org rejected it.

Thank you,
Frank

I'm getting a lot of these February 77% OFF or variations (ie January 
73% OFF and my guess March 75% OFF next month) thereof in the 
subject line for spam. The body always changes so I can't really 
key on this. I would like to make a rule so that the subject line filters 
this type of spam.


I have never seen one of these, so just going from your description 
I can write a rule.  Whether it will match your actual spam (which I 
haven't seen) I can't say.


header MO_PERCENT_OFF Subject =~ /(?:January|February|March|April|May)\s+\d\d\%\s+OFF\b/i


The above will cover you for about the first half of the year, add 
more months as necessary.



   Loren


Re: Variable subject line spam.

2008-02-26 Thread Daryl C. W. O'Shea
On 26/02/2008 3:21 PM, fchan wrote:
> Hi,
> Thank you Loren Wilton. I think this is best solution for me.
> These are not from Kohl's or any other legitimate  company. The subject
> changes from month to month and the percentages change but the format
> remains the same for the subject line. The body uses legitimate text
> taken from various webpages and have phishing link which also varies.
> The sender is  "me" but the Return-Path is the same name at different
> domain.
> I tried to attach the message but apache.org rejected it.

Which brings up the question, why are you having problems catching it?
Have you whitelisted yourself with whitelist_from?  Most of these I see
score around 20 or more.

Daryl



Gmail captcha broken: was Re: google running an open relay?

2008-02-26 Thread Michael Scheidell

Maybe this is it:

(February 25, 2008)
Spammers have figured out a way to defeat the Gmail Captcha
challenge-response mechanism, which is used to ensure that requests to
create new accounts are coming from real people and not from automated
programs.  Spammers successfully broke the Hotmail Captcha program in the
last few weeks.

http://www.theregister.co.uk/2008/02/25/gmail_captcha_crack/print.html




Re: Too false negative

2008-02-26 Thread Rocco Scappatura



> Rocco Scappatura wrote:
>>> [snip]
>>
>> Sorry It was not the case to send the entire email.. Here the
>> X-Spam-Status  after running the message against 'spamassassin -D':
>>
>> X-Spam-Status: Yes, score=11.2 required=5.0
>> tests=AWL,BAYES_50,HTML_MESSAGE,
>>
>> RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SU
>> RBL,
>> URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=unavailable
>> version=3.2.4
>>
>> But it is really strange from amavisd-new log I see that the message is
>> passed as clean:
>>
>>
>
> the URL may have been added in $uri lists in the meantime. That said,
> make sure Bayes is using the right "user". rerun spamassassin as the
> amavisd user. if your Bayes db is in mysql, use
> bayes_sql_override_username to force a single user.

X-Spam-Status: Yes, score=6.3 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,

RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=unavailable version=3.2.4

What URL? What is $uri_list? I had already set bayes_sql_override_username:

[EMAIL PROTECTED]:/tmp> cat /etc/mail/spamassassin/local.cf | grep
bayes_sql_override_username
bayes_sql_override_username amavis

Is it possible that there is a lack of spamhaus? I suppose that I query
the DNSBL much more than 100.000 times per day.. :-(

Thanks,

rocsca





RE: URIBL

2008-02-26 Thread Rocco Scappatura



> Quoting Rocco Scappatura <[EMAIL PROTECTED]>:
>
>> Maybe, now is the case to set up a copy of the zone locally on my server..
>> I've about 1300K messages rejected per day!!
>
> Yes, you should not query 1.3 million messages per day on the public
> nameservers.  That would be considered abusive.

I am sorry.. I will try to implement the SURBL zone copy during
the next days.. Should this improve the performance of message scan?

rocsca



Re: any rules for this?

2008-02-26 Thread Paul Douglas Franklin

Here is what I'm trying:

body CAN_PHAR
/c[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}a[\W\d]{0,4}d[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}p[\W\d]{0,4}h[\W\d]{0,4}a[\W\d]{0,4}r[\W\d]{0,4}m[\W\d]{0,4}a[\W\d]{0,4}c[\W\d]{0,4}y/i

I believe I have stripped out all non-letters and then search for the
tip-off phrase.  But two of my recent rules gave me lots of FP's.  So
don't implement this without certainty that it is good.
Anyone see a problem with this?
--Paul

Mike Fahey wrote:

Does anyone have any rules for these?

C A 5N A D/1AN P 7 5H A RM A 9CY

V / 7A G R \A - $1.45
C 4/ A L / S - $2.26
S0 O M A - $0.67
L E7 V / T R A - $3.63
F E _MALE V 6/ A G \R 4A
U 8 L T 7R A M - $1.36
165 Items on S /AL \E Today.

Grab yours while supplies last


--
Paul Douglas Franklin
Computer Manager, Union Gospel Mission of Yakima, Washington
Husband of Danette
Father of Laurene, Miriam, Tycko, Timothy, Sarabeth, Marie, Dawnita,
Anna Leah, Alexander, and Caleb

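Paul asks whether his rule is safe to deploy, and Michael and Loren each posted a rule in this thread without a way to check it against known-good mail. As an added example (not code from any of the posts), here is a small Python harness that loads the three posted rules (SAL_CANADIAN_1, CAN_PHAR and MO_PERCENT_OFF) from a local.cf-style snippet and runs them over constructed spam and ham samples; Python's re stands in for SpamAssassin's Perl engine, which is adequate for these three patterns, and the sample messages are constructed here.

```python
import re

# Constructed rule snippet: the three rules posted in this thread, one per line.
RULES_CF = r"""
body   SAL_CANADIAN_1 /C A 5N A D\/1AN P 7 5H A RM A 9CY/i
body   CAN_PHAR /c[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}a[\W\d]{0,4}d[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}p[\W\d]{0,4}h[\W\d]{0,4}a[\W\d]{0,4}r[\W\d]{0,4}m[\W\d]{0,4}a[\W\d]{0,4}c[\W\d]{0,4}y/i
header MO_PERCENT_OFF Subject =~ /(?:January|February|March|April|May)\s+\d\d\%\s+OFF\b/i
"""

PERL_FLAGS = {"i": re.IGNORECASE, "m": re.MULTILINE, "s": re.DOTALL, "x": re.VERBOSE}
BODY_RE = re.compile(r"^body\s+(\w+)\s+/(.*)/([a-z]*)\s*$")
HEADER_RE = re.compile(r"^header\s+(\w+)\s+([\w-]+)\s+=~\s+/(.*)/([a-z]*)\s*$")


def compile_perl(pattern, flags):
    """Compile a /pattern/flags pair; only the flags these rules use are mapped."""
    f = 0
    for ch in flags:
        f |= PERL_FLAGS[ch]
    return re.compile(pattern, f)


def load_rules(cf_text):
    """Parse body and header regex rules into {name: (header_or_None, regex)}."""
    rules = {}
    for line in cf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = BODY_RE.match(line)
        if m:
            name, pattern, flags = m.groups()
            rules[name] = (None, compile_perl(pattern, flags))
            continue
        m = HEADER_RE.match(line)
        if m:
            name, header, pattern, flags = m.groups()
            rules[name] = (header, compile_perl(pattern, flags))
    return rules


def run_rules(rules, message):
    """Return the names of the rules that fire on one message.

    `message` is {"Subject": str, "body": str}. SpamAssassin's body rules see
    rendered text with line breaks collapsed, which is approximated here.
    """
    body_text = " ".join(message["body"].split())
    hits = set()
    for name, (header, regex) in rules.items():
        target = body_text if header is None else message.get(header, "")
        if regex.search(target):
            hits.add(name)
    return hits


def false_positive_report(rules, ham_messages):
    """Count, per rule, how many known-good messages it fires on."""
    counts = {}
    for msg in ham_messages:
        for name in run_rules(rules, msg):
            counts[name] = counts.get(name, 0) + 1
    return counts


RULES = load_rules(RULES_CF)

# Constructed samples; the first body is the text quoted in Mike Fahey's post.
SPAM_SAMPLES = [
    {"Subject": "Grab yours while supplies last",
     "body": "C A 5N A D/1AN P 7 5H A RM A 9CY\n\nV / 7A G R \\A - $1.45\n"
             "S0 O M A - $0.67\n165 Items on S /AL \\E Today."},
    {"Subject": "February 77% OFF", "body": "See the link below for details."},
]
HAM_SAMPLES = [
    {"Subject": "Regulatory update: March 2008",
     "body": "Our Canadian pharmacy regulatory update covers the new labelling rules."},
    {"Subject": "March 50% OFF everything in store this weekend",
     "body": "Thanks for being a loyal customer."},
]

if __name__ == "__main__":
    for msg in SPAM_SAMPLES + HAM_SAMPLES:
        print(msg["Subject"], "->", sorted(run_rules(RULES, msg)))
    print("false positives on ham:", false_positive_report(RULES, HAM_SAMPLES))
```

Two things the run shows: CAN_PHAR only matches when the "i" of "Canadian" has been replaced by a digit or symbol, as in the sample, so plain "Canadian pharmacy" text in ham does not trip it; MO_PERCENT_OFF does fire on a legitimate retailer subject, which is the reason to give a subject-only rule a modest score rather than a decisive one.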





Re: Too false negative

2008-02-26 Thread mouss

Rocco Scappatura wrote:


  

Rocco Scappatura wrote:


[snip]


Sorry It was not the case to send the entire email.. Here the
X-Spam-Status  after running the message against 'spamassassin -D':

X-Spam-Status: Yes, score=11.2 required=5.0
tests=AWL,BAYES_50,HTML_MESSAGE,

RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SU
RBL,
URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=unavailable
version=3.2.4

But it is really strange from amavisd-new log I see that the message is
passed as clean:


  

the URL may have been added in $uri lists in the meantime. That said,
make sure Bayes is using the right "user". rerun spamassassin as the
amavisd user. if your Bayes db is in mysql, use
bayes_sql_override_username to force a single user.



X-Spam-Status: Yes, score=6.3 required=5.0 tests=AWL,BAYES_50,HTML_MESSAGE,

RATWARE_MS_HASH,RATWARE_OUTLOOK_NONAME,RDNS_NONE,URIBL_BLACK,URIBL_JP_SURBL,
URIBL_OB_SURBL,URIBL_SC_SURBL autolearn=unavailable version=3.2.4

What URL? What is $uri_list? 
URIBL, SURBL, ... etc. the message contains one or more URIs that are 
listed. but they may have been listed after you received the message 
which would explain why the message was not caught at reception time.


To make sure, copy one of the messages, remove the Delivered-To header 
at the top (if you leave it, you'll get a loop error from postfix) and 
resubmit the message for example using telnet:


% telnet yourserver 25
...
EHLO somehostname
...
MAIL FROM:
...
RCPT TO:
DATA
copy-paste the message with full headers except the Delivered-To that 
contains your recipient address

end with a line containing a dot ('.') like this:
.
QUIT

you can retrieve the  from the return-Path header, and the 
 from the Delivered-To header that you removed before 
resubmitting the message, or use any address you want.


make sure the message passes through amavisd-new (in case you submit 
from a "whitelisted" client).
If the client is not in your trusted_network, the test may pollute your 
AWL. you could disable AWL while testing.


when your receive the message, see if it was caught by the URI* tests.



I had already set bayes_sql_override_username:

[EMAIL PROTECTED]:/tmp> cat /etc/mail/spamassassin/local.cf | grep
bayes_sql_override_username
  


what's this? you should only have the following one:


bayes_sql_override_username amavis

Is it possible that there is a lack of spamhaus? I suppose that I query
the DNSBL much more then 100.000 times per day.. :-(

  


that doesn't explain the miss because the message is caught by other checks.

to test for spamhaus access, try
% host 2.0.0.127.zen.spamhaus.org
you should see something like this:
2.0.0.127.zen.spamhaus.org has address 127.0.0.2
2.0.0.127.zen.spamhaus.org has address 127.0.0.10
2.0.0.127.zen.spamhaus.org has address 127.0.0.4

if you are doing too many queries, you may need to pay.




Re: any rules for this?

2008-02-26 Thread McDonald, Dan

On Tue, 2008-02-26 at 13:15 -0800, Paul Douglas Franklin wrote:
> Here is what I'm trying:
> 
> body CAN_PHAR
> /c[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}a[\W\d]{0,4}d[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}p[\W\d]{0,4}h[\W\d]{0,4}a[\W\d]{0,4}r[\W\d]{0,4}m[\W\d]{0,4}a[\W\d]{0,4}c[\W\d]{0,4}y/i


Seems to me there was a generic GAPPY_TEXT rule Much like
GAPPY_SUBJECT in the current ruleset.  It would probably be a better fit
than being quite so specific.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: Too false negative

2008-02-26 Thread Rocco Scappatura

> % telnet yourserver 25
> ...
> EHLO somehostname
> ...
> MAIL FROM:
> ...
> RCPT TO:
> DATA
> copy-paste the message with full headers except the Delivered-To that
> contains your recipient address
> end with a line containing a dot ('.') like this:
> .
> QUIT

In fact I get:

Feb 26 23:07:50 av4 amavis[17589]: (17589-03) Blocked SPAM,
[] [] <[EMAIL PROTECTED]> -> <>,
quarantine: r/spam-rGPEbZ4mzhH4.gz, Message-ID:
<[EMAIL PROTECTED]>, mail_id: rGPEbZ4mzhH4, Hits: 7.193,
size: 4063, 1874 ms

And spammers are becoming faster as time goes on.. Is it
convenient to use grey listing or is there some other effective
technique that I could use to reduce false negatives?

Thanks,

rocsca



Re: Variable subject line spam.

2008-02-26 Thread fchan

Hi,
Yes, I have whitelist myself. I see it as that score without the whitelist.

Regards,
Frank


On 26/02/2008 3:21 PM, fchan wrote:

 Hi,
 Thank you Loren Wilton. I think this is best solution for me.
 These are not from Kohl's or any other legitimate  company. The subject
 changes from month to month and the percentages change but the format
 remains the same for the subject line. The body uses legitimate text
 taken from various webpages and have phishing link which also varies.
 The sender is  "me" but the Return-Path is the same name at different
 domain.
 I tried to attach the message but apache.org rejected it.


Which brings up the question, why are you having problems catching it?
Have you whitelisted yourself with whitelist_from?  Most of these I see
score around 20 or more.

Daryl




Re: Too false negative

2008-02-26 Thread McDonald, Dan

On Tue, 2008-02-26 at 23:14 +0100, Rocco Scappatura wrote:

> And spammers are becoming faster as time goes on.. Is it
> convenient to use grey listing or is there some other effective
> technique that I could use to reduce false negatives?

Grey-listing helps, but seldom because the URI/IP/body hash is added to
a suribl/rbl/razor .  Just confounding the BOT's that only try once is
enough to get rid of piles of SPAM.

-- 
Daniel J McDonald, CCIE #2495, CISSP #78281, CNX
Austin Energy
http://www.austinenergy.com





Re: Too false negative

2008-02-26 Thread mouss

Rocco Scappatura wrote:

% telnet yourserver 25
...
EHLO somehostname
...
MAIL FROM:
...
RCPT TO:
DATA
copy-paste the message with full headers except the Delivered-To that
contains your recipient address
end with a line containing a dot ('.') like this:
.
QUIT



Infact I get:

Feb 26 23:07:50 av4 amavis[17589]: (17589-03) Blocked SPAM,
[] [] <[EMAIL PROTECTED]> -> <>,
quarantine: r/spam-rGPEbZ4mzhH4.gz, Message-ID:
<[EMAIL PROTECTED]>, mail_id: rGPEbZ4mzhH4, Hits: 7.193,
size: 4063, 1874 ms

And spammers are becoming faster as time goes on.. Is it
convenient to use grey listing 


newer bots retry, so GL is only effective if the time interval is large 
enough, but that's not a neutral thing so it should be restricted to 
suspicious mail. That's what I use GL for anyway.



or is there some other effective
technique that I could use to reduce false negatives?

Thanks,

rocsca

  


the spam you showed has:

Received: from [125.128.59.158] (unknown [125.128.59.158]) 



which means the client is "unknown" and it helo'ed with a literal IP 
(it's from Korea too but let's ignore this). My postfix has a 
check_helo_access with a pcre:


/^\[/  reject_unknown_client, policy_greylist

This rejects mail if the client is unknown and helo's with a literal IP. 
I've not seen literal IPs in ham on an MX. Note that this test must not 
be applied on an MSA: MUAs like Thunderbird do helo with a literal IP.


The test is run before DNSBL checks, so it saves some cycles and reduces 
the load on DNSBL sites. These days, the test catches about 15% of mail 
rejected at MTA time.


Note that reject_unknown_client returns a temp error, but unlike GL, 
you'll need to whitelist the client if you want to accept his mail. If 
this is a real issue, just remove the reject_unknown_client part and 
leave the greylisting check.


But of course, this is mostly a temporary cure. If ratware learns to helo 
with a hostname, it won't be caught. But let's fight the spam of today 
for now ;-p
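As an added illustration (not part of mouss's post or of his Postfix setup), the following Python parses Postfix-style Received: lines like the one quoted above and reports what that check_helo_access entry would do to each client; it assumes policy_greylist is a restriction class the admin defined with check_policy_service, and all sample lines except the quoted one are constructed.

```python
import re

# Postfix writes "Received: from HELO (RDNS [IP])"; when the connecting IP has
# no PTR record the RDNS field is the literal word "unknown".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\)"
)

# The pcre map entry from the post, bracket escaped so PCRE compiles it:
#   /^\[/   reject_unknown_client, policy_greylist
HELO_IS_LITERAL_IP = re.compile(r"^\[")


def parse_received(line):
    """Return helo/rdns/ip from a Postfix-style Received: line, or None."""
    m = RECEIVED_RE.match(line.strip())
    return m.groupdict() if m else None


def helo_verdict(line, is_msa=False):
    """What the posted check_helo_access entry does to the client in `line`.

    'skip'     -- submission (MSA) port: never apply the test, MUAs such as
                  Thunderbird legitimately HELO with a literal IP
    'pass'     -- HELO is a hostname, the map entry does not match at all
                  (the "ratware learns to helo with a hostname" gap)
    'reject'   -- HELO is a literal IP and the client has no rDNS, so
                  reject_unknown_client fires (a temporary 4xx error)
    'greylist' -- HELO is a literal IP but rDNS exists, so the client falls
                  through to the assumed policy_greylist restriction class
    """
    if is_msa:
        return "skip"
    rcvd = parse_received(line)
    if rcvd is None:
        raise ValueError("not a Postfix-style Received: header")
    if not HELO_IS_LITERAL_IP.match(rcvd["helo"]):
        return "pass"
    return "reject" if rcvd["rdns"] == "unknown" else "greylist"


# The first line is the one quoted in the thread; the rest are constructed.
SAMPLES = {
    "Received: from [125.128.59.158] (unknown [125.128.59.158])": "reject",
    "Received: from [192.0.2.10] (mail.example.org [192.0.2.10])": "greylist",
    "Received: from mx.example.net (mx.example.net [198.51.100.7])": "pass",
    "Received: from bogus.example (unknown [203.0.113.5])": "pass",
}


def classify_samples():
    """Run every sample through the check; maps each line to its verdict."""
    return {line: helo_verdict(line) for line in SAMPLES}
```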









Re: SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)

2008-02-26 Thread Loren Wilton

Ok, here is a patch which fixes this specific (IPv6) problem until
someone has time to make SA completely v6 aware:

--- Mail/SpamAssassin/Message/Metadata/Received.pm.orig 2008-02-26 
17:28:28.0 +0100
+++ Mail/SpamAssassin/Message/Metadata/Received.pm 2008-02-26 
17:28:52.0 +0100

@@ -1208,7 +1208,8 @@
  $ip = Mail::SpamAssassin::Util::extract_ipv4_addr_from_string ($ip);
  if (!$ip) {
dbg("received-header: could not parse IPv4 address, assuming IPv6");
-return 0;   # ignore IPv6 handovers
+#return 0;   # ignore IPv6 handovers
+ $ip="0.0.0.0";
  }
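Review bot: the new sentinel `$ip="0.0.0.0";` replaces an early `return 0`, but nothing in this hunk shows how the code after it treats a relay whose address is 0.0.0.0 (trusted/internal network membership, later address checks), so please confirm that a zero address is handled as an untrusted hop and add a comment saying so, since the `dbg(...)` line above still reads "assuming IPv6" while the relay is now kept rather than ignored. Also drop the commented-out `#return 0;   # ignore IPv6 handovers` instead of leaving dead code, and align the indentation of the added `$ip` line with the surrounding `if` body.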


I'd suggest submitting this on the SA Bugzilla.  It will get lost here on 
the user's list.


I think I'd submit a *second* bug about how any failed received line parse 
causes all other headers to be trusted.  That certainly wasn't how it worked 
at at least one point in the past.


   Loren



Re: any rules for this?

2008-02-26 Thread Loren Wilton
This looks like a new version of the old Leo pill spams.  Catching those 
obfuscated things gets difficult since the spammers get VERY creative using 
HTML formatting to juggle the characters around in non-obvious ways.


About the best method of catching them currently is SURBL, since they almost 
always come from zombies, but do advertize a pills site.


   Loren



Re: Variable subject line spam.

2008-02-26 Thread Loren Wilton

Which brings up the question, why are you having problems catching it?
Have you whitelisted yourself with whitelist_from?  Most of these I see
score around 20 or more.


I've recently found it convenient to add a regex that is closer to 
blacklisting myself, since I generally don't send mail to myself.  And I 
certainly don't use it with a display name of Fred C. Vanderwhipple or 
whatever the spammer decided to put on it today.  If they are going to 
insult me by claiming I sent the spam, I'm going to add 30 points for the 
insult.


   Loren



Re: SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)

2008-02-26 Thread Daryl C. W. O'Shea
On 26/02/2008 11:07 AM, Stefan `Sec` Zehl wrote:
> Hi,
> 
> On Tue, Feb 26, 2008 at 15:56 +, Justin Mason wrote:
>> The fix would be to implement support for IPv6 trust paths:
>>
>> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4503
>> http://issues.apache.org/SpamAssassin/show_bug.cgi?id=4964
> 
> Ok, so you're telling me that not only is this bug known, but it went
> unfixed for over a year?

Yeah -- although I consider it a feature enhancement, not a bug... SA
just doesn't support IPv6.  Full blown IPv6 support has been on my list
of things I'd like to do for just over three years now.  bug 4964
describes at most half of what needs to be done to implement full
support for IPv6.

> I must admit that I don't know much of SAs internals or how hard it is
> to fix this "the correct way".
> 
> However a bug like that should have been fixed -- or at least worked
> around by now.

If you or your company would like to fund the development of it, I'm
willing to prioritize the work.  Seriously.  Otherwise, "should have by
now" does not apply to free software.  Especially free software that is
easily monetized by its users.  If the lack of a feature you want
doesn't bother anyone else enough to implement it the only one you can
expect to dedicate time or resources to the work is yourself.

> But then, I'm only a stupid user and who cares about those %)

That's absurd.  If we didn't care about users we wouldn't expend the
effort to support the software (which is often as much or more than the
effort spent actually developing the software) or implementing anything
that doesn't benefit us directly.  In the case of IPv6 (in SA), none of
us have had the need for it ourselves or perceived the need of it by
enough users being greater than the need for other things we've spent
our time on instead.

Daryl



Re: any rules for this?

2008-02-26 Thread Mike Fahey
For the ones I have seen I haven't been able to find a pattern. They tend to 
use letters in place of any character.
I'll look over this run and feed it some of the samples. Anyone else have 
thoughts?




Paul Douglas Franklin wrote:

Here is what I'm trying:

body CAN_PHAR /c[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}a[\W\d]{0,4}d[\W\d]{0,4}a[\W\d]{0,4}n[\W\d]{0,4}p[\W\d]{0,4}h[\W\d]{0,4}a[\W\d]{0,4}r[\W\d]{0,4}m[\W\d]{0,4}a[\W\d]{0,4}c[\W\d]{0,4}y/i



I believe I have stripped out all non-letters and then search for the
tip-off phrase.  But two of my recent rules gave me lots of FPs.  So
don't implement this without certainty that it is good.
Anyone see a problem with this?
--Paul

Mike Fahey wrote:

Does anyone have any rules for these?

C A 5N A D/1AN P 7 5H A RM A 9CY

V / 7A G R \A - $1.45
C 4/ A L / S - $2.26
S0 O M A - $0.67
L E7 V / T R A - $3.63
F E _MALE V 6/ A G \R 4A
U 8 L T 7R A M - $1.36
165 Items on S /AL \E Today.

Grab yours while supplies last
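As an added example (not code from the thread), the following Python generalizes Paul's rule: it builds the same letter-plus-filler regex for any phrase, reproduces his CAN_PHAR line exactly, and checks it against the quoted price-list lines and against constructed ham sentences to show the false-positive risk he mentions. The `optional` parameter is an addition of this example: a letter listed there may be absent, which is how the quoted spam renders "i" as "/" or "/1".

```python
import re

# Filler the posted rule allows between letters: up to four characters that
# are digits or non-word characters (spaces, punctuation). Note that '_' is a
# word character, so the quoted "F E _MALE" line slips past this filler.
FILLER = r"[\W\d]{0,4}"


def obfuscation_regex(phrase, optional=""):
    """Build a SpamAssassin-style body regex for an obfuscated phrase.

    Every letter of `phrase` must appear in order, separated by FILLER.
    Letters listed in `optional` may be missing, which covers the quoted
    spam's habit of drawing 'i' as '/' or '/1' (the posted rule gets the
    same effect by leaving the 'i' out of 'canadian' altogether).
    """
    letters = [c for c in phrase.lower() if c.isalpha()]
    parts = [c + "?" if c in optional else c for c in letters]
    return re.compile(FILLER.join(parts), re.IGNORECASE)


def sa_body_rule(name, phrase, optional=""):
    """Render the pattern as a one-line SpamAssassin 'body' rule."""
    return f"body {name} /{obfuscation_regex(phrase, optional).pattern}/i"


def hits(phrase, text, optional=""):
    return obfuscation_regex(phrase, optional).search(text) is not None


# Constructed samples: the first two lines follow the price list quoted in
# the thread, the other two are ordinary ham sentences.
SPAM = ["C A 5N A D/1AN P 7 5H A RM A 9CY", "S0 O M A - $0.67"]
HAM = ["I have so many meetings this week", "Please send the pharmacy invoice"]


def false_positives(phrase, optional=""):
    """Ham lines the rule for `phrase` would hit. A long phrase is safe; a
    four-letter drug name like 'soma' is not ('so many' matches it)."""
    return [line for line in HAM if hits(phrase, line, optional)]
```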




Re: cannot open bayes databases Interrupted system call

2008-02-26 Thread Mike Fahey
This page specifically uses /etc/mail/spamassassin. I believe it's 
hardware related, as other machines work fine.


Does anyone else have any tweaks for global bayes ?





Matt Kettler wrote:

Mike Fahey wrote:

I'm using site wide Bayesian Filtering.
These files can become very large anywhere from 200mb to 2gb.

Looking at 
http://wiki.apache.org/spamassassin/SiteWideBayesSetup?highlight=%28bayes%29 


it says to set the bayes_path to
/etc/mail/spamassassin/bayes

What do you suggest?
I'd suggest something in /var, preferably not a subdirectory of your 
rule directories, i.e. /var/spamassassin/bayes/bayes


Make sure said directory is world rwx. (This part is why you don't 
want it in your /etc/mail/spamassassin.)


Re: Lots Of SPAM

2008-02-26 Thread Chris
On Tuesday 26 February 2008 6:15 am, Tarak Ranjan wrote:
> Hi List,
> i have posted my RAW email in http://pastebin.ca/918849 ,
> i'm receiving 1000 to 4000 per day this king of mesages.
> SA also skipping this kind of mails
>
> /
> TArak

Here's how my box scored it:

Content analysis details:   (36.5 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=121.23.229.225,maildomain=adesso.de,nordns]
 4.5 LOGINHASH              BODY: iXhash says its spam
 2.5 IXHASH                 BODY: iXhash says its spam
 2.5 LOGINHASH2             BODY: iXhash says its spam
 3.7 PYZOR_CHECK            Listed in Pyzor (http://pyzor.sf.net/)
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [cpollock 1117; Body=3 Fuz1=3 Fuz2=many]
  10 CLAMAV                 Clam AntiVirus detected a virus
 0.0 DIGEST_MULTIPLE        Message hits more than one network digest check
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 1.0 SAGREY                 Adds 1.0 to spam from first-time senders

-- 
Chris
KeyID 0xE372A7DA98E6705C




Re: cannot open bayes databases Interrupted system call

2008-02-26 Thread Matt Kettler

Mike Fahey wrote:

This page specifically uses /etc/mail/spamassassin.
Yeah, I read that the first time. It is wrong.  In fact, I'd say it's 
stupid.


I'll go edit the wiki article when I get a chance, but I want to have 
some time to really sit down and do an extensive rewrite there. There are 
a lot of facts that should be there, which aren't.


If nothing else, there needs to be NO OTHER FILES starting with "bayes" 
in your /etc/mail/spamassassin for that to work! If you've got a 
bayes_rescore.cf in there, you're going to break.


Also, /etc/ isn't intended to store data that changes constantly. It is 
completely contrary to the Unix philosophy to store a database here.


Therefore, using all possible strength, and all possible expertise that 
my position as a member of the SpamAssassin Project Management Committee 
conveys, I strongly advise not following the advice of that wiki 
article. At least as far as using "bayes_path /etc/mail/spamassassin/bayes".







I believe it's hardware related, as other machines work fine.
It could be rights related.. what are the permissions on 
/etc/mail/spamassassin/? Is it world rwx (dangerous!)?


It could also be related to a file starting with bayes in there that's 
not a part of the bayes DB..


ls /etc/mail/spamassassin/bayes*

Is there anything but bayes_seen, bayes_toks and bayes_journal?





Does anyone else have any tweaks for global bayes ?


Yeah, put it in its own directory, and not in /etc/.
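As an added check written for this thread (not part of SpamAssassin), the Python below audits a bayes_path value for the three problems Matt raises here and in his earlier reply: a database under /etc, stray bayes* files such as bayes_rescore.cf beside it, and directory permissions; demo_layout builds a constructed sample directory to run it against. Tolerating dot-suffixed names like bayes.lock is an assumption about SA's lock files, not something the thread states.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files the DBM Bayes store keeps under the bayes_path prefix. Lock/mutex
# files that SA creates while running are assumed to use a dot (bayes.lock).
DB_SUFFIXES = {"_seen", "_toks", "_journal"}


def check_bayes_path(bayes_path):
    """Audit a bayes_path value against the advice in this thread.

    Findings (empty list == no complaint):
      in_etc                  bayes_path lives under /etc, meant for static config
      stray:<file>            shares the prefix but is not part of the DB
                              (e.g. bayes_rescore.cf), which Matt says breaks it
      rule_dir_world_writable directory is under /etc *and* world writable
      dir_not_world_writable  a dedicated shared directory that is not world
                              rwx, which Matt says the site-wide setup needs
    """
    path = Path(bayes_path)
    in_etc = path.parts[:2] == ("/", "etc")
    findings = ["in_etc"] if in_etc else []
    directory, prefix = path.parent, path.name
    if not directory.is_dir():
        return findings
    for entry in sorted(directory.iterdir()):
        if not entry.name.startswith(prefix):
            continue
        suffix = entry.name[len(prefix):]
        if suffix not in DB_SUFFIXES and not suffix.startswith("."):
            findings.append(f"stray:{entry.name}")
    world_writable = bool(directory.stat().st_mode & stat.S_IWOTH)
    if in_etc and world_writable:
        findings.append("rule_dir_world_writable")
    if not in_etc and not world_writable:
        findings.append("dir_not_world_writable")
    return findings


def demo_layout(with_stray=True, world_writable=True):
    """Constructed sample: a fresh temp dir laid out like the thread's setup."""
    root = tempfile.mkdtemp(prefix="sa-bayes-demo-")
    for name in ("bayes_seen", "bayes_toks", "bayes_journal"):
        Path(root, name).touch()
    if with_stray:
        Path(root, "bayes_rescore.cf").touch()  # the file Matt warns about
    os.chmod(root, 0o1777 if world_writable else 0o750)
    return os.path.join(root, "bayes")
```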




Re: mysql userpref not fetching whitelist_from

2008-02-26 Thread Michael Thomas

Daryl C. W. O'Shea wrote:

On 23/02/2008 9:46 AM, Mike wrote:
  

A clue perhaps is that for some reason the default config file
/etc/mail/spamassassin/local.cf is being read despite the use of -C. (I
know this since it has custom rules not present in the config I am using
to test the mysql userprefs).



I'd resolve that issue first.  Things will be easier to troubleshoot
once you have it reading the config files that you want it to. :)

-C (--configpath) is not the equivalent of --siteconfigpath (which
controls where to read your local.cf, etc. files from).  -C sets the
path for the default rules.
  


That was it. Misread the man pages. --siteconfig did the trick.

Thanks.



Daryl

  




Bug or by design behaviour with Perl interface.

2008-02-26 Thread Oscar H.

Hello,

   I'm using the Perl interface of SA in a shared hosting environment. We do
not use the standard SA filtering from the hosting company; what we do is create
a filter in cPanel and pipe to a Perl script to do the spam check. The script
works as expected, but has a problem when using these 2 functions:

$spam_assassin->add_all_addresses_to_whitelist ( $sa_message ) 
$spam_assassin->add_all_addresses_to_blacklist ( $sa_message )

  These functions perform a print for each added/removed address, like:

  SpamAssassin auto-whitelist: adding address to whitelist: [EMAIL PROTECTED]
  SpamAssassin auto-whitelist: adding address to whitelist: [EMAIL PROTECTED]

  This print command is done by the AWL plugin regardless of whether the debug
option is set or not (lines 456 to 459):

if ($whitelist->add_known_good_address($args->{address})) {
  print "SpamAssassin auto-whitelist: adding address to whitelist: " .
        $args->{address} . "\n";
  $status = 1;
}

  The 'problem' is that this print command makes messages fail on delivery.
My guess is that any output to STDOUT while filtering a mail message is
interpreted by the MTA (Exim in my case) as a failure:

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  pipe to |/usr/bin/perl /home/.../safilter.pl
generated by [EMAIL PROTECTED]

The following text was generated during the delivery attempt:

-- pipe to |/usr/bin/perl /home/.../safilter.pl
   generated by [EMAIL PROTECTED] --
SpamAssassin auto-whitelist: adding address to whitelist: [EMAIL PROTECTED]
SpamAssassin auto-whitelist: adding address to whitelist: [EMAIL PROTECTED]
-- This is a copy of the message, including all the headers. --
. . . 

  I must say that everything else works fine; this Delivery Failure is, let's
say, "extra". The script finds and delivers the user's original message back
and SA is retrained per message.

  If I comment out the line with "$spam_assassin->add_all_addresses_to_whitelist
( $sa_message )" there is no delivery failure message, but obviously no
messages get whitelisted.

  At this time I'm using this delivery failure as a 'confirmation' that the
process was done, but it is something I do not expect or want.

  This delivery error is similar to the one received when you send via SMTP
with the debug flag set to 1. There the text generated is the whole connection
process and the delivery error is expected; in my case, the text is from the
AWL plugin print command and the delivery error is not expected.

  I don't know if this print command should be done only if the debug flag in
SA is set, or if by design the print command is always done.

  Unfortunately in shared hosting there is no way to modify the line that
prints added/removed addresses.

  Has somebody else noticed this, or does anyone know how to add/remove
addresses? I don't want to use the user_prefs for this.

  Should I file this issue as a bug or a request?

  TIA, Oscar.
  
  



Re: Bug or by design behaviour with Perl interface.

2008-02-26 Thread Daryl C. W. O'Shea
On 26/02/2008 9:33 PM, Oscar H. wrote:
>   This print command is done by AWL plugin regardless debug option is set or
> not:
> (lines are 456 to 459)
> if ($whitelist->add_known_good_address($args->{address})) {
>   print "SpamAssassin auto-whitelist: adding address to whitelist: " .
> $args->{address} . "\n";
>   $status = 1;
> }

>   Should I have to place this issue as a bug or request ?

Yes, please open a bug at http://issues.apache.org/SpamAssassin/

Daryl



Quick Postfix Question [OT]

2008-02-26 Thread Marc Perkel

Postfix allows you to use blacklists as follows:

reject_rbl_client blacklist.junkemailfilter.com

Does Postfix allow you to use white lists? If so - what's the syntax? 
I'm about to publish my whitelist for Postfix.




Re: HABEAS_ACCREDITED_COI

2008-02-26 Thread ram
On Tue, 2008-02-26 at 08:49 +, Anthony Peacock wrote:
> Hi,
> 
> I have just received a number of spam emails which got through the 
> filtering system because they hit the HABEAS_ACCREDITED_COI rule, which 
> give them -8.  They all came to role based addresses that are never used 
> to outgoing emails and would certainly never be subscribed to opt in 
> email lists.
> 
> I have had a look around the http://www.habeas.com/ website and can't 
> really see how to check the company in question, or make a complaint. 
> There is a form for asking them to ask the company to remove these 
> addresses from their mailing list, but I don't want to have to do that, 
> I want to complain about the company.
> 
> Does anyone know anything about this.  At this stage I am planning on 
> changing the score for all HABEAS_ACCREDITED_??? rules to 0, to make 
> them neutral to the score.
> 

Please give me the domain name, I will block it at my MTA