RE: Too false negative
> > And spammers are becoming faster as time goes on.. Is it convenient to use gray listing
> newer bots retry, so GL is only effective if the time interval is large enough, but that's not a neutral thing so should be restricted to suspicious mail. That's what I use GL for anyway.

What do I need to set up GL? Only the command below or is there some other parameter that I could set up (eg: the time spent before a message is accepted and so on)?

> the spam you showed has:
>
>   Received: from [125.128.59.158] (unknown [125.128.59.158])
>
> which means the client is unknown and it helo'ed with a literal IP (it's from Korea too but let's ignore this). My postfix has a check_helo_access with a pcre:
>
>   /^\[/ reject_unknown_client, policy_greylist
>
> This rejects mail if the client is unknown and helo's with a literal IP.

It's very interesting.. In what restriction do I have to put the rules above?

> I've not seen literal IPs in ham on an MX. Note that this test must not be applied on an MSA: MUAs like Thunderbird do helo with a literal IP.

In fact.. Indeed I'm not using MSA.. So this complicates things.. :-(

> The test is run before DNSBL checks, so it saves some cycles and reduces the load on DNSBL sites. these days, the test catches about 15% of mail rejected at MTA time. Note that reject_unknown_client returns a temp error, but unlike GL, you'll need to whitelist the client if you want to accept his mail). if this is a real issue, just remove the reject_unknown_client part and leave the greylisting check. but

So you are saying that I have to WL the client that presents himself to my server with an IP rather than a hostname? And how could I whitelist that client?

> of course, this is mostly a temporary cure. if ratware learns to helo with a hostname, it won't be caught. but let's fight the spam of today for now ;-p

I agree with.. Compliments for your exhaustive argumentation..

rocsca
Re: HABEAS_ACCREDITED_COI
Hi,

ram wrote:
> On Tue, 2008-02-26 at 08:49 +, Anthony Peacock wrote:
> > Hi,
> >
> > I have just received a number of spam emails which got through the filtering system because they hit the HABEAS_ACCREDITED_COI rule, which gives them -8. They all came to role based addresses that are never used for outgoing emails and would certainly never be subscribed to opt in email lists.
> >
> > I have had a look around the http://www.habeas.com/ website and can't really see how to check the company in question, or make a complaint. There is a form for asking them to ask the company to remove these addresses from their mailing list, but I don't want to have to do that, I want to complain about the company.
> >
> > Does anyone know anything about this?
> >
> > At this stage I am planning on changing the score for all HABEAS_ACCREDITED_??? rules to 0, to make them neutral to the score.
>
> Please give me the domain name, I will block it at my MTA

For anyone interested here is the full email (well one of them)...

http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml

-- 
Anthony Peacock
CHIME, Royal Free University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study at CHIME in 2008. http://www.chime.ucl.ac.uk/study-health-informatics/
Re: rule checking environment variable
On 26.02.08 19:20, Miguel Angel wrote:
> They are getting high score because they are using dynamic ip ranges and they match rbl lists.

If you relay mail from your dynamic addresses w/o authentication, they should be in your trusted_networks. Then they'll get ALL_TRUSTED and probably DOS_*_TO_MX, unless it's clear that they used SMTP authentication.

Since you mentioned that they are authenticated, those mails probably miss the auth info, or possibly the SA doesn't use it. So, it's again about valid auth info in Received: headers.

> On 26.02.08 14:51, Miguel Angel wrote:
> > i am using spamassassin 3.2.3 with qmail and simscan, the problem i have it is that my authenticated smtp users have any mails rejected because of a high score,
>
> Matus UHLAR - fantomas wrote:
> > do they get high score because of the authentication or are they catching something like DOS_*_TO_MX? Proper authentication data in Received: headers should make SA know that the client was trusted and not to catch that rule...

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Atheism is a non-prophet organization.
Re: Too false negative
Rocco Scappatura wrote:
> > > And spammers are becoming faster as time goes on.. Is it convenient to use gray listing
> > newer bots retry, so GL is only effective if the time interval is large enough, but that's not a neutral thing so should be restricted to suspicious mail. That's what I use GL for anyway.
>
> What do I need to set up GL? Only the command below or is there some other parameter that I could set up (eg: the time spent before a message is accepted and so on)?

of course, you need to install a policy server! Cami's policyd is a good choice (it also has other features such as throttling, blacklisting, ... etc). for postfix config see below.

> > the spam you showed has:
> >
> >   Received: from [125.128.59.158] (unknown [125.128.59.158])
> >
> > which means the client is unknown and it helo'ed with a literal IP (it's from Korea too but let's ignore this). My postfix has a check_helo_access with a pcre:
> >
> >   /^\[/ reject_unknown_client, policy_greylist
> >
> > This rejects mail if the client is unknown and helo's with a literal IP.
>
> It's very interesting.. In what restriction do I have to put the rules above?

see below.

> > I've not seen literal IPs in ham on an MX. Note that this test must not be applied on an MSA: MUAs like Thunderbird do helo with a literal IP.
>
> In fact.. Indeed I'm not using MSA.. So this complicates things.. :-(

Not really, because when using port 25, submitted mail is whitelisted via permit_mynetworks, permit_sasl_authenticated. Here is a restrictions example.

  smtpd_recipient_restrictions =
      # allow submission via port 25
      permit_mynetworks
      permit_sasl_authenticated
      # no relay from here
      reject_unauth_destination
      # non fqdn addresses are not valid
      reject_non_fqdn_sender
      reject_non_fqdn_recipient
      # recipient BL and WL, traps, spamlovers ...
      check_recipient_access ${pcre_prefix}/recipient_acl
      check_recipient_access ${hash_prefix}/recipient_acl
      # sender BL
      check_sender_access ${pcre_prefix}/sender_acl
      # address validation
      reject_unlisted_recipient
      reject_unlisted_sender
      # site client WL and BL
      check_client_access ${cidr_prefix}/client_acl
      check_client_access ${hash_prefix}/client_acl
      # DNSWL
      check_client_access ${cidr_prefix}/dnswl/postfix-dnswl-permit
      reject_invalid_helo_hostname
      # this may catch misconfigured MTAs:
      reject_non_fqdn_helo_hostname
      # obvious helo forgery (our domain, our IP, ...)
      check_helo_access ${hash_prefix}/helo_acl
      # helo discrepancies
      check_helo_access ${pcre_prefix}/helo_acl
      # if we can't reach them, reject them
      reject_unknown_sender_domain
      # block bogus MX, tld wildcard MX, ...
      check_sender_mx_access ${cidr_prefix}/sender_mx_acl
      # DNSBL checks
      reject_rbl_client ...

  smtpd_restriction_class = policy_greylist ...

  policy_greylist = check_policy_service inet:127.0.0.1:10031

the variables like cidr_prefix are defined like this:

  cidr_prefix = cidr:/etc/postfix/maps/cidr
  ...

If you want to avoid further checks when greylisting, you need to configure the policy service to return DEFER instead of DEFER_IF_PERMIT.

> > The test is run before DNSBL checks, so it saves some cycles and reduces the load on DNSBL sites. these days, the test catches about 15% of mail rejected at MTA time. Note that reject_unknown_client returns a temp error, but unlike GL, you'll need to whitelist the client if you want to accept his mail). if this is a real issue, just remove the reject_unknown_client part and leave the greylisting check. but
>
> So you are saying that I have to WL the client that presents himself to my server with an IP rather than a hostname?

I don't understand. you only need to whitelist a client if you want to accept his mail _and_ he triggers one of your checks.

if you have a doubt, use this for some time:

  /^\[/ warn_if_reject reject_unknown_client, policy_greylist

and check your logs during some period to see if you get legitimate clients using a literal IP and triggering reject_unknown_client.

> And how could I whitelist that client?

see above (the .../client_acl lines). but if you find yourself whitelisting many clients, then it's time to remove the check instead. manual whitelisting is only good if it is rare.

Aren't we getting OT?
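A minimal greylisting policy service of the kind that the post's check_policy_service inet:127.0.0.1:10031 line delegates to, written here as an added example (it is not policyd and not mouss's code): it speaks the Postfix policy delegation protocol, keys on the client/sender/recipient triplet, and returns either DEFER_IF_PERMIT or DEFER as the post discusses. The request text, addresses and delay are constructed for the example.

```python
import socketserver
import time
from typing import Dict, Tuple

# Postfix policy delegation protocol: the server receives "name=value" lines
# terminated by an empty line and answers "action=<verdict>" plus an empty line.


def parse_policy_request(raw: str) -> Dict[str, str]:
    """Parse one Postfix policy request into a dict of attributes."""
    attrs: Dict[str, str] = {}
    for line in raw.splitlines():
        if not line:
            break  # the empty line ends the request
        name, sep, value = line.partition("=")
        if sep:
            attrs[name.strip()] = value.strip()
    return attrs


class Greylist:
    """Triplet greylisting: (client_address, sender, recipient).

    A triplet seen for the first time is deferred; once the client retries
    after `delay` seconds the mail is let through (DUNNO, so later
    restrictions still run). `final=True` answers DEFER instead of
    DEFER_IF_PERMIT, which stops Postfix from evaluating further restrictions
    (the trade-off the post mentions). State is kept in memory only.
    """

    def __init__(self, delay: int = 300, final: bool = False) -> None:
        self.delay = delay
        self.action = "DEFER" if final else "DEFER_IF_PERMIT"
        self.first_seen: Dict[Tuple[str, str, str], int] = {}

    def verdict(self, attrs: Dict[str, str], now: int) -> str:
        if attrs.get("request") != "smtpd_access_policy":
            return "DUNNO"  # not an SMTP access request: no opinion
        key = (attrs.get("client_address", ""),
               attrs.get("sender", "").lower(),
               attrs.get("recipient", "").lower())
        seen = self.first_seen.setdefault(key, now)
        if now - seen >= self.delay:
            return "DUNNO"  # retried after the delay: accept
        return f"{self.action} 4.7.1 Greylisted, try again later"

    def handle(self, raw: str, now: int) -> str:
        """Full protocol round trip: request text in, response text out."""
        return f"action={self.verdict(parse_policy_request(raw), now)}\n\n"


class PolicyHandler(socketserver.StreamRequestHandler):
    """Serve one Postfix connection; several requests may arrive on it."""

    greylist = Greylist()  # shared across connections

    def handle(self) -> None:
        while True:
            lines = []
            for line in self.rfile:
                text = line.decode("utf-8", "replace").rstrip("\r\n")
                if not text:
                    break
                lines.append(text)
            if not lines:
                return  # peer closed the connection
            reply = self.greylist.handle("\n".join(lines) + "\n\n", int(time.time()))
            self.wfile.write(reply.encode())
            self.wfile.flush()


# Constructed request: an unknown client that HELOs with a literal IP,
# the case the thread is about (192.0.2.0/24 is a documentation range).
REQUEST = (
    "request=smtpd_access_policy\n"
    "protocol_state=RCPT\n"
    "client_address=192.0.2.10\n"
    "client_name=unknown\n"
    "helo_name=[192.0.2.10]\n"
    "sender=bulk@example.org\n"
    "recipient=user@example.net\n"
    "\n"
)

if __name__ == "__main__":
    # Port matches the post's check_policy_service inet:127.0.0.1:10031
    with socketserver.TCPServer(("127.0.0.1", 10031), PolicyHandler) as srv:
        srv.serve_forever()
```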
Re: rule checking environment variable
> On 26.02.08 19:20, Miguel Angel wrote:
> > They are getting high score because they are using dynamic ip ranges and they match rbl lists.
>
> If you relay mail from your dynamic addresses w/o authentication, they should be in your trusted_networks. Then they'll get ALL_TRUSTED and probably DOS_*_TO_MX, unless it's clear that they used SMTP authentication.
>
> Since you mentioned that they are authenticated, those mails probably miss the auth info, or possibly the SA doesn't use it. So, it's again about valid auth info in Received: headers.
>
> > On 26.02.08 14:51, Miguel Angel wrote:
> > > i am using spamassassin 3.2.3 with qmail and simscan, the problem i have it is that my authenticated smtp users have any mails rejected because of a high score,
> >
> > Matus UHLAR - fantomas wrote:
> > > do they get high score because of the authentication or are they catching something like DOS_*_TO_MX? Proper authentication data in Received: headers should make SA know that the client was trusted and not to catch that rule...

i have got the solution with simscan, it has a configure option to not scan authenticated smtp sends, checking an environment variable.

Thanks.

Regards,
Miguel Angel.
Re: HABEAS_ACCREDITED_COI
On Wed, 2008-02-27 at 08:21 +, Anthony Peacock wrote:
> For anyone interested here is the full email (well one of them)...
>
> http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml

Looks to me as though someone has found a way to abuse ning.com's platform/systems. I suspect they'd be very interested in knowing about this.

Derek
Re: Email with no hits and required
Hi Jason,

> This is and always has been documented behaviour in Qmail-Scanner. Please read the FAQ

I tried to find the link but I have not found it. Could you send me the right link?

Cheers
-- 
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
It's easier to invent the future than to predict it. -- Alan Kay
Re: HABEAS_ACCREDITED_COI
On 26.02.08 11:18, Igor Chudov wrote:
> If I recall correctly... This Habeas is some sort of a braindead business idea to insert an unauthenticated header in bodies of legitimate emails coming from their customers, to assure spam filters that the email is legitimate.

afaiuc, Habeas is sort of a copyrighted guarantee that the (bulk) e-mail is not spam, and if it is, Habeas will sue the infringer for violating the copyright. I like the idea of suing spammers...

> In any case, I have everything that mentions http://www.h a b e a s.com, go into my garbage folder, that's where I saw your message when I was reviewing it.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
He who laughs last thinks slowest.
Re: Spamd and SpamAssassin scoring very different scores
On 26.02.08 11:56, Russell Jones wrote:
> For some reason spamd is not scoring email nearly as high as spamassassin scores if you run the message through manually. I do not understand this, and it is causing spam to get through that should have been blocked. As you can see when running spamassassin manually it scored it a 7.5, but spamd scored it only a 4.5 when it first came in. Below is the message spamassassin shows when I run it through manually, and you can see the original email as well as the original score spamd gave it towards the bottom of the message.
>
> X-Spam-Status: Yes, score=7.5 required=5.0 tests=BAYES_50,RCVD_IN_PBL,
>   RCVD_IN_XBL,RDNS_NONE,URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL
>   autolearn=disabled version=3.2.0
>
> 3.0 RCVD_IN_XBL  RBL: Received via a relay in Spamhaus XBL
>
> X-Spam-Status: No, score=4.5 required=5.0 tests=BAYES_50,RCVD_IN_PBL,RDNS_NONE,
>   URIBL_JP_SURBL,URIBL_SC_SURBL,URIBL_WS_SURBL autolearn=disabled version=3.2.0
>
> Received: from localhost by server1.eggycrew.com with SpamAssassin (version 3.2.0); Tue, 26 Feb 2008 11:43:09 -0600

the only difference is RCVD_IN_XBL. checking XBL reveals that the IP (60.10.108.162) was listed in XBL after it appeared in CBL, which was at 2008-02-26 11:00 GMT (+/- 30 minutes) - 6 hours after the mail entered your mailserver and was checked by SA. When you manually checked it again, the address was in XBL, which meant 3 points more.

Many rules start hitting after some delay, mostly network tests. You can delay receiving messages for some time (12 hours) if you want higher scores ;-)

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Depression is merely anger without enthusiasm.
Re: Quick Postfix Question [OT]
Marc Perkel wrote:
> Postfix allows you to use blacklists as follows:
>
>   reject_rbl_client blacklist.junkemailfilter.com
>
> Does Postfix allow you to use white lists? If so - what's the syntax? I'm about to publish my whitelist for Postfix.

No. DNSWL offer an rsync access. This is better for performance and for DoS.

for postfix related questions, please use the postfix-users list.
Re: failed spf_helo_softfail in SA
On 26.02.08 19:30, aritza sobrinos wrote:
> I'm getting false positives like this:
>
>   X-Spam-Status: Yes, score=3.776 tag=x tag2=3.5 kill=3.5 tests=[BAYES_50=0.001,
>     HTML_10_20=0.246, HTML_MESSAGE=0.001, HTML_SHORT_LENGTH=0.389,
>     SPF_HELO_SOFTFAIL=3.14, SPF_PASS=-0.001]
>
> SPF_HELO_SOFTFAIL and SPF_PASS in the same mail, is this ok? It happens only for one domain; other SPF works correctly, only with pass.

yes. SPF_HELO_* is related to the HELO string, while SPF_PASS is related to the from address, both in relation to the sender's IP/hostname.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
I drive way too fast to worry about cholesterol.
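To show how the two results coexist, here is an added toy evaluator (not SpamAssassin's SPF plugin and not from the post) that checks the connecting IP against the SPF record of the HELO name and, separately, against the record of the envelope-from domain, which is what the SPF_HELO_* and SPF_* rules report. The records, hostnames and IP are constructed, and only the ip4: and all mechanisms are modelled.

```python
import ipaddress
from typing import Dict, List

# Constructed SPF records for the two identities SpamAssassin checks separately.
SPF_RECORDS: Dict[str, str] = {
    "mail.example.org": "v=spf1 ip4:192.0.2.0/24 ~all",   # HELO hostname
    "example.com": "v=spf1 ip4:198.51.100.25 -all",       # envelope-from domain
}

# Mechanism qualifier -> SPF result name.
RESULT_FOR_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def check_spf(domain: str, ip: str, records: Dict[str, str] = SPF_RECORDS) -> str:
    """Evaluate an ip4/all-only SPF record for one identity (domain)."""
    record = records.get(domain.lower())
    if record is None:
        return "none"  # no SPF record published for this name
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    addr = ipaddress.ip_address(ip)
    for term in terms[1:]:
        qualifier = "+"  # default qualifier when none is given
        if term[0] in RESULT_FOR_QUALIFIER:
            qualifier, term = term[0], term[1:]
        mech = term.lower()
        if mech == "all":
            matched = True
        elif mech.startswith("ip4:"):
            matched = addr in ipaddress.ip_network(term[4:], strict=False)
        else:
            continue  # other mechanisms/modifiers are not modelled here
        if matched:
            return RESULT_FOR_QUALIFIER[qualifier]
    return "neutral"  # no mechanism matched


def sa_spf_rules(helo_name: str, mail_from: str, client_ip: str) -> List[str]:
    """Rule names SpamAssassin would fire: one for HELO, one for MAIL FROM."""
    helo_result = check_spf(helo_name, client_ip)
    from_domain = mail_from.rsplit("@", 1)[-1]
    from_result = check_spf(from_domain, client_ip)
    return [f"SPF_HELO_{helo_result.upper()}", f"SPF_{from_result.upper()}"]


if __name__ == "__main__":
    # The thread's case: the HELO name's record does not list the sending IP
    # (softfail) while the envelope-from domain's record does (pass).
    print(sa_spf_rules("mail.example.org", "user@example.com", "198.51.100.25"))
```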
Re: HABEAS_ACCREDITED_COI
On 2/27/2008 10:16 AM, Derek Harding wrote:
> On Wed, 2008-02-27 at 08:21 +, Anthony Peacock wrote:
> > For anyone interested here is the full email (well one of them)...
> >
> > http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml
>
> Looks to me as though someone has found a way to abuse ning.com's platform/systems. I suspect they'd be very interested in knowing about this.

and while we're off topic, more HABEAS certified UCE

  Received: from diamond.jangomail.com ([216.82.113.103])
  Accreditor: Habeas
  X-Habeas-Report: Please report use of this mark in spam to http://www.habeas.com/report/
  Subject: [***SPAM***] 0.03/g weekly 50% off on all servers at wowmine
  Sender: WoWMine Coupon Code [EMAIL PROTECTED]
  From: WoWMine Coupon Code [EMAIL PROTECTED]

Blizzard says selling WOW Gold is illegal. http://www.worldofwarcraft.com/legal/termsofuse.html

  Accordingly, you may not sell items for real money or otherwise exchange items for value outside of the Game.

the msg was totally unsolicited.

AXB
Re: HABEAS_ACCREDITED_COI
Derek Harding writes:
> On Wed, 2008-02-27 at 08:21 +, Anthony Peacock wrote:
> > For anyone interested here is the full email (well one of them)...
> >
> > http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml
>
> Looks to me as though someone has found a way to abuse ning.com's platform/systems. I suspect they'd be very interested in knowing about this.

yep. Ning is essentially a platform for social networks, and I guess it can send mail. this appears to be the form to report spam: http://help.ning.com/?page_id=27

--j.
Re: HABEAS_ACCREDITED_COI
> http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml

disabling the DomainKey plugin and adding the DKIM plugin will help on that msg, and search on DKIM mta scores for not being sent from a DKIM signer
Re: HABEAS_ACCREDITED_COI
Hi Benny,

Benny Pedersen wrote:
> > http://www.chime.ucl.ac.uk/~rmhiajp/habeas-misfire.eml
>
> disabling the DomainKey plugin and adding the DKIM plugin will help on that msg, and search on DKIM mta scores for not being sent from a DKIM signer

I will have a look at this. But I have already made sufficient changes to stop those messages, by disabling all of the habeas.com tests.

-- 
Anthony Peacock
CHIME, Royal Free University College Medical School
WWW: http://www.chime.ucl.ac.uk/~rmhiajp/
Study at CHIME in 2008. http://www.chime.ucl.ac.uk/study-health-informatics/
Re: Too false negative
policyd works a treat :) V2 is also in development as well.

Regards,
-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- Rocco Scappatura [EMAIL PROTECTED] wrote:
> > > What do I need to set up GL? Only the command below or is there some other parameter that I could set up (eg: the time spent before a message is accepted and so on)?
> >
> > of course, you need to install a policy server! Cami's policyd is a good choice (it also has other features such as throttling, blacklisting, ... etc). for postfix config see below.
>
> I already saw it quickly.. I hope its usage is not too 'invasive' with my current system.. Anyway I will try to use it and I let you know..
>
> Thanks,
>
> rocsca
Re: Too false negative
--[ UxBoD ]-- wrote:
> policyd works a treat :) V2 is also in development as well.

it's not the same. I don't know why they call it V2. As far as I know, Cami is no more involved. so I would stick with the current (which is a single C threaded program).
RE: Too false negative
> policyd works a treat :) V2 is also in development as well.

I will take your judgement into account.. :-)

rocsca
RE: Too false negative
> > What do I need to set up GL? Only the command below or is there some other parameter that I could set up (eg: the time spent before a message is accepted and so on)?
>
> of course, you need to install a policy server! Cami's policyd is a good choice (it also has other features such as throttling, blacklisting, ... etc). for postfix config see below.

I already saw it quickly.. I hope its usage is not too 'invasive' with my current system.. Anyway I will try to use it and I let you know..

Thanks,

rocsca
Re: Quick Postfix Question [OT]
Matthias Leisi wrote:
> mouss wrote:
> | Does Postfix allow you to use white lists? If so - what's the syntax?
> | I'm about to publish my whitelist for Postfix.
> |
> |
> | No. DNSWL offer an rsync access.
>
> That's the exact reason we offer rsync access *to a specially formatted file* (see http://www.dnswl.org/tech#postfix and http://groups.google.com/group/list.postfix.users/browse_thread/thread/4fa72d11f61029c3/94f8969818d6a7c8)

and that's much appreciated. Thanks a lot.
Re: Quick Postfix Question [OT]
mouss wrote:
| Does Postfix allow you to use white lists? If so - what's the syntax?
| I'm about to publish my whitelist for Postfix.
|
|
| No. DNSWL offer an rsync access.

That's the exact reason we offer rsync access *to a specially formatted file* (see http://www.dnswl.org/tech#postfix and http://groups.google.com/group/list.postfix.users/browse_thread/thread/4fa72d11f61029c3/94f8969818d6a7c8)

-- 
Matthias, for dnswl.org
Re: Need rule for this type of spam
Hi,

Here http://pastebin.com/m309761a5

Thanks
Re: Need rule for this type of spam
score here as follows :-

Content analysis details:   (17.1 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 5.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=213.189.148.42,rdns=ip-213-189-148-042.fix.magnet.ch,client,ipinhostname,clientwords]
 3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [213.189.148.42 listed in zen.spamhaus.org]
 4.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
                            [Blocked - see http://www.spamcop.net/bl.shtml?213.189.148.42]
 0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.5103]
 0.1 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS
 4.0 JM_SOUGHT_3            JM_SOUGHT_3
 1.0 DOS_OUTLOOK_TO_MX      Delivered direct to MX with Outlook headers

Jason's rules should help you :- http://wiki.apache.org/spamassassin/SoughtRules

Regards,
-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- jfchaput [EMAIL PROTECTED] wrote:
> Hi,
>
> Here http://pastebin.com/m309761a5
>
> Thanks
Need rule for this type of spam
Hi,

My spamassassin setup works great but I receive a lot of spam like this:

  Subject: M!cro soft Office_2OO7 for XP,Vis+a 79. Retail 838 -save 2466-

  sas jmp statistical discovery 7 - 129
  use -newsoftdeal .com- |n Web Browser
  Erase - before you use |n Web Browser
  ulead photoImpact x3 - 29
  intuit quickbooks premier edition 2007 - 79
  intuit quicken home and business 2008 - 39
  cdmenupro 6.23 biz edition - 39
  alias maya 7.0 unlimited - 109
  autodesk architectural studio 3.0 - 39
  parallels desktop 3.0 for mac - 29

Can somebody provide me a rule for that or help to create a custom rule?

Thanks
Re: Quick Postfix Question [OT]
Matthias Leisi wrote:
> mouss wrote:
> | Does Postfix allow you to use white lists? If so - what's the syntax?
> | I'm about to publish my whitelist for Postfix.
> |
> |
> | No. DNSWL offer an rsync access.
>
> That's the exact reason we offer rsync access *to a specially formatted file* (see http://www.dnswl.org/tech#postfix and http://groups.google.com/group/list.postfix.users/browse_thread/thread/4fa72d11f61029c3/94f8969818d6a7c8)

It appears that Postfix only does DNS blacklists and not whitelists then. I was going to publish my whitelist and Postfix instructions but I guess I can't do that.
New Postfix compatible BLACK LIST
Hello Everyone,

My hostkarma black/white/yellow lists were too complex to be accessed by Postfix. So I have created a Postfix compatible blacklist for those of you who want to bounce a lot of spam before routing it into SA.

  reject_rbl_client blacklist.junkemailfilter.com

If you're using Exim or want to use SA Rules there are examples and details at the link below.

http://wiki.ctyme.com/index.php/Spam_DNS_Lists

Unfortunately Postfix doesn't support DNS based whitelists. :(

I'm currently listing just over a million virus infected spam bots that have tried to spam my servers in the last 4 days. Hosting this DNS from 6 separate servers. Very low false positive rate. The list usage is free unless you are a really big user. Just my way of giving back to the spam fighting community.

Here's a blacklist comparison site by volume (not by quality).

http://www.sdsc.edu/~jeff/spam/cbc.html
Re: Need rule for this type of spam
please post the full message via something like pastebin. we need to see the headers as well.

Regards,
-- 
--[ UxBoD ]--
// PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
// Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
// Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
// Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]

- jfchaput [EMAIL PROTECTED] wrote:
> Hi,
>
> My spamassassin setup works great but I receive a lot of spam like this:
>
>   Subject: M!cro soft Office_2OO7 for XP,Vis+a 79. Retail 838 -save 2466-
>
>   sas jmp statistical discovery 7 - 129
>   use -newsoftdeal .com- |n Web Browser
>   Erase - before you use |n Web Browser
>   ulead photoImpact x3 - 29
>   intuit quickbooks premier edition 2007 - 79
>   intuit quicken home and business 2008 - 39
>   cdmenupro 6.23 biz edition - 39
>   alias maya 7.0 unlimited - 109
>   autodesk architectural studio 3.0 - 39
>   parallels desktop 3.0 for mac - 29
>
> Can somebody provide me a rule for that or help to create a custom rule?
>
> Thanks
Re: Need rule for this type of spam
I will check that. Thanks a lot

--[ UxBoD ]-- wrote:
> score here as follows :-
>
> Content analysis details:   (17.1 points, 5.0 required)
>
>  pts rule name              description
> ---- ---------------------- --------------------------------------------------
>  5.0 BOTNET                 Relay might be a spambot or virusbot
>                             [botnet0.8,ip=213.189.148.42,rdns=ip-213-189-148-042.fix.magnet.ch,client,ipinhostname,clientwords]
>  3.0 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
>                             [213.189.148.42 listed in zen.spamhaus.org]
>  4.0 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>                             [Blocked - see http://www.spamcop.net/bl.shtml?213.189.148.42]
>  0.0 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
>                             [score: 0.5103]
>  0.1 RDNS_DYNAMIC           Delivered to trusted network by host with dynamic-looking rDNS
>  4.0 JM_SOUGHT_3            JM_SOUGHT_3
>  1.0 DOS_OUTLOOK_TO_MX      Delivered direct to MX with Outlook headers
>
> Jason's rules should help you :- http://wiki.apache.org/spamassassin/SoughtRules
>
> Regards,
> -- 
> --[ UxBoD ]--
> // PGP Key: curl -s http://www.splatnix.net/uxbod.asc | gpg --import
> // Fingerprint: F57A 0CBD DD19 79E9 1FCC A612 CB36 D89D 2C5A 3A84
> // Keyserver: www.keyserver.net Key-ID: 0x2C5A3A84
> // Phone: +44 845 869 2749 SIP Phone: [EMAIL PROTECTED]
>
> - jfchaput [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > Here http://pastebin.com/m309761a5
> >
> > Thanks
Re: Quick Postfix Question [OT]
> It appears that Postfix only does DNS blacklists and not whitelists then. I was going to publish my whitelist and Postfix instructions but I guess I can't do that.

http://linux.softpedia.com/get/Communications/Email-Filters/maRBL-16435.shtml

this link helps :-) test for rbl blacklist and if not listed make a whitelist action class result on this as a class in postfix
SpamAssassin+MIMEDefang HTML messages Scoring
I have a MIMEDefang(2.63)+SpamAssassin(3.1.9) setup that is catching a lot of spam, but specific spam messages are slipping through. It appears to be fairly consistent day-to-day. If the email is a HTML message, spamassassin will hit on the HTML_MESSAGE rule and that's it. These spam emails are obvious as they contain key words and phrases that should be hitting on other rules.

I have a feeling MIMEDefang may be inhibiting the process somehow, since if I take one of these spam messages that got through to my inbox and run it manually through spamassassin using the command:

  spamassassin -t < spamemail > spamemail.out

it will score it appropriately and mark it as spam. Again, this happens if the spam email is sent as an HTML message. If the spam is sent as plain text, I don't notice any problems with the scoring.

Any help and suggestions for things to look at to shed some light on what might be going on here would be greatly appreciated. I have created a similar posting on the MIMEDefang list as well, however I have not received any responses.

Thank you very much.
sare_uri does not --lint
created a patch so it does --- /var/lib/spamassassin/3.002004/70_sare_uri_cf_sare_sa-update_dostech_net/200510102200.cf.orig 2008-02-25 06:15:39.0 +0100 +++ /var/lib/spamassassin/3.002004/70_sare_uri_cf_sare_sa-update_dostech_net/200510102200.cf 2008-02-27 18:21:47.0 +0100 @@ -73,7 +73,9 @@ uri __SARE_URI_ANY /./ #hist __SARE_URI_ANY Murty Rompalli, 2005-01-03 +ifplugin Mail::SpamAssassin::Plugin::BodyEval body __SARE_BODY_BLNK_5_100 eval:check_blank_line_ratio('5','100') +endif #hist __SARE_BODY_BLNK_5_100 Murty Rompalli, 2005-01-03 meta __SARE_META_MURTY3 (__SARE_URI_ANY __SARE_BODY_BLNK_5_100) #hist __SARE_META_MURTY3 Murty Rompalli, 2005-01-03 @@ -303,7 +305,9 @@ uri __SARE_URI_ANY /./ #hist __SARE_URI_ANY Murty Rompalli, 2005-01-03 +ifplugin Mail::SpamAssassin::Plugin::BodyEval body __SARE_BODY_BLNK_5_100 eval:check_blank_line_ratio('5','100') +endif #hist __SARE_BODY_BLNK_5_100 Murty Rompalli, 2005-01-03 meta __SARE_META_MURTY3 (__SARE_URI_ANY __SARE_BODY_BLNK_5_100) #hist __SARE_META_MURTY3 Murty Rompalli, 2005-01-03 @@ -733,7 +737,9 @@ uri __SARE_URI_ANY /./ #hist __SARE_URI_ANY Murty Rompalli, 2005-01-03 +ifplugin Mail::SpamAssassin::Plugin::BodyEval body __SARE_BODY_BLNK_5_100 eval:check_blank_line_ratio('5','100') +endif #hist __SARE_BODY_BLNK_5_100 Murty Rompalli, 2005-01-03 meta __SARE_META_MURTY3 (__SARE_URI_ANY __SARE_BODY_BLNK_5_100) #hist __SARE_META_MURTY3 Murty Rompalli, 2005-01-03
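Review bot: in the first hunk (@@ -73,7 +73,9 @@) the `ifplugin Mail::SpamAssassin::Plugin::BodyEval` / `endif` pair wraps only the `body __SARE_BODY_BLNK_5_100 eval:check_blank_line_ratio('5','100')` line, while the `meta __SARE_META_MURTY3 (__SARE_URI_ANY __SARE_BODY_BLNK_5_100)` line that follows stays unconditional; when the BodyEval plugin is not loaded that meta rule then refers to a sub-rule that is never defined, and `--lint` flags meta rules with undefined dependencies, so the patch only moves the lint complaint rather than removing it. Move the `endif` below the `meta` line (or give the meta rule its own `ifplugin` block) so the eval rule and the meta that uses it are skipped together. The second (@@ -303,7 +305,9 @@) and third (@@ -733,7 +737,9 @@) hunks are copies of the first and need the same adjustment.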
yahoo.co.uk
everyday i get 2 or three of these coming through. it seems like they could/should be caught but they often have very low scores. they all have yahoo.co.uk in the from address

---example1---
--- headers ---
From: [EMAIL PROTECTED]
Subject: dear tnv Schoolgirls q.
Date: February 27, 2008 5:05:53 AM PST
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on jpkvideo.net
X-Spam-Level:
X-Spam-Status: No, score=4.9 required=5.0 tests=BAYES_50,RCVD_IN_BL_SPAMCOP_NET,SARE_SCHLGRL,TW_JF,TW_JK,TW_KD,TW_QW,TW_TN,TW_WP,TW_WV,TW_YW autolearn=no version=3.2.4
Received: (qmail 32723 invoked by uid 110); 27 Feb 2008 04:53:05 -0800
Received: (qmail 32714 invoked from network); 27 Feb 2008 04:53:05 -0800
Received: from n2.bullet.mail.re4.yahoo.com (206.190.56.21) by mail.jpkvideo.net with SMTP; 27 Feb 2008 04:53:04 -0800
Received: from [68.142.230.29] by n2.bullet.re4.yahoo.com with NNFMP; 27 Feb 2008 12:50:47 -
Received: from [69.147.75.182] by t2.bullet.re2.yahoo.com with NNFMP; 27 Feb 2008 12:50:47 -
Received: from [127.0.0.1] by omp103.mail.re1.yahoo.com with NNFMP; 27 Feb 2008 12:50:47 -
Received: (qmail 56157 invoked from network); 27 Feb 2008 12:50:47 -
Received: from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED] with login) by smtp108.plus.mail.re1.yahoo.com with SMTP; 27 Feb 2008 12:50:46 -
Received-Spf: none (mail.jpkvideo.net: domain at yahoo.co.uk does not designate permitted sender hosts)
X-Yahoo-Newman-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Domainkey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.uk; h=Received:X-YMail-OSG:X-Yahoo-Newman-Property:From:To:Reply-To:Subject:Date:MIME-Version:Content-type:Content-transfer-encoding; b=ZCQu4SyaoBJDYdMVj6lzxZMWp2rNH+Wt4gw3baN3qcGIudadCvR/R4e5BViYvwywNh6x0WeKRTWJ8XXzzOonPMhv0NJ7dz1Wd84Epw3ZmcZMiR6swzoFcPcjnRckaVpYzLQoi/0ls8LR22X52aLL06XgduZEZEds5U72EYNYmMI= ;
X-Ymail-Osg: R1BUWHwVM1mOafE4j9EzDgzCnkd2r0k6r5y2xhxB6Q63z_kS48BZ8OmP83S_N5FKG8uFnXPaukheeCbN2uo0TnqdAYnIXaI0rtYpCqwAJepHpgTHKx6E5FLi.E5QiXXamQ--
X-Yahoo-Newman-Property: ymail-5
Mime-Version: 1.0
Content-Type: text/plain; charset=windows-1251
Content-Transfer-Encoding: 8bit
--- body ---
r, top ywp j Whore jfft http://www.uastvideofs.cn chb wvr sq oo i. fa vmi h qwdcs elbjj. das imoum x izo yw pkwh, wppi jkdq x yrop.

---example2---
--- headers ---
From: [EMAIL PROTECTED]
Subject: sexual v Whore v.
Date: February 26, 2008 2:06:24 PM PST
To: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Return-Path: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
Delivered-To: [EMAIL PROTECTED]
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on jpkvideo.net
X-Spam-Level:
X-Spam-Status: No, score=0.9 required=5.0 tests=BAYES_50,TW_BD,TW_DJ,TW_DZ,TW_JB,TW_JF,TW_KJ,TW_QL,TW_QW,TW_SV,TW_WB,TW_WR,TW_ZQ autolearn=no version=3.2.4
Received: (qmail 14144 invoked by uid 110); 26 Feb 2008 13:57:02 -0800
Received: (qmail 14118 invoked from network); 26 Feb 2008 13:57:01 -0800
Received: from n2d.bullet.mail.ac4.yahoo.com (76.13.13.86) by mail.jpkvideo.net with SMTP; 26 Feb 2008 13:57:01 -0800
Received: from [76.13.13.26] by n2.bullet.mail.ac4.yahoo.com with NNFMP; 26 Feb 2008 13:55:07 -
Received: from [68.142.194.243] by t3.bullet.mail.ac4.yahoo.com with NNFMP; 26 Feb 2008 21:57:00 -
Received: from [68.142.237.88] by t1.bullet.mud.yahoo.com with NNFMP; 26 Feb 2008 21:57:00 -
Received: from [66.196.97.153] by t4.bullet.re3.yahoo.com with NNFMP; 26 Feb 2008 21:56:59 -
Received: from [127.0.0.1] by omp206.mail.re3.yahoo.com with NNFMP; 26 Feb 2008 21:56:59 -
Received: (qmail 13807 invoked from network); 26 Feb 2008 21:51:21 -
Received: from unknown (HELO www.microsoft.com) ([EMAIL PROTECTED] with login) by smtp101.plus.mail.re1.yahoo.com with SMTP; 26 Feb 2008 21:51:20 -
Received-Spf: none (mail.jpkvideo.net: domain at yahoo.co.uk does not designate permitted sender hosts)
X-Yahoo-Newman-Id: [EMAIL PROTECTED]
Message-Id: [EMAIL PROTECTED]
Domainkey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.co.uk; h=Received:X-YMail-OSG:X-Yahoo-Newman-Property:From:To:Reply-To:Subject:Date:MIME-Version:Content-type:Content-transfer-encoding; b =
No SPF_FAIL flag, why?
This email was received and is very much spam (February 77% off, Viagra HTML spam), and was sent to this user FROM this user (which they obviously did not spam themselves). What can I do to make the score higher than what it was scored, as well as why didn't the SPF fail? The record for pittershawn.com has an SPF record that clearly states it can only come from 1 IP address. Below is the email in question. Thanks for your help!

Return-path: [EMAIL PROTECTED]
Envelope-to: [EMAIL PROTECTED]
Delivery-date: Tue, 26 Feb 2008 02:52:40 -0600
Received: from mail by mail.eggycrew.com with spam-scanned (Exim 4.67) (envelope-from [EMAIL PROTECTED]) id 1JTvYE-lf-KO for [EMAIL PROTECTED]; Tue, 26 Feb 2008 02:52:40 -0600
X-Spam-Checker-Version: SpamAssassin 3.2.0 (2007-05-01) on server1.eggycrew.com
X-Spam-Level:
X-Spam-Status: No, score=-0.3 required=5.0 tests=AWL,BAYES_00,HTML_IMAGE_ONLY_28,HTML_MESSAGE,MIME_HTML_ONLY,MISSING_DATE,RDNS_NONE,URIBL_JP_SURBL autolearn=disabled version=3.2.0
Received: from [212.82.194.35] (helo=shavanova) by mail.eggycrew.com with smtp (Exim 4.67) (envelope-from [EMAIL PROTECTED]) id 1JTvYE-lb-31 for [EMAIL PROTECTED]; Tue, 26 Feb 2008 02:52:38 -0600
X-Mailer: CME-V6.5.4.3; MSN
Received: (qmail 21081 by uid 536); Tue, 26 Feb 2008 10:38:47 +0200
Message-Id: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: February 77% OFF
From: [EMAIL PROTECTED]
MIME-Version: 1.0
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
X-Antivirus-ClamAV-Scanner: This message was scanned for viruses and other harmful content on mail.eggycrew.com before being delivered.
Date: Tue, 26 Feb 2008 02:52:40 -0600
Re: No SPF_FAIL flag, why?
At 11:02 27-02-2008, Russell Jones wrote:
This email was received and is very much spam (February 77% off, Viagra HTML spam), and was sent to this user FROM this user (which they obviously did not spam themselves). What can I do to make the score higher than what it was scored, as well as why didn't the SPF fail? The record for pittershawn.com has an SPF record that clearly states it can only come from 1 IP address.

SPF checks are done on the return-path only and not the address in the From: header.

There was a BAYES_00 hit. That is wrong if you consider the email as spam. Retrain Bayes.

Regards,
-sm
[Fwd: Re: No SPF_FAIL flag, why?]
Forgot to put this address in CC. In case anyone is interested in following the convo:

Original Message
Subject: Re: No SPF_FAIL flag, why?
Date: Wed, 27 Feb 2008 13:27:52 -0600
From: Russell Jones [EMAIL PROTECTED]
To: SM [EMAIL PROTECTED]
References: [EMAIL PROTECTED] [EMAIL PROTECTED]

That doesn't make sense. Maybe I am misunderstanding this. From openspf.org:

What does SPF actually DO? Suppose a spammer forges a hotmail.com address and tries to spam you. They connect from somewhere other than Hotmail. When his message is sent, you see MAIL FROM: [EMAIL PROTECTED], but you don't have to take his word for it. You can ask Hotmail if the IP address comes from their network. (In this example) Hotmail publishes an SPF record. That record tells you (your computer) how to find out if the sending machine is allowed to send mail from Hotmail. If Hotmail says they recognize the sending machine, it passes, and you can assume the sender is who they say they are. If the message fails SPF tests, it's a forgery. That's how you can tell it's probably a spammer.

If what you said is right, why does SPF only look at the return-path address and not the From: address? Nobody pays attention to return-path, they only look at From to see who their mail client says the email address is from.

SM wrote:
At 11:02 27-02-2008, Russell Jones wrote:
This email was received and is very much spam (February 77% off, Viagra HTML spam), and was sent to this user FROM this user (which they obviously did not spam themselves). What can I do to make the score higher than what it was scored, as well as why didn't the SPF fail? The record for pittershawn.com has an SPF record that clearly states it can only come from 1 IP address.

SPF checks are done on the return-path only and not the address in the From: header.

There was a BAYES_00 hit. That is wrong if you consider the email as spam. Retrain Bayes.

Regards,
-sm
Re: Quick Postfix Question [OT]
Marc Perkel wrote: It appears that Postfix only does DNS blacklists and not whitelists then. I was going to publish my whitelist and Postfix instructions but I guess I can't do that. That would be a better question for the postfix-users list. Probably the way to do this is with the check_policy_service functionality. The permit action should permit the request. I haven't created my own policy daemon though and so this is an academically derived answer. According to the manual Policy delegation is now the preferred method for adding policies to Postfix. Bob
Re: Quick Postfix Question [OT]
On Wed, Feb 27, 2008 at 2:50 PM, Bob Proulx [EMAIL PROTECTED] wrote:
Marc Perkel wrote:
It appears that Postfix only does DNS blacklists and not whitelists then. I was going to publish my whitelist and Postfix instructions but I guess I can't do that.

That would be a better question for the postfix-users list. Probably the way to do this is with the check_policy_service functionality. The permit action should permit the request. I haven't created my own policy daemon though and so this is an academically derived answer. According to the manual Policy delegation is now the preferred method for adding policies to Postfix.

Bob

Here's a hacked up version of postfix-policyd that uses the results from the hostkarma rbl. I'm sure it can be improved upon, but it works for me.

# postfix-policyd-spf-perl
# http://www.openspf.org/Software
# version 2.004
#
# (C) 2007 Scott Kitterman [EMAIL PROTECTED]
# (C) 2007 Julian Mehnle [EMAIL PROTECTED]
# (C) 2003-2004 Meng Weng Wong [EMAIL PROTECTED]
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# hacked up to query hostkarma
# by aaron [EMAIL PROTECTED]

use strict;
use IO::Handle;
use IO::Socket;
use Sys::Syslog qw(:DEFAULT setlogsock);
use NetAddr::IP;
use Net::DNS;
use Fcntl;

require "/etc/eps/config.pl";

# ----------------------------------------------------------------
# configuration
# ----------------------------------------------------------------

# Adding more handlers is easy:
my @HANDLERS = (
    { name => 'hostkarma_lookup', code => \&hostkarma_lookup },
);

my $VERBOSE = 0;

my $DEFAULT_RESPONSE = 'DUNNO';

#
# Syslogging options for verbose mode and for fatal errors.
# NOTE: comment out the $syslog_socktype line if syslogging does not
# work on your system.
#
my $syslog_socktype = 'unix';   # inet, unix, stream, console
my $syslog_facility = 'mail';
my $syslog_options  = 'pid';
my $syslog_ident    = 'postfix/hk_lookup';

use constant localhost_addresses => map(
    NetAddr::IP->new($_),
    qw( 127.0.0.0/8 ::ffff:127.0.0.0/104 ::1 )
);  # Does Postfix ever say client_address=::ffff:<ipv4-address>?

use constant relay_addresses => map(
    NetAddr::IP->new($_),
    qw( 69.13.218.0/25 72.35.73.193/32 )
);  # add addresses to qw( ) above separated by spaces using CIDR notation.

my %results_cache;  # by message instance

my $dns = Net::DNS::Resolver->new;

# ----------------------------------------------------------------
# initialization
# ----------------------------------------------------------------

#
# Log an error and abort.
#
sub fatal_exit {
    syslog(err     => "fatal_exit: @_");
    syslog(warning => "fatal_exit: @_");
    syslog(info    => "fatal_exit: @_");
    die("fatal: @_");
}

#
# Unbuffer standard output.
#
STDOUT->autoflush(1);

#
# This process runs as a daemon, so it can't log to a terminal. Use
# syslog so that people can actually see our messages.
#
setlogsock($syslog_socktype);
openlog($syslog_ident, $syslog_options, $syslog_facility);

# ----------------------------------------------------------------
# main
# ----------------------------------------------------------------

#
# Receive a bunch of attributes, evaluate the policy, send the result.
#
my %attr;
while (<STDIN>) {
    chomp;

    if (/=/) {
        # "key=value" line: collect it and read on
        my ($key, $value) = split(/=/, $_, 2);
        $attr{$key} = $value;
        next;
    }
    elsif (length) {
        syslog(warning => sprintf("warning: ignoring garbage: %.100s", $_));
        next;
    }

    # An empty line ends the request block: evaluate the collected attributes.
    if ($VERBOSE) {
        for (sort keys %attr) {
            syslog(debug => "Attribute: %s=%s", $_, $attr{$_});
        }
    }

    my $message_instance = $attr{instance};
    my $cache = defined($message_instance)
        ? $results_cache{$message_instance} ||= {}
        : {};

    my $action = $DEFAULT_RESPONSE;

    foreach my $handler (@HANDLERS) {
        my $handler_name = $handler->{name};
        my $handler_code = $handler->{code};

        my $response = $handler_code->(attr => \%attr, cache => $cache);

        if ($VERBOSE) {
            syslog(debug => "handler %s: %s", $handler_name, $response);
        }

        # Pick whatever response is not 'DUNNO'
        if ($response and $response !~ /^DUNNO/i) {
            # syslog(info => "handler %s: is decisive.", $handler_name);
            $action = $response;
            last;
        }
    }

    syslog(info => "Policy action=%s", $action);

    STDOUT->print("action=$action\n\n");
    %attr = ();
}

# The archived message is cut off at the "is decisive" comment above. The
# remainder of the main loop is restored from the structure of the upstream
# postfix-policyd-spf-perl script; the hostkarma_lookup handler itself was
# not preserved in the archive.
Re: Quick Postfix Question [OT]
On Wed, Feb 27, 2008 at 3:12 PM, Henrik K [EMAIL PROTECTED] wrote:
On Wed, Feb 27, 2008 at 03:00:49PM -0500, Aaron Wolfe wrote:
On Wed, Feb 27, 2008 at 2:50 PM, Bob Proulx [EMAIL PROTECTED] wrote:
Marc Perkel wrote:
It appears that Postfix only does DNS blacklists and not whitelists then. I was going to publish my whitelist and Postfix instructions but I guess I can't do that.

That would be a better question for the postfix-users list. Probably the way to do this is with the check_policy_service functionality. The permit action should permit the request. I haven't created my own policy daemon though and so this is an academically derived answer. According to the manual Policy delegation is now the preferred method for adding policies to Postfix.

Bob

Here's a hacked up version of postfix-policyd that uses the results from the hostkarma rbl. I'm sure it can be improved upon, but it works for me.

I'm sure that works, but I seriously recommend postfwd: http://postfwd.org/

You can easily use a config like:

rbl=hostkarma.junkemailfilter.com/127.0.0.1; action=OK whitelisted
rbl=hostkarma.junkemailfilter.com/127.0.0.2; action=REJECT blacklisted
rbl=hostkarma.junkemailfilter.com/127.0.0.3; action=PREPEND X-Karma: yellow

.. among many other things that are possible.

after looking at postfwd for only a few minutes, I have to agree.. don't use my messy code, use postfwd! I will be soon.

-Aaron
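The check_policy_service exchange and the hostkarma action mapping discussed in the two posts above, as an added Python example (it is neither Aaron's Perl script nor postfwd). It assumes the hostkarma zone name and return codes quoted by Henrik; the DNS answers, the request attributes and the relay network 192.0.2.0/24 are constructed so it runs offline.

```python
"""Minimal Postfix policy server mapping hostkarma DNSBL answers to actions.

Added example, not Aaron's script or postfwd. It implements the request/reply
protocol behind check_policy_service (attribute=value lines, an empty line ends
a request, the reply is "action=...\n\n") and applies the mapping quoted from
the postfwd config. The resolver is injected so the code runs offline.
"""
import ipaddress
import sys
from typing import Callable, Dict, List, Optional

HOSTKARMA_ZONE = "hostkarma.junkemailfilter.com"

# Return codes and actions as quoted in the thread; anything else is DUNNO,
# which lets Postfix continue with the next restriction.
KARMA_ACTIONS = {
    "127.0.0.1": "OK whitelisted",
    "127.0.0.2": "REJECT blacklisted",
    "127.0.0.3": "PREPEND X-Karma: yellow",
}

# Clients never looked up: loopback plus our own relays (the relay range is a
# constructed placeholder, like relay_addresses in the Perl script).
SKIP_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "::1/128", "192.0.2.0/24")]

Resolver = Callable[[str], List[str]]  # query name -> A-record strings, [] if unlisted


def parse_request(raw: str) -> Dict[str, str]:
    """Parse one policy request: key=value lines terminated by an empty line."""
    attrs: Dict[str, str] = {}
    for line in raw.split("\n"):
        if line == "":
            break  # end of this request block
        if "=" not in line:
            continue  # the Perl version logs "ignoring garbage" and skips it too
        key, value = line.split("=", 1)  # values may themselves contain '='
        attrs[key] = value
    return attrs


def dnsbl_name(ipv4: str, zone: str) -> str:
    """Reverse the octets and append the zone: 203.0.113.10 -> 10.113.0.203.<zone>."""
    return ".".join(reversed(ipv4.split("."))) + "." + zone


def hostkarma_action(attrs: Dict[str, str], resolve: Resolver,
                     cache: Optional[Dict[str, str]] = None) -> str:
    """Decide the action for one request; DUNNO whenever we cannot judge."""
    client = attrs.get("client_address", "")
    try:
        addr = ipaddress.ip_address(client)
    except ValueError:
        return "DUNNO"
    if addr.version != 4 or any(addr in net for net in SKIP_NETS):
        return "DUNNO"  # IPv4-only zone; loopback and own relays are not judged

    # Postfix sends one request per RCPT with the same "instance" value, so a
    # per-instance cache avoids repeating the DNS query for multi-recipient mail.
    instance = attrs.get("instance")
    if cache is not None and instance in cache:
        return cache[instance]

    action = "DUNNO"
    for answer in resolve(dnsbl_name(client, HOSTKARMA_ZONE)):
        if answer in KARMA_ACTIONS:
            action = KARMA_ACTIONS[answer]
            break
    if cache is not None and instance:
        cache[instance] = action
    return action


def policy_reply(raw_request: str, resolve: Resolver,
                 cache: Optional[Dict[str, str]] = None) -> str:
    """One full exchange: returns exactly the bytes Postfix expects to read back."""
    return "action=%s\n\n" % hostkarma_action(parse_request(raw_request), resolve, cache)


def serve(stream_in, stream_out, resolve: Resolver) -> None:
    """Loop Postfix drives when it spawns the policy server over a pipe."""
    cache: Dict[str, str] = {}
    block: List[str] = []
    for line in stream_in:
        line = line.rstrip("\n")
        block.append(line)
        if line == "":  # request complete
            stream_out.write(policy_reply("\n".join(block), resolve, cache))
            stream_out.flush()  # Postfix blocks until the reply arrives
            block = []


# Constructed stand-in for the real zone so the example runs offline.
FAKE_ZONE = {
    dnsbl_name("203.0.113.10", HOSTKARMA_ZONE): ["127.0.0.2"],  # "blacklisted"
    dnsbl_name("198.51.100.7", HOSTKARMA_ZONE): ["127.0.0.1"],  # "whitelisted"
    dnsbl_name("198.51.100.8", HOSTKARMA_ZONE): ["127.0.0.3"],  # "yellow"
}


def fake_resolve(name: str) -> List[str]:
    return FAKE_ZONE.get(name, [])


def sample_request(client_ip: str) -> str:
    """Constructed request in the shape Postfix sends at RCPT time."""
    return ("request=smtpd_access_policy\nprotocol_state=RCPT\nprotocol_name=ESMTP\n"
            "client_address=%s\nclient_name=unknown\nhelo_name=mail.example.net\n"
            "sender=sender@example.net\nrecipient=user@example.com\n"
            "instance=123.456.7890\n\n" % client_ip)


if __name__ == "__main__":
    for ip in ("203.0.113.10", "198.51.100.7", "198.51.100.8", "203.0.113.99", "127.0.0.1"):
        sys.stdout.write("%s -> %s" % (ip, policy_reply(sample_request(ip), fake_resolve)))
```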
new google trick: docs
They look like this: http://docs.google.com/doc?id=MUNGED_MUNGED I'm not sure if the id is personally identifiable, so MUNGED both halves of it. I've only seen two so far, and haven't visited either (again, due to the potential PII - both samples were from other people). Very little else stands out about them (other than very low default SA ruleset scores - both were caught by supplementary nation-of-origin tests). Of potential interest is that the From and To followed this pattern: account [EMAIL PROTECTED] account [EMAIL PROTECTED] Which should rarely occur in Ham, and should be easily rule-writeable. I've added doc to my list of tokens that are word matched in my own battery of anti Google Tricks tests. Hmmm... I wonder if it would be more productive to come up with a rule that triggers on _ANY_ unusual params in a Google url? In other words, enumerate the legit ones, and score all others. The only legit form of pre-emptive strike is the kind against spammers (IMO). :) - Chip
Re: cannot open bayes databases Interrupted system call
I'll give this a shot. thanks

Matt Kettler wrote:
Mike Fahey wrote:
This page specifically uses /etc/mail/spamassassin.

Yeah, I read that the first time. It is wrong. In fact, I'd say it's stupid. I'll go edit the wiki article when I get a chance, but I want to have some time to really sit down and do an extensive rewrite there. There's a lot of facts that should be there, which aren't.

If nothing else, there needs to be NO OTHER FILES starting with bayes in your /etc/mail/spamassassin for that to work! If you've got a bayes_rescore.cf in there, you're going to break.

Also, /etc/ isn't intended to store data that changes constantly. It is completely contrary to the Unix philosophy to store a database here.

Therefore, using all possible strength, and all possible expertise that my position as a member of the SpamAssassin Project Management Committee conveys, I strongly advise not following the advice of that wiki article. At least as far as using bayes_path /etc/mail/spamassassin/bayes.

I believe it's hardware related, as other machines work fine.

It could be rights related.. what are the permissions on /etc/mail/spamassassin/? Is it world rwx (dangerous!)?

It could also be related to a file starting with bayes in there that's not a part of the bayes DB..

ls /etc/mail/spamassassin/bayes*

Is there anything but bayes_seen, bayes_toks and bayes_journal?

Does anyone else have any tweaks for global bayes ?

Yeah, put it in its own directory, and not in /etc/.
Re: new google trick: docs
On Wed, Feb 27, 2008 at 02:38:50PM -0600, Chip M. wrote:
They look like this: http://docs.google.com/doc?id=MUNGED_MUNGED
I've added doc to my list of tokens that are word matched in my own battery of anti Google Tricks tests.

What's the trick here? Looks like a normal docs URL to me.

Hmmm... I wonder if it would be more productive to come up with a rule that triggers on _ANY_ unusual params in a Google url? In other words, enumerate the legit ones, and score all others.

There's nothing unusual in the URL quoted. YMMV, of course, but I use Google Docs *all the time*, so see a lot of docs.google.com and spreadsheets.google.com URLs. If someone is abusing the docs system and spamming people that way, report them to Google.

--
Randomly Selected Tagline:
A leader leads from in front, by the power of example. A ruler pushes from behind, by means of the club, the whip, the power of fear. - Edward Abbey
Re: No SPF_FAIL flag, why?
At 11:27 27-02-2008, Russell Jones wrote:
That doesn't make sense. Maybe I am misunderstanding this. From openspf.org: What does SPF actually DO? Suppose a spammer forges a hotmail.com address and tries to spam you. They connect from somewhere other than Hotmail. When his message is sent, you see MAIL FROM: [EMAIL PROTECTED], but you don't have to take his word for it. You can ask Hotmail if the IP address comes from their network.

That's the return-path.

If what you said is right, why does SPF only look at the return-path address and not the From: address? Nobody pays attention to return-path, they only look at From to see who their mail client says the email address is from.

If SPF was set to look up the address in the From: header, messages you send through this mailing list would be rejected as they don't come from your mail server.

Regards,
-sm
Re: [Fwd: Re: No SPF_FAIL flag, why?]
That doesn't make sense. Maybe I am misunderstanding this. From openspf.org: What does SPF actually DO? Suppose a spammer forges a hotmail.com address and tries to spam you. They connect from somewhere other than Hotmail. When his message is sent, you see MAIL FROM: [EMAIL PROTECTED], but you don't have to take his word for it. You can ask Hotmail if the IP address comes from their network.

The MTA never really sees what's in the headers. It only adds to the headers. When an SMTP connection first begins the connecting MTA says helo this [EMAIL PROTECTED]. That's what SPF looks at. The MTA then adds that as the return path to the headers.

Return-path: [EMAIL PROTECTED]

That return path looks flaky. I would think spamassassin would have some way of considering it suspect, since it's not a valid domain. Not sure though.

Matt
Re: new google trick: docs
On Wed, 27 Feb 2008, Theo Van Dinter wrote: What's the trick here? Looks like a normal docs URL to me. Poor terminology on my part. I am Only An Egg. :) Is exploit a more correct term? I meant that this is the latest way that spammers are taking advantage of the trusting attitude most folks have towards a Google link. A brief search shows this actually started at least a month ago: http://chris.pirillo.com/2007/01/16/google-docs-spam/ My two URL samples were very similar to the four listed there. There's nothing unusual in the URL quoted. This would be my ignorance showing (as I hinted in my previous post). I have no personal experience with Google Docs. Perhaps you (or anyone) would provide some samples of what legit ones look like? Possibly the legit ones have a significantly different pattern, which would assist in rule writing. Based on what you've said, my gut feeling is this is one of the spammers' best tricks, um... exploits. Fighting it is (potentially) harder than blocking Blogspot, because it appears there is no unique owner ID, so they can generate new unique URLs with ease. Please enlighten me if this isn't so. YMMV, of course, but I use Google Docs *all the time*, so see a lot of docs.google.com and spreadsheets.google.com URLs VERY interesting! So, in a sense, this is one of the few (only?) spammer exploits of Google that would hit Nerds in addition to Normals? I sent my new rule off just to my non-Nerd users to run MassChecks - thanks to your heads-up, I'll ask my Nerds to MC too. That's what I love about this list - there's usually someone who has some expert knowledge on the matter at hand. :) If someone is abusing the docs system and spamming people that way, report them to Google. I commend your optimism. :) - Chip P.S. After a slow start, Uribl's fan-tastic new subsite listings are producing excellent results. 
We auto-quarantine all Blogspot, Geocities, etc emails, then re-run Uribl a few hours later, and are averaging about a 75% to 95% hit rate! Pretty good for such a new project. :)
Re: yahoo.co.uk
On Wed, 27 Feb 2008, JP Kelly wrote: it seems like they could/should be caught but they often have very low scores. they all have yahoo.co.uk in the from address In and of itself, yahoo.co.uk in the From isn't too helpful, unless you know you'll never get anything legit from there, then you could write a rule for it. The main thing that stands out (to me) is the China TLD in the URL. We block all those on sight (unless they're in the recipient's domain skip list - so far, none of my users have any China TLDs in theirs). Perhaps one of the regex gurus will whip you up a rule. :) Is there anything else that stands out in these? - Chip
Re: new google trick: docs
In article [EMAIL PROTECTED], Chip M. [EMAIL PROTECTED] writes A brief search shows this actually started at least a month ago: http://chris.pirillo.com/2007/01/16/google-docs-spam/ Erm, that's from 13 months ago :-) Kevin
Re: SA trusts all hosts as soon as IPv6 is enabled? (was Re: AWL problem. Assigning very low scores to spam.)
On Tue, Feb 26, 2008 at 19:13 -0500, Daryl C. W. O'Shea wrote: [...] If you or your company would like to fund the development of it, I'm willing to prioritize the work. Seriously. Otherwise, should have by now does not apply to free software. Especially free software that is easily monetized by its users. If the lack of a feature you want doesn't bother anyone else enough to implement it the only one you can expect to dedicate time or resources to the work is yourself. As I said before, I'm only a stupid user and have no commercial interest in SA. -- I did however produce a simple workaround patch and sent it to this list already. In the case of IPv6 (in SA), none of us have had the need for it ourselves or perceived the need of it by enough users being greater than the need for other things we've spent our time on instead. The problem here is not the missing of IPv6 support, but the fact that it makes SA trust random headers. CU, Sec -- perl -le 's,us(?=r),he,,print if (($_=qq/(*_=*\047)=~y#!perl -e hk #rJust -`neocheat#,*_; $^X hacker!/)=~s.*;;($_=$)=~y~*~$~,$_;ee)'
Re: Reduce the spam score
On 27/02/2008 6:18 PM, Asif Iqbal wrote:
What is short of putting the sender email to white list to reduce the score of this email. It is a valid email. Here is the report

As presented to SpamAssassin, it was not a valid email. It had no headers.

Daryl

X-Spam-Flag: YES
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08) on qmail.home.net
X-Spam-Level: **
X-Spam-Status: Yes, score=6.4 required=5.0 tests=BAYES_00,MISSING_DATE,MISSING_HB_SEP,MISSING_HEADERS,MISSING_MID,MISSING_SUBJECT,SARE_GIF_ATTACH,SARE_RMML_Stock9,TW_BF,TW_FW,TW_FZ,TW_GJ,TW_GK,TW_GM,TW_GN,TW_GQ,TW_HX,TW_KD,TW_KG,TW_KK,TW_LR,TW_NB,TW_NR,TW_SG,TW_TN,TW_TX,TW_VF,TW_VP,TW_VX,TW_WB,TW_WG,TW_WX,TW_XC,UNPARSEABLE_RELAY autolearn=no version=3.2.3
X-Spam-Report:
* 0.0 MISSING_MID Missing Message-Id: header
* 0.0 MISSING_DATE Missing Date: header
* 2.5 MISSING_HB_SEP Missing blank line between message header and body
* 0.0 UNPARSEABLE_RELAY Informational: message has unparseable relay lines
* 1.3 MISSING_HEADERS Missing To: header
* 0.1 TW_XC BODY: Odd Letter Triples with XC
* 0.1 TW_KK BODY: Odd Letter Triples with KK
* 0.1 TW_GN BODY: Odd Letter Triples with GN
* 0.1 TW_BF BODY: Odd Letter Triples with BF
* 0.1 TW_GQ BODY: Odd Letter Triples with GQ
* 0.1 TW_TN BODY: Odd Letter Triples with TN
* 0.1 TW_NB BODY: Odd Letter Triples with NB
* 0.1 TW_GJ BODY: Odd Letter Triples with GJ
* 0.1 TW_VX BODY: Odd Letter Triples with VX
* 0.1 TW_NR BODY: Odd Letter Triples with NR
* 0.1 TW_KG BODY: Odd Letter Triples with KG
* 0.1 TW_GM BODY: Odd Letter Triples with GM
* 0.1 SARE_RMML_Stock9 BODY: SARE_RMML_Stock9
* 0.1 TW_WG BODY: Odd Letter Triples with WG
* 0.1 TW_HX BODY: Odd Letter Triples with HX
* 0.1 TW_TX BODY: Odd Letter Triples with TX
* 0.1 TW_KD BODY: Odd Letter Triples with KD
* 0.1 TW_WX BODY: Odd Letter Triples with WX
* 0.1 TW_VP BODY: Odd Letter Triples with VP
* 0.1 TW_LR BODY: Odd Letter Triples with LR
* 0.1 TW_FZ BODY: Odd Letter Triples with FZ
* 0.1 TW_FW BODY: Odd Letter Triples with FW
* 0.1 TW_VF BODY: Odd Letter Triples with VF
* 0.1 TW_SG BODY: Odd Letter Triples with SG
* 0.1 TW_GK BODY: Odd Letter Triples with GK
* 0.1 TW_WB BODY: Odd Letter Triples with WB
* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
*      [score: 0.]
* 1.4 SARE_GIF_ATTACH FULL: Email has a inline gif
* 1.8 MISSING_SUBJECT Missing Subject: header
Re: [Fwd: Re: No SPF_FAIL flag, why?]
On Wed, 27 Feb 2008, Matt wrote:
The MTA never really sees what's in the headers. It only adds to the headers. When an SMTP connection first begins the connecting MTA says helo this [EMAIL PROTECTED]. That's what SPF looks at. The MTA then adds that as the return path to the headers.

Actually there is a HELO hostname.domain field and then the RECPT FROM: [EMAIL PROTECTED] field. Both can be tested with SPF but it is the second (AKA envelope-from) which results in the Return-path header.

Return-path: [EMAIL PROTECTED]
That return path looks flaky. I would think spamassassin would have some way of considering it suspect, since it's not a valid domain. Not sure though.

If that accurately represents the message's envelope-from address then the OP has a problem at the MTA level. The MTA should do the most basic validation of the envelope-from (make sure that the domain name represents a valid domain via DNS). In that case the message should have been blocked at the MTA and never even made it to SA.

--
Dave Funk University of Iowa
dbfunk (at) engineering.uiowa.edu College of Engineering
319/335-5751 FAX: 319/384-0549 1256 Seamans Center
Sys_admin/Postmaster/cell_admin Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
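The point made in SM's and Dave's replies (SPF is evaluated on the HELO name and the envelope MAIL FROM that becomes Return-path, never on the header From:), as an added Python example that is not from the thread and not SpamAssassin's SPF plugin. It implements only ip4: and all terms; the TXT data, the record for pittershawn.com and its permitted IP 192.0.2.25, and the envelope domain nosuchdomain.invalid are constructed, while the client 212.82.194.35 and HELO shavanova are the ones in Russell's headers.

```python
"""Which identity SPF evaluates: a minimal SPF checker for ip4/all records.

Added example, not from the thread and not SpamAssassin's SPF plugin. It
evaluates the two identities SPF defines (the HELO name and the envelope
MAIL FROM, which becomes the Return-path header) and has no code path for
the header From: at all, which is why a forged From: on its own can never
produce SPF_FAIL. Only "ip4:" and "all" terms are implemented; the DNS data,
the pittershawn.com record and its permitted IP are constructed placeholders.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]  # domain -> its TXT strings ([] if none)

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def find_spf_record(domain: str, resolve: Resolver) -> Optional[str]:
    """Exactly one TXT record starting with 'v=spf1' is usable (RFC 4408)."""
    found = [t for t in resolve(domain.lower())
             if t.lower() == "v=spf1" or t.lower().startswith("v=spf1 ")]
    return found[0] if len(found) == 1 else None


def check_host(ip: str, domain: str, resolve: Resolver) -> str:
    """check_host(<ip>, <domain>): pass/fail/softfail/neutral/none/permerror."""
    record = find_spf_record(domain, resolve)
    if record is None:
        return "none"  # no record: the receiver learns nothing, SPF_FAIL cannot fire
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        qual = "+"
        if term[0] in QUALIFIERS:  # optional qualifier prefix, e.g. "-all"
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "ip4":
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if addr.version == 4 and addr in net:
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]  # terminal: the verdict for everything unmatched
        # other mechanisms (a, mx, include, ...) are out of scope for this example
    return "neutral"  # record ran out without an "all" term


def spf_for_message(client_ip: str, helo: str, mail_from: str,
                    header_from: str, resolve: Resolver) -> Dict[str, str]:
    """SPF results for the identities a receiver checks at SMTP time.

    header_from is accepted only to make the point visible: it is never used.
    An empty MAIL FROM (a bounce) falls back to postmaster@<HELO>, per RFC 4408.
    """
    envelope = mail_from or "postmaster@" + helo
    mail_from_domain = envelope.rsplit("@", 1)[-1]
    return {
        "helo": check_host(client_ip, helo, resolve),
        "mailfrom": check_host(client_ip, mail_from_domain, resolve),
        "header_from": "not an SPF identity",
    }


# Constructed TXT data: the thread says pittershawn.com allows exactly one
# sending IP; 192.0.2.25 is a documentation-range placeholder for it.
FAKE_TXT = {
    "pittershawn.com": ["v=spf1 ip4:192.0.2.25 -all"],
}


def fake_resolve(domain: str) -> List[str]:
    return FAKE_TXT.get(domain, [])


if __name__ == "__main__":
    # The situation in the thread: forged From:, unrelated (and unresolvable)
    # envelope sender, client 212.82.194.35 with HELO "shavanova" from the headers.
    print(spf_for_message("212.82.194.35", "shavanova", "bounce@nosuchdomain.invalid",
                          "user@pittershawn.com", fake_resolve))
    # Had the spammer put pittershawn.com in MAIL FROM, the same connection would fail.
    print(spf_for_message("212.82.194.35", "shavanova", "user@pittershawn.com",
                          "user@pittershawn.com", fake_resolve))
```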
Re: Reduce the spam score
On Wed, 27 Feb 2008, Asif Iqbal wrote:
What is short of putting the sender email to white list to reduce the score of this email. It is a valid email. Here is the report

* 0.1 TW_XC BODY: Odd Letter Triples with XC
* 0.1 TW_KK BODY: Odd Letter Triples with KK
* 0.1 TW_GN BODY: Odd Letter Triples with GN
* 0.1 TW_BF BODY: Odd Letter Triples with BF
* 0.1 TW_GQ BODY: Odd Letter Triples with GQ
* 0.1 TW_TN BODY: Odd Letter Triples with TN
* 0.1 TW_NB BODY: Odd Letter Triples with NB
* 0.1 TW_GJ BODY: Odd Letter Triples with GJ
* 0.1 TW_VX BODY: Odd Letter Triples with VX
* 0.1 TW_NR BODY: Odd Letter Triples with NR
* 0.1 TW_KG BODY: Odd Letter Triples with KG
* 0.1 TW_GM BODY: Odd Letter Triples with GM
* 0.1 TW_WG BODY: Odd Letter Triples with WG
* 0.1 TW_HX BODY: Odd Letter Triples with HX
* 0.1 TW_TX BODY: Odd Letter Triples with TX
* 0.1 TW_KD BODY: Odd Letter Triples with KD
* 0.1 TW_WX BODY: Odd Letter Triples with WX
* 0.1 TW_VP BODY: Odd Letter Triples with VP
* 0.1 TW_LR BODY: Odd Letter Triples with LR
* 0.1 TW_FZ BODY: Odd Letter Triples with FZ
* 0.1 TW_FW BODY: Odd Letter Triples with FW
* 0.1 TW_VF BODY: Odd Letter Triples with VF
* 0.1 TW_SG BODY: Odd Letter Triples with SG
* 0.1 TW_GK BODY: Odd Letter Triples with GK
* 0.1 TW_WB BODY: Odd Letter Triples with WB

Those rules may not work well with non-english languages. If they don't detect real spam well for you, you may want to stop using them.

* -2.6 BAYES_00 BODY: Bayesian spam probability is 0 to 1%
*      [score: 0.]

You might want to make BAYES_00 score a little stronger (-3.0 or -4.0 maybe).

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Your mouse has moved. Your Windows Operating System must be relicensed due to this hardware change. Please contact Microsoft to obtain a new activation key. If this hardware change results in added functionality you may be subject to additional license fees. Your system will now shut down. Thank you for choosing Microsoft.
---
15 days until Albert Einstein's 129th Birthday
Re: [Fwd: Re: No SPF_FAIL flag, why?]
It is completely accurate and copied and pasted from the message file itself. I am running Exim. What configuration should I be looking at on how to block messages with return paths like that?

Dave Funk wrote:
On Wed, 27 Feb 2008, Matt wrote:
The MTA never really sees what's in the headers. It only adds to the headers. When an SMTP connection first begins the connecting MTA says helo this [EMAIL PROTECTED]. That's what SPF looks at. The MTA then adds that as the return path to the headers.

Actually there is a HELO hostname.domain field and then the RECPT FROM: [EMAIL PROTECTED] field. Both can be tested with SPF but it is the second (AKA envelope-from) which results in the Return-path header.

Return-path: [EMAIL PROTECTED]
That return path looks flaky. I would think spamassassin would have some way of considering it suspect, since it's not a valid domain. Not sure though.

If that accurately represents the message's envelope-from address then the OP has a problem at the MTA level. The MTA should do the most basic validation of the envelope-from (make sure that the domain name represents a valid domain via DNS). In that case the message should have been blocked at the MTA and never even made it to SA.
Re: Reduce the spam score
Daryl C. W. O'Shea wrote:
On 27/02/2008 6:18 PM, Asif Iqbal wrote:
What is short of putting the sender email to white list to reduce the score of this email. It is a valid email. Here is the report

As presented to SpamAssassin, it was not a valid email. It had no headers.

Daryl

Also, as presented to SpamAssassin, the body text has some really strange letter combinations, as is evidenced by the heavy hits of the TW_* rules from the tripwire add-on ruleset. This could be one of two causes:

1) there was a mime attachment, but due to lack of headers, SA didn't realize it was a mime message, and interpreted it as text.
2) the email isn't english. Tripwire is somewhat English-language centric and I would not advise using this add-on in a non-English environment.

However, I would say the problem Daryl pointed out is more important. SA didn't see a Subject: Date: or Message-ID: header. It also didn't find a blank line between what appears to be the start of the body. This leads me to suspect there's a mis-wrapped header or header with invalid characters in the name somewhere in your header block, and SA is assuming that the body starts right there.

One common mistake is to have a header name with a space in it.. ie:

My Header: something

is invalid and will confuse the parser.
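The failure mode Matt describes (a header name with a space in it ends the header block early, so everything after it is body and the MISSING_* rules fire), as an added Python example that is not SpamAssassin's parser. It applies the RFC 5322 field-name rule and the lenient "body starts here" behaviour from the post; the report names are the ones quoted earlier in this thread and both messages are constructed.

```python
"""Where the header block ends when a header name is malformed.

Added example, not SpamAssassin's parser. It applies the RFC 5322 rule for a
field name (printable US-ASCII, no space, no colon) and, like the lenient
behaviour Matt describes, treats the first line that is neither a field nor a
folded continuation as the start of the body. The rule names are those quoted
from the report earlier in this thread; the messages are constructed.
"""
import re
from typing import Dict, List, Tuple

# field-name = 1*ftext ; ftext = %d33-57 / %d59-126 (printable, except ':')
FIELD = re.compile(r"^([\x21-\x39\x3b-\x7e]+):(.*)$")

Header = Tuple[str, str]


def split_header_block(raw: str) -> Tuple[List[Header], List[str], bool]:
    """Return (headers, body_lines, saw_blank_separator)."""
    lines = raw.replace("\r\n", "\n").split("\n")
    headers: List[Header] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        if line == "":
            return headers, lines[i + 1:], True  # proper header/body separator
        if line[0] in " \t" and headers:  # folded continuation of the previous field
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            m = FIELD.match(line)
            if m is None:
                # Not a field, not a fold: the body starts here, with no blank line.
                return headers, lines[i:], False
            headers.append((m.group(1), m.group(2).strip()))
        i += 1
    return headers, [], False  # headers only, no body at all


def diagnose(raw: str) -> Dict[str, object]:
    """Mimic the MISSING_* observations from the report quoted in this thread."""
    headers, body, separated = split_header_block(raw)
    seen = {name.lower() for name, _ in headers}
    hits = []
    if "message-id" not in seen:
        hits.append("MISSING_MID")
    if "date" not in seen:
        hits.append("MISSING_DATE")
    if "subject" not in seen:
        hits.append("MISSING_SUBJECT")
    if "to" not in seen:
        hits.append("MISSING_HEADERS")
    if not separated:
        hits.append("MISSING_HB_SEP")
    return {
        "headers": [name for name, _ in headers],
        "body_starts_with": body[0] if body else "",
        "hits": hits,
    }


# Constructed message with the mistake Matt names: a space inside a field name.
BROKEN = "\n".join([
    "Return-path: <sender@example.org>",
    "From: sender@example.org",
    "My Header: something",  # invalid field name: header parsing stops here
    "To: user@example.com",
    "Subject: weekly report",
    "Date: Wed, 27 Feb 2008 10:00:00 -0600",
    "Message-ID: <1234@example.org>",
    "",
    "Hello, the report is attached.",
])

# Same message with a legal name; everything after it is parsed as headers again.
FIXED = BROKEN.replace("My Header:", "My-Header:")

if __name__ == "__main__":
    for label, msg in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, diagnose(msg))
```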