Re: office rule

2008-04-02 Thread ram
On Wed, 2008-04-02 at 10:23 -0700, Kelson wrote:
> ram wrote:
> > header __FROMOFFICE From  =~/office/i
> > header __SUBOFFICE  Subject  =~/office/i
> > 
> > meta OFFICERULE (__FROMOFFICE || __SUBOFFICE )
> > score OFFICERULE 4.0
> 
> And don't forget to add word boundaries.  You probably don't want it 
> matching on "officer"
> 
> header __FROMOFFICE From  =~/\boffice\b/i
> header __SUBOFFICE  Subject  =~/\boffice\b/i
> 

For the subject, yes.
But I think we should not check word boundary on the From. How about the
typical 419, which we are all sick of:

From: Claimsagent <[EMAIL PROTECTED]>

I assume the OP wants to target these



Re: can we make AWL ignore mail from self to self?

2008-04-02 Thread Bob Proulx
Jo Rhett wrote:
> Bob Proulx wrote:
> >I disagree with the premise that it is hard to forge mail from someone
> >you correspond with frequently.  It is equally easy to forge.
> 
> Easy to forge, but who to forge?  Hard for a spammer to know who I  
> correspond with frequently.  Myself is the only one a spammer could  
> guess.

Who to forge?  The answer is "Everyone!"  Any address that can be
obtained from a spam-virus infected PC and any address that can be
harvested from a web page.  Forge them all.  They are (mostly) valid
email addresses and will pass sender verification.  Send To: and From:
all of them.

Bob


Re: can we make AWL ignore mail from self to self?

2008-04-02 Thread John Hardin

On Wed, 2 Apr 2008, Jo Rhett wrote:

> On Apr 1, 2008, at 4:03 PM, John Hardin wrote:
>
>> If you don't scan mails that you know originated from you, then
>> they won't affect AWL for a forged message...
>
> Sorry, I'm not going to disable virus and bot protection just to avoid a
> mis-feature in another module.

Since when is SA an antivirus tool?

I'm only suggesting bypassing SA for mail that originates on the local
network and is destined to the local network.

> The right answer is a fix in the module.

I don't disagree. However, it's not the only way to address the problem.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The difference between ignorance and stupidity is that the stupid
  desire to remain ignorant. -- Jim Bacon
---
 11 days until Thomas Jefferson's 265th Birthday


Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread mouss

Jo Rhett wrote:
> On Apr 2, 2008, at 12:34 PM, mouss wrote:
>> no tuning on your side will help solving problems at the other side.
>> For example, I found that hotmail caches the value
>
> Yes, they cache the results of that DNS query for exactly how long you
> tell them to.

This is not my observation. After moving the MTA to another box, hotmail
started discarding mail. Testing for more than two weeks didn't change
anything. I never set up a TTL of two weeks.

I have already seen "abusive" DNS caches at large sites. This is why I
suspect this was a cache issue. But I may be wrong. Anyway, other broken
SPF implementations/setups were reported, so I am not very confident...

> If you want the SPF record cached less, reduce the TTL on that record.

I don't remember, but I think it was 12 or 24 hours. That's less than 2
weeks even counting jet lag around the globe.




Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread Jo Rhett

On Apr 2, 2008, at 12:34 PM, mouss wrote:
> no tuning on your side will help solving problems at the other
> side. For example, I found that hotmail cache the value

Yes, they cache the results of that DNS query for exactly how long
you tell them to.   If you want the SPF record cached less, reduce
the TTL on that record.


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: can we make AWL ignore mail from self to self?

2008-04-02 Thread Jo Rhett

On Apr 1, 2008, at 5:46 PM, Benny Pedersen wrote:
>> What I am pointing out is that AWL should not be used for
>> mail from self to self, because this is an easy forgery.
>
> explain why it's a problem when awl logs ip
>
>> AWL counts on the spammer not being able to forge someone you
>> correspond with normally.
>
> so problem is that awl tracks /16 which is mostly too wide ?
> will problem be solved if it was /32 ?

The answer to these questions is "I don't know".  It's not clear to
me how spamassassin deals with SMTP AUTH messages from localhost.  It
appears that in some situations SA skips the first Received header
and goes to the previous one.  That's why I asked the question about
which IP is used.

>> This is usually true, but forging your own address is trivial.
>
> yep, but ip should still limit the problem very much

I agree.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: can we make AWL ignore mail from self to self?

2008-04-02 Thread Jo Rhett

On Apr 1, 2008, at 4:03 PM, John Hardin wrote:
> If you don't scan mails that you know originated from you, then
> they won't affect AWL for a forged message...

Sorry, I'm not going to disable virus and bot protection just to
avoid a mis-feature in another module.

The right answer is a fix in the module.

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





Re: can we make AWL ignore mail from self to self?

2008-04-02 Thread Jo Rhett

I'm not worried about mail from self to self.  I'm annoyed because
AWL is decreasing the forged spam's score so far that the SPF failure
doesn't catch it.


On Apr 1, 2008, at 3:14 PM, Benny Pedersen wrote:
> INSERT INTO `awl` VALUES('amavis', '[EMAIL PROTECTED]', '80.166', 4, -14,
> '2008-04-02 00:02:15');
> INSERT INTO `awl` VALUES('amavis', '[EMAIL PROTECTED]', 'none', 1, -8.5,
> '2008-04-01 23:55:23');
>
> it seems it works here, none is when it's sent from localhost,
> 80.166 is when sent outside localhost, so problem is ?

Sorry, I don't understand your question.

I also don't see the value in having every possible mail account need
a setting like this manually inserted.  That's why I'm asking about a
fix in the module...


--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness
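
The following is an added model of the AWL arithmetic behind Jo's complaint; it is not SpamAssassin's code. It assumes the documented AWL rule (this message's score is moved toward the historical mean by (mean - score) * auto_whitelist_factor) with the default factor of 0.5, keys entries on the /16 of the last untrusted relay as the '80.166' row Benny posted shows, and uses 'none' for submissions with no untrusted IP. The table rows copy Benny's two entries with a placeholder address; the forged message scoring 8.0 and the other IPs are constructed. It goes one step beyond the thread by letting the key prefix length be changed, so the /32 variant Benny asked about can be compared.

```python
AUTO_WHITELIST_FACTOR = 0.5  # SpamAssassin default auto_whitelist_factor (assumed unchanged)


def awl_key(address, ip, prefix_octets=2):
    """Lookup key the way the AWL builds it: sender address plus the first
    two octets (/16) of the last untrusted relay, or 'none' when no
    untrusted IP is available (e.g. submitted from localhost).
    prefix_octets=4 models the /32 variant Benny asked about."""
    if ip is None:
        return (address.lower(), "none")
    return (address.lower(), ".".join(ip.split(".")[:prefix_octets]))


# Constructed AWL table modelled on Benny's two rows; the archive elided the
# address, so a placeholder is used: (username, email, ip, count, totscore)
AWL_ROWS = [
    ("amavis", "user@example.com", "80.166", 4, -14.0),
    ("amavis", "user@example.com", "none", 1, -8.5),
]


def awl_adjustment(table, address, ip, score_so_far,
                   factor=AUTO_WHITELIST_FACTOR, prefix_octets=2):
    """AWL correction for one message: (historical mean - this message's
    score) * factor, or 0.0 when the key has no history."""
    key = awl_key(address, ip, prefix_octets)
    for _user, email, ipkey, count, totscore in table:
        if (email.lower(), ipkey) == key and count > 0:
            mean = totscore / count
            return (mean - score_so_far) * factor
    return 0.0


def final_score(table, address, ip, score_so_far, **kw):
    """Score after the AWL rule has been applied."""
    return score_so_far + awl_adjustment(table, address, ip, score_so_far, **kw)


if __name__ == "__main__":
    REQUIRED = 3.8  # required= from the X-Spam-Status header Jo posted
    spam = 8.0      # constructed: a forgery of Jo's address that the other rules score 8.0
    cases = [("same /16 as history", "80.166.1.2", {}),
             ("localhost submission", None, {}),
             ("unrelated /16", "203.0.113.5", {}),
             ("same /16, /32 keys", "80.166.1.2", {"prefix_octets": 4})]
    for label, ip, kw in cases:
        total = final_score(AWL_ROWS, "user@example.com", ip, spam, **kw)
        verdict = "SPAM" if total >= REQUIRED else "ham"
        print(f"{label:22s} {spam:4.1f} -> {total:6.2f}  {verdict}")
```

With a mean of -3.5 stored for the /16, the forgery drops from 8.0 to 2.25 and lands under the 3.8 threshold, which is the effect Jo describes; the same formula also reproduces the AWL=0.720 on his test message if the stored mean for that key was 0 (0 - (-1.44) = 1.44, halved).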





Re: can we make AWL ignore mail from self to self?

2008-04-02 Thread Jo Rhett

On Apr 1, 2008, at 3:14 PM, Justin Mason wrote:
>> Sorry, I don't have the original messages any more.  (I looked) But it
>> wouldn't surprise me if the /16 matched.  The mail I send myself is
>> usually from Wifi or my phone carrier's GSM network, but accepted via
>> SMTP AUTH on the local machine.  So which address are you using?
>
> hmm, I'm not sure.  It depends on your trusted_networks setting.
> try running "spamassassin -D" and see what it logs...

I'm sorry -- feeling dense, how is this supposed to help?  From the
headers quoted below you know what spamassassin is seeing.  There's
nothing in trusted networks, I don't trust anything...

>> Here's an example.
>>
>> Return-Path: <[EMAIL PROTECTED]>
>> Received: from mail.netconsonance.com ([unix socket])
>>  by triceratops.netconsonance.com (Cyrus v2.3.9) with LMTPA;
>>  Tue, 01 Apr 2008 13:14:34 -0700
>> X-Sieve: CMU Sieve 2.3
>> Received: from [10.178.18.103] (m4a0e36d0.tmodns.net [208.54.14.74])
>>  (authenticated bits=0)
>>  by mail.netconsonance.com (8.14.1/8.14.1) with ESMTP id m31KE4ui014296
>>  for <[EMAIL PROTECTED]>; Tue, 1 Apr 2008 13:14:27 -0700 (PDT)
>>  (envelope-from [EMAIL PROTECTED])
>> X-Virus-Scanned: amavisd-new at netconsonance.com
>> X-Spam-Flag: NO
>> X-Spam-Score: -0.72
>> X-Spam-Level:
>> X-Spam-Status: No, score=-0.72 tagged_above=-999 required=3.8
>>  tests=[ALL_TRUSTED=-1.44, AWL=0.720]
>> From: "Jo Rhett" <[EMAIL PROTECTED]>
>> Subject: test awl
>> Date: 01 Apr 2008 13:14:00 -0700
>> To: <[EMAIL PROTECTED]>
>> X-Mailer: ChatterEmail+ for Treo 6xx/700p (3.0.8)
>> Message-ID: <[EMAIL PROTECTED]>
>>
>> --
>> from the cell phone of Jo Rhett
>> Network/Software Engineer
>> Network Consonance
>>
>> --
>> Jo Rhett
>> Net Consonance : consonant endings by net philanthropy, open source
>> and other randomness

--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source
and other randomness





Re: can we make AWL ignore mail from self to self?

2008-04-02 Thread Jo Rhett

On Apr 1, 2008, at 3:00 PM, Bob Proulx wrote:
> I have never been fond of AWL because the information it relies upon,
> the mail headers, is very easy to forge.  It depends too much upon

Yes, but they have to know who to forge.  Anyway, I'm not debating
its merits.  It works very, very well in our experience.  Except for
this one situation.

>> What I am pointing out is that AWL should not be used for mail from
>> self to self, because this is an easy forgery.
>
> It is all very easy to forge.  But self to self is very easy for the
> recipient to spot as a forgery.  (Unless they have a short memory and
> are very gullible. :-)

Not gullible, but I don't want to get an obvious spam in my mailbox.
SA knew it was spammy, but the AWL discounted the score.

> I disagree with the premise that it is hard to forge mail from someone
> you correspond with frequently.  It is equally easy to forge.

Easy to forge, but who to forge?  Hard for a spammer to know who I
correspond with frequently.  Myself is the only one a spammer could
guess.

Again, not debating its merits, just the implementation.
--
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source  
and other randomness





RE: spamassassin lint warnings

2008-04-02 Thread Michael Hutchinson
> -Original Message-
> From: Rodney Green [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 3 April 2008 12:35 a.m.
> To: users@spamassassin.apache.org
> Subject: Re: spamassassin lint warnings
> 
> Thanks Mike. However, I'm getting the same warnings for a majority of
> the .cf files in /var/lib/spamassassin/3.002004 and
> /etc/mail/spamassassin, not just the two files referenced in my
> original e-mail.
> 
> Rod

Hello, Rod

Sorry I seem to have missed the part before about your
/etc/mail/spamassassin files doing it as well, I was originally thinking
something went wrong with your updating system. But no, if your original
SA files are doing it too, something else is afoot.

Unfortunately, I don't know what. 

I would start questioning S.A's dependencies, ie: Perl modules. I had a
lot of problems when I was installing these via CPAN, and had to go get
the packages and install them manually. It might be worth checking the
dependency requirements of S.A for Perl modules, and making sure you're
up-to-date. 

It might also be a broader issue with Perl itself, although that is a
lot less likely. Are you running the required version of Perl for the
S.A version you are running? 

Hopefully someone with better experience than I have in this will pick up
the discussion and help too ;)

Cheers,
Mike



Re: Logging

2008-04-02 Thread James Wilkinson
Skip wrote:
> I am on a linux, shared hosting site (Bluehost.com).  I don't 
> know how I can get it into the startup script for that box, and I only have 
> access to my own home directory.  That may be a showstopper right there.  
> I'll have no way of knowing when they reboot the box.

Earlier, Matt Kettler wrote:
> Running from cron is only for things you want to run 
> at regular intervals. It is not a valid way for starting daemons (ie: 
> something you want to run once and leave running)

Actually, something like this (from man 5 crontab on Fedora 8) might be
relevant:

   These special time specification "nicknames" are supported, which
   replace the 5 initial time and date fields, and are prefixed by the "@"
   character:
   @reboot    :    Run once, at startup.

Skip may have permissions to edit his own crontab (with the crontab
command) and set a daemon going at reboot time.

There may be CPU time quota constraints, of course.

Hope this helps,

James.

-- 
E-mail: james@ |"Just for once, I wish we would encounter an alien
aprilcottage.co.uk | menace that wasn't immune to bullets..."
   | -- The Brigadier, 'Doctor Who'


Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread Martin Gregorie
On Wed, 2008-04-02 at 21:03, mouss wrote:
> He is apparently relaying via k2smtpout06-01.prod.mesa1.secureserver.net 
> which looks like an "official" godaddy server.
>
In that case I'm confused: I thought his problem was described as being
due to his MTA sending mail from a residential block of IPs.

The message I'm replying to came through
smtp01-02.prod.mesa1.secureserver.net on its way here. I would not
expect any of secureserver.net's outgoing MTAs to be blacklisted. They
evidently supply domain hosting and mail forwarding services to a number
of domain registrars: my registrar is not GoDaddy and is not AFAIK
associated with them.

Martin







Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread mouss

Martin Gregorie wrote:
> [snip]
> I use secureserver.net to host my domain name and I also run my own MTA.
> I don't suffer from this problem, so if he rearranges his setup so it is
> similar to mine the chances are the problem will go away.
>
> As I said, Secureserver.net is my domain host. Apart from having the
> definitive DNS records it does just two things for me:
> - it forwards e-mail to my ISP's mail server
> - it forwards web requests to my website host.
>
> I run Postfix as my MTA. It's configured to forward all outgoing mail to
> my ISP's mail server with a 'relay_host' directive. Other MTAs will
> probably have equivalent rules available. This way my sending IP doesn't
> appear in dynamic/residential blacklists.
>
> He could try a similar setup fairly easily. My guess is that he's using
> the same system as me to receive mail but is failing to direct outgoing
> mail through his ISP's MTA.

He is apparently relaying via k2smtpout06-01.prod.mesa1.secureserver.net
which looks like an "official" godaddy server.


Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread Martin Gregorie
On Wed, 2008-04-02 at 16:27, mouss wrote:
> Joseph Brennan wrote:
> >
> >
> > --On Wednesday, April 2, 2008 2:45 -0700 Loren Wilton 
> > <[EMAIL PROTECTED]> wrote:
> >
> >> Received: from k2smtpout06-01.prod.mesa1.secureserver.net
> >> ([64.202.189.102])
> >>  by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> >> 1jGWCE6yu3Nl34g0
> >>  for <[EMAIL PROTECTED]>; Wed, 2 Apr 2008 02:39:00 -0400 (EDT)
> >> Received: (qmail 12925 invoked from network); 2 Apr 2008 06:39:00 -
> >> Received: from unknown (HELO Pousada.com.br.secureserver.net)
> >> (72.167.52.118)
> >>   by k2smtpout06-01.prod.mesa1.secureserver.net (64.202.189.102) with
> >> ESMTP; 02 Apr 2008 06:39:00 -
> >
> >
> > Let me play dumb, because I don't understand the problem here.
> >
> > It looks to me like dynamic 72.167.52.118 submitted mail to its smtp
> > server 64.202.189.102.  Why is that bad?
> >
> >
> 
> My understanding is that his server _is_ 72.167.52.118. his From 
> indicates pousada.com.br:
> $ host -t mx pousada.com.br
> pousada.com.br mail is handled by 10 mail.pousada.com.br.
> $ host mail.pousada.com.br
> mail.pousada.com.br has address 72.167.52.118
> 
> so he has a generic rDNS:
> $ host 72.167.52.118
> 118.52.167.72.in-addr.arpa domain name pointer 
> ip-72-167-52-118.ip.secureserver.net
> 
> and this will cause delivery problems nowadays.
> 
> In addition, his server helos with Pousada.com.br.secureserver.net which 
> does not resolve.
> 
> and
> $ telnet 72.167.52.118 25
> ...
> 220 Pousada.com.br.secureserver.net ESMTP
> 
> so the hostname in the banner seems to be another one:
> $ host Pousada.com.br.secureserver.net
> Host Pousada.com.br.secureserver.net not found: 3(NXDOMAIN)
> 
I use secureserver.net to host my domain name and I also run my own MTA.
I don't suffer from this problem, so if he rearranges his setup so it is
similar to mine the chances are the problem will go away.

As I said, Secureserver.net is my domain host. Apart from having the
definitive DNS records it does just two things for me: 
- it forwards e-mail to my ISP's mail server
- it forwards web requests to my website host.

I run Postfix as my MTA. It's configured to forward all outgoing mail to
my ISP's mail server with a 'relay_host' directive. Other MTAs will
probably have equivalent rules available. This way my sending IP doesn't
appear in dynamic/residential blacklists. 

He could try a similar setup fairly easily. My guess is that he's using
the same system as me to receive mail but is failing to direct outgoing
mail through his ISP's MTA.
   
Martin




Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread mouss

Martin Gregorie wrote:
> On Wed, 2008-04-02 at 10:08, Justin Mason wrote:
>> John Hardin writes:
>>> On Tue, 1 Apr 2008, William Terry wrote:
>>>> Is there anything I can do to mitigate this?
>>>
>>> Do you publish SPF records?
>>
>> Logically this should have an effect, but in real-world terms, it doesn't.
>> So don't worry about it.
>
> SPF has worked well for me, but it has to be set up right.
> Use http://www.kitterman.com/spf/validate.html to define and test your
> SPF record.

no tuning on your side will help solving problems at the other side. For
example, I found that hotmail caches the value and if you add an
authorized MTA, it won't be accepted (hotmail silently discarded mail
from the new MTA, so I had to relay hotmail mail using the old MTA). I
suspect there are other brokerage out there, and this doesn't encourage
me to set up SPF records anymore...

Problems are better solved at the source. We hope that misconfigured
sites will be informed and will fix their setup. If not, blacklisting
seems to be the only way (as even filtering isn't effective since some
NDRs do not contain enough information).

Does anyone know if the backscatterer.org list is safe? If so, one can reject
mail if the envelope sender is empty and the client is listed there.





Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread Martin Gregorie
On Wed, 2008-04-02 at 10:08, Justin Mason wrote:
> John Hardin writes:
> > On Tue, 1 Apr 2008, William Terry wrote:
> > 
> > > Is there anything I can do to mitigate this?
> > 
> > Do you publish SPF records?
> 
> Logically this should have an effect, but in real-world terms, it doesn't.
> So don't worry about it.
> 
SPF has worked well for me, but it has to be set up right.
Use http://www.kitterman.com/spf/validate.html to define and test your
SPF record.

Martin




Re: office rule

2008-04-02 Thread Kelson

ram wrote:
> header __FROMOFFICE From  =~/office/i
> header __SUBOFFICE  Subject  =~/office/i
>
> meta OFFICERULE (__FROMOFFICE || __SUBOFFICE )
> score OFFICERULE 4.0

And don't forget to add word boundaries.  You probably don't want it
matching on "officer"

header __FROMOFFICE From  =~/\boffice\b/i
header __SUBOFFICE  Subject  =~/\boffice\b/i

--
Kelson Vibber
SpeedGate Communications 
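
The following is an added example, not Kelson's or SpamAssassin's own code, that runs both variants of the rule over constructed headers so the effect of the word boundaries can be seen without a SpamAssassin install. Python's re module treats "office" and "\boffice\b" with the i flag exactly as Perl does for these inputs, so what it reports holds for the header rules above. The From and Subject values are made up; the last one is a 419-style address of the kind ram's follow-up mentions, where "office" is glued to other letters and the bounded pattern therefore misses it.

```python
import re

# SpamAssassin header rules take Perl regexes; for these two patterns
# Python's re module matches exactly as Perl does.
UNBOUNDED = re.compile(r"office", re.IGNORECASE)     # ram's rule:    =~ /office/i
BOUNDED = re.compile(r"\boffice\b", re.IGNORECASE)   # Kelson's rule: =~ /\boffice\b/i

OFFICERULE_SCORE = 4.0  # "score OFFICERULE 4.0" from the thread


def officerule_score(from_header, subject, pattern):
    """Model of 'meta OFFICERULE (__FROMOFFICE || __SUBOFFICE)': the meta
    rule fires, and its score is added, when the pattern hits either the
    From header or the Subject."""
    if pattern.search(from_header) or pattern.search(subject):
        return OFFICERULE_SCORE
    return 0.0


# Constructed sample headers (not real mail), one per case raised in the
# thread.  Each value is (From, Subject).
SAMPLES = {
    "officer":   ('"News Desk" <news@example.org>', "Police officer honoured"),
    "office_xp": ('"Vendor" <security@example.net>', "Vulnerability in Office XP"),
    "ooo":       ('"Alice" <alice@example.com>', "Out of Office AutoReply: meeting"),
    "plain":     ('"Jo Rhett" <jo@example.com>', "test awl"),
    # 419-style From with "office" embedded in a longer word: the bounded
    # pattern does not hit it, which is ram's objection to boundaries on From.
    "scam":      ('"Claimsagent" <claims@lotteryoffice.example>', "Congratulations"),
}


def compare(samples=SAMPLES):
    """Return {name: (score with /office/i, score with /\\boffice\\b/i)}."""
    return {
        name: (officerule_score(frm, subj, UNBOUNDED),
               officerule_score(frm, subj, BOUNDED))
        for name, (frm, subj) in samples.items()
    }


if __name__ == "__main__":
    for name, (unbounded, bounded) in compare().items():
        print(f"{name:10s}  /office/i -> {unbounded:.1f}   /\\boffice\\b/i -> {bounded:.1f}")
```

Running it shows "officer" and the scam address only hitting the unbounded rule, while "Office XP" and the out-of-office autoreply hit both, which is the false-positive trade-off the rest of this thread is about.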


Re: purge byes in sql

2008-04-02 Thread Ken Menzel
Hi Miguel,
I run /usr/local/bin/sa-learn --force-expire daily with MySQL and it
works fine.

Here is an excellent slide show on using SQL with SA:
http://people.apache.org/~parker/presentations/MO13slides.pdf


You may also find these SQL queries helpful; I run them monthly.

# MYSQL, USER, PW, SERVER and DB are set earlier in the monthly job;
# placeholder values are shown here so the fragment runs on its own.
MYSQL=/usr/bin/mysql
USER=sa_user
PW=change-me
SERVER=localhost
DB=spamassassin

echo "Starting Monthly AWL purge - "
echo "Delete AWL entries older than 4 months"

$MYSQL -u$USER -p$PW -h$SERVER -e \
"SELECT count(*) AS 4MonthOld FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 4 MONTH);" \
$DB

$MYSQL -u$USER -p$PW -h$SERVER -e \
"DELETE FROM awl WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 4 MONTH);" \
$DB

echo "Delete AWL entries with only a single e-mail over 30 days old"

$MYSQL -u$USER -p$PW -h$SERVER -e \
"SELECT count(*) AS 30DayOldSingles FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 30 DAY);" \
$DB

$MYSQL -u$USER -p$PW -h$SERVER -e \
"DELETE FROM awl WHERE count = 1 AND lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 30 DAY);" \
$DB

echo "Check for insignificant scoring AWL entries"
# An entry is insignificant when its mean score (totscore/count) lies
# between -.1 and .1.  The original test compared both bounds against .1,
# which no row can satisfy, so the lower bound is -.1 here.
$MYSQL -u$USER -p$PW -h$SERVER -e \
"SELECT count(*) AS Insignificant FROM awl WHERE totscore/count < .1 AND totscore/count > -.1;" \
$DB

$MYSQL -u$USER -p$PW -h$SERVER -e \
"DELETE FROM awl WHERE totscore/count < .1 AND totscore/count > -.1;" \
$DB

$MYSQL -u$USER -p$PW -h$SERVER -e \
"SELECT count(*) AS TotalBayesSeen FROM bayes_seen;" \
$DB

echo "Delete bayes seen older than 1 month"

$MYSQL -u$USER -p$PW -h$SERVER -e \
"SELECT count(*) AS 1MonthOldBayesSeen FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 1 MONTH);" \
$DB

$MYSQL -u$USER -p$PW -h$SERVER -e \
"DELETE FROM bayes_seen WHERE lastupdate <= DATE_SUB(SYSDATE(), INTERVAL 1 MONTH);" \
$DB



Miguel wrote:
> Hi, does SA take care of purging old bayesian records stored in mysql
> similar to what it does to the traditional DB files?
>
> If not, what is the recommended procedure to do so?
> regards



Re: office rule

2008-04-02 Thread mouss

Jean-Paul Natola wrote:
> I was thinking of adding a rule that explicitly allows or does a -10 on
> "out of office autoreply" as a complete string
>
> If possible

Only do so conditionally. You don't want spam to slip through this way.

Anyway, you'll have a hard time finding all the cases that require
"whitelisting". How about

Subject: Directions for our office
From: "Christoff J. Iceland" <[EMAIL PROTECTED]>
Subject: Vulnerability in Office XP
...

The approach is flawed. A single word shouldn't be enough to tag mail as
spam.





RE: office rule

2008-04-02 Thread Jean-Paul Natola
I was thinking of adding a rule that explicitly allows or does a -10 on
"out of office autoreply" as a complete string

If possible



-Original Message-
From: Matus UHLAR - fantomas [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2008 11:45 AM
To: users@spamassassin.apache.org
Subject: Re: office rule

> On Wed, 2008-04-02 at 11:07 -0400, Jean-Paul Natola wrote:
> > Hi all,
> > 
> > I'd like to create a rule that scores 4 points if the word office is in
the
> > From field, or in the subject line 

On 02.04.08 21:07, ram wrote:
> Are you sure want to give 4 ?? 
> Any way YSYR ( your server your rules :-) )
> 
> 
> header __FROMOFFICE From  =~/office/i
> header __SUBOFFICE  Subject  =~/office/i

maybe you could use ReplaceTags plugin and use pattern //i
instead, however this needs something more to do (ifplugin etc)

> meta OFFICERULE (__FROMOFFICE || __SUBOFFICE )
> score OFFICERULE 4.0

> BTW This rule will hit this very mail , unless you are whitelisting sa
> list 

seconded. especially out-of-office  messages


-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: Bounce back spam

2008-04-02 Thread Dennis Davis
On Thu, 27 Mar 2008, Jeff Koch wrote:

> From: Jeff Koch <[EMAIL PROTECTED]>
> To: users@spamassassin.apache.org
> Date: Thu, 27 Mar 2008 22:53:52 -0400
> Subject: Bounce back spam
> 
> Our users are getting inundated with bounce-back, joe-job
> spam. We have the Vbounce.pm plugin enabled (v3.2.4) and have
> a 'whitelist_bounce_relays' with the name of the mailserver in
> the local.cf file and the 'failure notices', 'mail delay' and
> undeliverables don't seem to be getting any score at all.

For a non-SpamAssassin approach you might like to look at BATV:

http://en.wikipedia.org/wiki/Bounce_Address_Tag_Validation

http://tools.ietf.org/html/draft-levine-smtp-batv-00

http://mipassoc.org/batv/

BATV might interfere with some anti-spam measures, eg greylisting.
So you'd probably only want to turn it on for specific users
who are being badly affected.

Usual caveats apply:  I've no idea how difficult it would
be for you to install and I've never used it myself.
-- 
Dennis Davis, BUCS, University of Bath, Bath, BA2 7AY, UK
[EMAIL PROTECTED]   Phone: +44 1225 386101
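
The following is an added illustration of the prvs scheme the linked draft describes; it is not code from the BATV authors or from any MTA. The tag layout (prvs=K DDD SSSSSS=address, with K a key id, DDD the expiry day mod 1000 and SSSSSS a signature) follows the draft; the draft leaves the signature function to the signer, so the truncated HMAC-SHA256, the 7-day lifetime and the key constant are this example's own choices. The sender rewrites MAIL FROM with batv_sign; the bounce handler applies accept_bounce to the recipient of any message arriving with an empty envelope sender.

```python
import hmac
import hashlib
import re
import time

# prvs=<K><DDD><SSSSSS>=<original address>; K = key id, DDD = expiry day
# (days since the epoch, mod 1000), SSSSSS = 6 hex digits of signature.
PRVS_RE = re.compile(r"^prvs=(\d)(\d{3})([0-9a-f]{6})=(.+)$", re.IGNORECASE)


def _sig(key, key_id, expiry_day, address):
    """Signature over key id, expiry day and address (HMAC-SHA256 truncated
    to 6 hex digits: this example's choice, not mandated by the draft)."""
    msg = f"{key_id}{expiry_day:03d}{address.lower()}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def today():
    return int(time.time() // 86400)


def batv_sign(address, key, day=None, key_id=0, lifetime_days=7):
    """Tag an envelope sender so any bounce comes back to a signed,
    expiring address instead of the bare one."""
    day = today() if day is None else day
    expiry = (day + lifetime_days) % 1000
    return f"prvs={key_id}{expiry:03d}{_sig(key, key_id, expiry, address)}={address}"


def batv_verify(envelope_rcpt, key, day=None, key_id=0, lifetime_days=7):
    """Validate the recipient of an incoming bounce.  Returns
    (ok, reason, original_address); original_address is None when the
    recipient carries no tag at all."""
    day = today() if day is None else day
    m = PRVS_RE.match(envelope_rcpt)
    if not m:
        return (False, "untagged", None)
    kid, expiry, sig, address = int(m[1]), int(m[2]), m[3].lower(), m[4]
    if kid != key_id:
        return (False, "unknown key id", address)
    if not hmac.compare_digest(sig, _sig(key, kid, expiry, address)):
        return (False, "bad signature", address)
    # DDD wraps every 1000 days; a genuine tag expires at most
    # lifetime_days ahead of today, anything else is stale.
    remaining = (expiry - day % 1000) % 1000
    if remaining > lifetime_days:
        return (False, "expired", address)
    return (True, "ok", address)


def accept_bounce(envelope_rcpt, key, day=None):
    """Policy for a message with an empty envelope sender: accept only if it
    is addressed to a tag we issued that has not expired."""
    return batv_verify(envelope_rcpt, key, day)[0]


if __name__ == "__main__":
    key = b"example-secret-key"  # constructed; a deployment keeps this private
    tagged = batv_sign("user@example.com", key, day=14000)
    print("MAIL FROM:<%s>" % tagged)
    for rcpt, day in [(tagged, 14003), (tagged, 14010), ("user@example.com", 14003)]:
        print(day, rcpt, batv_verify(rcpt, key, day=day))
```

Because the expiry day is part of the tag, the envelope sender a remote site sees changes as the tag rolls over, and a greylisting site keys on that sender; that is the interaction Dennis warns about, and a reason to enable it only for the users who need it.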


Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread mouss

Joseph Brennan wrote:
> [snip]
>
> But 72.167.52.118 gave it to 64.202.189.102, and 64.202.189.102 is
> the mail server that sent it out to the recipient.
>
> Client software sends crazy stuff as helo.

client software does not insert qmail received headers. The message was
submitted on a qmail machine (probably by some application), then it
moved until 72.167.52.118 passed it to 64.202.189.102.

Also, "standard" clients insert an X-Mailer and other headers.

> I don't understand why
> 72.167.52.118's helo is being considered here.  72.167.52.118 did
> not connect directly to the recipient's system, earthlink.






Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread John Hardin

On Wed, 2 Apr 2008, Justin Mason wrote:

> John Hardin writes:
>> On Tue, 1 Apr 2008, William Terry wrote:
>>> Is there anything I can do to mitigate this?
>>
>> Do you publish SPF records?
>
> Logically this should have an effect, but in real-world terms, it
> doesn't. So don't worry about it.

Sure it won't if nobody ever publishes any SPF records.

> Instead, try enabling the vbounce ruleset...

Certainly, do that. But *also* publish SPF records so that the people who
*do* check SPF have a chance to reject forgeries proactively.

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 [EMAIL PROTECTED]    FALaholic #11174    pgpk -a [EMAIL PROTECTED]
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Public Education: the bureaucratic process of replacing
  an empty mind with a closed one.  -- Thorax
---
 11 days until Thomas Jefferson's 265th Birthday


Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread Joseph Brennan



--On Wednesday, April 2, 2008 17:27 +0200 mouss <[EMAIL PROTECTED]> wrote:

> Joseph Brennan wrote:
>> --On Wednesday, April 2, 2008 2:45 -0700 Loren Wilton
>> <[EMAIL PROTECTED]> wrote:
>>
>>> Received: from k2smtpout06-01.prod.mesa1.secureserver.net
>>> ([64.202.189.102])
>>>  by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
>>> 1jGWCE6yu3Nl34g0
>>>  for <[EMAIL PROTECTED]>; Wed, 2 Apr 2008 02:39:00 -0400 (EDT)
>>> Received: (qmail 12925 invoked from network); 2 Apr 2008 06:39:00 -
>>> Received: from unknown (HELO Pousada.com.br.secureserver.net)
>>> (72.167.52.118)
>>>   by k2smtpout06-01.prod.mesa1.secureserver.net (64.202.189.102) with
>>> ESMTP; 02 Apr 2008 06:39:00 -
>>
>> Let me play dumb, because I don't understand the problem here.
>>
>> It looks to me like dynamic 72.167.52.118 submitted mail to its smtp
>> server 64.202.189.102.  Why is that bad?
>
> My understanding is that his server _is_ 72.167.52.118. his From
> indicates pousada.com.br:
> $ host -t mx pousada.com.br
> pousada.com.br mail is handled by 10 mail.pousada.com.br.
> $ host mail.pousada.com.br
> mail.pousada.com.br has address 72.167.52.118

But 72.167.52.118 gave it to 64.202.189.102, and 64.202.189.102 is
the mail server that sent it out to the recipient.

Client software sends crazy stuff as helo.  I don't understand why
72.167.52.118's helo is being considered here.  72.167.52.118 did
not connect directly to the recipient's system, earthlink.


Joseph Brennan
Columbia University Information Technology


Re: office rule

2008-04-02 Thread Matus UHLAR - fantomas
> On Wed, 2008-04-02 at 11:07 -0400, Jean-Paul Natola wrote:
> > Hi all,
> > 
> > I'd like to create a rule that scores 4 points if the word office is in the
> > From field, or in the subject line 

On 02.04.08 21:07, ram wrote:
> Are you sure want to give 4 ?? 
> Any way YSYR ( your server your rules :-) )
> 
> 
> header __FROMOFFICE From  =~/office/i
> header __SUBOFFICE  Subject  =~/office/i

maybe you could use ReplaceTags plugin and use pattern //i
instead, however this needs something more to do (ifplugin etc)

> meta OFFICERULE (__FROMOFFICE || __SUBOFFICE )
> score OFFICERULE 4.0

> BTW This rule will hit this very mail , unless you are whitelisting sa
> list 

seconded. especially out-of-office  messages


-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
"The box said 'Requires Windows 95 or better', so I bought a Macintosh".


Re: office rule

2008-04-02 Thread ram
On Wed, 2008-04-02 at 11:07 -0400, Jean-Paul Natola wrote:
> Hi all,
>
> I'd like to create a rule that scores 4 points if the word office is in the
> From field, or in the subject line
>
Are you sure you want to give 4??
Anyway, YSYR (your server, your rules :-) )


header __FROMOFFICE From  =~/office/i
header __SUBOFFICE  Subject  =~/office/i

meta OFFICERULE (__FROMOFFICE || __SUBOFFICE )
score OFFICERULE 4.0



BTW This rule will hit this very mail, unless you are whitelisting the SA
list

Ram




Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread SM

At 02:45 02-04-2008, Loren Wilton wrote:
> Recently a guy posted on the list about the problems he has been
> having for a month trying to resolve problems with sending
> mail.  The posting made it appear the problem was a missing
> head-body separator in the mail he was sending.
>
> I've been talking with him, and that turns out to not be the problem
> at all. I think I know what his problems generally are at this
> point, but I don't know enough to be able to help him myself.  I'm
> including some of my analysis and suchlike here in the hope someone
> else can give him more help.
>
> I think his biggest problem is that he is in Brasil, and the
> problems with separating commercial addresses from dialup and DSL
> addresses, along with hostname problems in received headers are biting him.
>
> [snip]
>
> Can someone help him along from here?  He isn't really an email guy,
> so "PTR record" doesn't tell him how to fix things. Remember this is
> Brasil, so there may be difficulties in getting things set up
> properly.  Perhaps someone from there could offer some suggestions?

Could you ask him to send me an email off-list?

Regards,
-sm 



Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread mouss

Joseph Brennan wrote:
> --On Wednesday, April 2, 2008 2:45 -0700 Loren Wilton
> <[EMAIL PROTECTED]> wrote:
>
>> Received: from k2smtpout06-01.prod.mesa1.secureserver.net
>> ([64.202.189.102])
>>  by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
>> 1jGWCE6yu3Nl34g0
>>  for <[EMAIL PROTECTED]>; Wed, 2 Apr 2008 02:39:00 -0400 (EDT)
>> Received: (qmail 12925 invoked from network); 2 Apr 2008 06:39:00 -
>> Received: from unknown (HELO Pousada.com.br.secureserver.net)
>> (72.167.52.118)
>>   by k2smtpout06-01.prod.mesa1.secureserver.net (64.202.189.102) with
>> ESMTP; 02 Apr 2008 06:39:00 -
>
> Let me play dumb, because I don't understand the problem here.
>
> It looks to me like dynamic 72.167.52.118 submitted mail to its smtp
> server 64.202.189.102.  Why is that bad?

My understanding is that his server _is_ 72.167.52.118. his From
indicates pousada.com.br:

$ host -t mx pousada.com.br
pousada.com.br mail is handled by 10 mail.pousada.com.br.
$ host mail.pousada.com.br
mail.pousada.com.br has address 72.167.52.118

so he has a generic rDNS:
$ host 72.167.52.118
118.52.167.72.in-addr.arpa domain name pointer
ip-72-167-52-118.ip.secureserver.net

and this will cause delivery problems nowadays.

In addition, his server helos with Pousada.com.br.secureserver.net which
does not resolve.

and
$ telnet 72.167.52.118 25
...
220 Pousada.com.br.secureserver.net ESMTP

so the hostname in the banner seems to be another one:
$ host Pousada.com.br.secureserver.net
Host Pousada.com.br.secureserver.net not found: 3(NXDOMAIN)

oops.
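
The following is an added example, not code from anyone in this thread, that parses the quoted Received chain and applies the checks mouss ran by hand: does the HELO name resolve, is the rDNS of the client a generic per-IP name, and does the HELO match that rDNS. It runs offline against a constructed stand-in for DNS filled only with the host and telnet results he posted (other names are reported as unknown rather than guessed); the Received lines are re-joined copies of the quoted ones with the dates dropped. The first hop it reports is the only one the recipient's MX actually spoke to, which is Joseph's point about which HELO matters.

```python
import re

# Constructed copy of the quoted Received chain (whitespace re-joined,
# dates dropped).  Index 0 is the header nearest the recipient.
RECEIVED = [
    "from k2smtpout06-01.prod.mesa1.secureserver.net ([64.202.189.102]) "
    "by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id 1jGWCE6yu3Nl34g0",
    "(qmail 12925 invoked from network)",
    "from unknown (HELO Pousada.com.br.secureserver.net) (72.167.52.118) "
    "by k2smtpout06-01.prod.mesa1.secureserver.net (64.202.189.102) with ESMTP",
]

# Constructed stand-in for DNS, taken from mouss's host/telnet output.
# None means NXDOMAIN; a missing key means "not looked up".
DNS = {
    ("PTR", "72.167.52.118"): "ip-72-167-52-118.ip.secureserver.net",
    ("A", "mail.pousada.com.br"): "72.167.52.118",
    ("A", "pousada.com.br.secureserver.net"): None,
}

HOP_RE = re.compile(
    r"^from\s+(?P<helo_a>\S+)\s+\(\[?(?P<ip_a>\d+(?:\.\d+){3})\]?\)"          # sendmail/postfix style
    r"|^from\s+unknown\s+\(HELO\s+(?P<helo_b>\S+)\)\s+\((?P<ip_b>\d+(?:\.\d+){3})\)",  # qmail style
    re.IGNORECASE,
)
BY_RE = re.compile(r"\bby\s+(\S+)", re.IGNORECASE)


def parse_hops(received):
    """Return [(helo, ip, by)] for each Received header that records a
    network hop; qmail's 'invoked from network' lines carry no client
    address and are skipped."""
    hops = []
    for hdr in received:
        m = HOP_RE.match(hdr)
        if not m:
            continue
        helo = m.group("helo_a") or m.group("helo_b")
        ip = m.group("ip_a") or m.group("ip_b")
        by = BY_RE.search(hdr)
        hops.append((helo, ip, by.group(1) if by else None))
    return hops


def looks_generic(ptr, ip):
    """Heuristic: the rDNS name embeds the address's own octets."""
    return ip in re.sub(r"\D+", ".", ptr).strip(".")


def analyze(received, dns=DNS):
    """Per hop: HELO resolvable?, rDNS generic?, HELO equal to rDNS?
    'unknown' wherever the stand-in DNS has no data for the name."""
    report = []
    for helo, ip, by in parse_hops(received):
        ptr = dns.get(("PTR", ip), "unknown")
        helo_a = dns.get(("A", helo.lower()), "unknown")
        if ptr == "unknown":
            generic = matches = "unknown"
        elif ptr is None:  # no PTR record at all
            generic, matches = False, False
        else:
            generic = looks_generic(ptr, ip)
            matches = helo.lower() == ptr.lower()
        report.append({
            "ip": ip, "helo": helo, "by": by, "rdns": ptr,
            "helo_resolves": "unknown" if helo_a == "unknown" else helo_a is not None,
            "generic_rdns": generic,
            "helo_matches_rdns": matches,
        })
    return report


if __name__ == "__main__":
    for i, hop in enumerate(analyze(RECEIVED)):
        role = "connected to recipient MX" if i == 0 else "earlier hop"
        print(f"{hop['ip']:16s} HELO {hop['helo']} -> {hop['by']} ({role})")
        for k in ("rdns", "helo_resolves", "generic_rdns", "helo_matches_rdns"):
            print(f"    {k:18s} {hop[k]}")
```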




office rule

2008-04-02 Thread Jean-Paul Natola
Hi all,

I'd like to create a rule that scores 4 points if the word office is in the
From field, or in the subject line

Can someone help me there?


thx


J


Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread Joseph Brennan



--On Wednesday, April 2, 2008 2:45 -0700 Loren Wilton
<[EMAIL PROTECTED]> wrote:

> Received: from k2smtpout06-01.prod.mesa1.secureserver.net
> ([64.202.189.102])
>  by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
> 1jGWCE6yu3Nl34g0
>  for <[EMAIL PROTECTED]>; Wed, 2 Apr 2008 02:39:00 -0400 (EDT)
> Received: (qmail 12925 invoked from network); 2 Apr 2008 06:39:00 -
> Received: from unknown (HELO Pousada.com.br.secureserver.net)
> (72.167.52.118)
>   by k2smtpout06-01.prod.mesa1.secureserver.net (64.202.189.102) with
> ESMTP; 02 Apr 2008 06:39:00 -

Let me play dumb, because I don't understand the problem here.

It looks to me like dynamic 72.167.52.118 submitted mail to its smtp
server 64.202.189.102.  Why is that bad?


Joseph Brennan
Columbia University Information Technology


Re: how to unsubscribe to this group

2008-04-02 Thread mouss

Nigel Frankcom wrote:
> From the headers of all list emails
>
> list-help: 
> list-unsubscribe: 
> List-Post: 
> List-Id: 
> Delivered-To: mailing list users@spamassassin.apache.org

Why do you resend me what I've said?

> oh and for VBounce look at the documentation in your vbounce.cf... so
> try locate vbounce.cf you will probably have more than one version if
> you've run sa-update.

OP didn't ask about vbounce. It was someone else.



Re: how to unsubscribe to this group

2008-04-02 Thread Nigel Frankcom
From the headers of all list emails

list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 
Delivered-To: mailing list users@spamassassin.apache.org

oh and for VBounce look at the documentation in your vbounce.cf... so
try locate vbounce.cf you will probably have more than one version if
you've run sa-update.

HTH

Nigel

On Wed, 02 Apr 2008 14:18:28 +0200, mouss <[EMAIL PROTECTED]> wrote:

>Agnello George wrote:
>> how to unsubscribe to this group
>>
>>   
>
>
>It is amazing how many people succeed in subscribing and can't find out 
>how to unsubscribe...
>
>
>a Google search would easily lead to
>http://wiki.apache.org/spamassassin/MailingLists
>and reading that page shows how to unsubscribe (search for the string 
>unsubscribe inside that page).
>
>And if Google is not your friend, all the list messages contain the 
>following headers:
>
>list-help: 
>list-unsubscribe: 
>List-Post: 
>List-Id: 
>
>the second header above means that you need to send a message to
>   [EMAIL PROTECTED]
>
>


Re: how to unsubscribe to this group

2008-04-02 Thread Matt Kettler

Agnello George wrote:
> how to unsubscribe to this group

In the headers of every message on the list:

List-Unsubscribe: 




Re: how to unsubscribe to this group

2008-04-02 Thread mouss

Agnello George wrote:
> how to unsubscribe to this group

It is amazing how many people succeed in subscribing and can't find out
how to unsubscribe...

a Google search would easily lead to
   http://wiki.apache.org/spamassassin/MailingLists
and reading that page shows how to unsubscribe (search for the string
unsubscribe inside that page).

And if Google is not your friend, all the list messages contain the
following headers:

list-help: 
list-unsubscribe: 
List-Post: 
List-Id: 

the second header above means that you need to send a message to
[EMAIL PROTECTED]





Re: vbounce

2008-04-02 Thread mouss

Grant Peel wrote:
> - Original Message - From: "Henrik K" <[EMAIL PROTECTED]>
> To: 
> Sent: Wednesday, April 02, 2008 2:49 AM
> Subject: Re: vbounce
>
>> On Wed, Apr 02, 2008 at 08:30:37AM +0200, R.Smits wrote:
>>> Hi,
>>>
>>> We have exactly the same issue over here. I am very interested in a
>>> solution. If I look at the maillog file, I don't see a MY_SERVERS_FOUND
>>> triggered anywhere ?
>>
>> You are not supposed to see __MY_SERVERS_FOUND. It's a hidden rule,
>> thus the underscores in beginning.
>>
>> What you should see is at least ANY_BOUNCE_MESSAGE if a message looks
>> like a bounce.
>>
>> Are you using SpamAssassin 3.2.4? Anything before that might not work
>> at all because of this:
>> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5492
>
> What is a vbounce?

The name of a file containing rules to catch backscatter (abusive bounces).

At the time, a lot of anti-virus products used to send silly "virus
bounces" ("a virus was found in blah blah"), thus the name.


how to unsubscribe to this group

2008-04-02 Thread Agnello George
how to unsubscribe to this group

-- 
Regards
Agnello Dsouza
www.linux-vashi.blogspot.com
www.bible-study-india.blogspot.com


RE: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread Giampaolo Tomassoni
> -Original Message-
> From: Loren Wilton [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 02, 2008 11:46 AM
>
> Recently a guy posted on the list about the problems he has been having
> for a month trying to resolve problems with sending mail.  The posting
> made it appear the problem was a missing head-body separator in the mail
> he was sending.
>
> I've been talking with him, and that turns out to not be the problem at
> all.  I think I know what his problems generally are at this point, but I
> don't know enough to be able to help him myself.  I'm including some of
> my analysis and suchlike here in the hope someone else can give him more
> help.
>
> I think his biggest problem is that he is in Brasil, and the problems
> with separating commercial addresses from dialup and DSL addresses, along
> with hostname problems in received headers are biting him.
>
> Situation: there is a legit bed-and-breakfast that will send you a
> confirmation mail if you fill out their web reservation form.  Just like
> any hotel with online reservation.  The headers for one such mail look
> like:
>
> --
> X-Spam-Virus: No
> X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08)
> X-Spam-Level: **
> X-Spam-Status: No, score=0.7 required=5.0 tests=BAYES_50=0.001,
>  HELO_MISMATCH_NET=0.611,RDNS_NONE=0.1 autolearn=disabled
>  version=3.2.3
> Return-Path: <[EMAIL PROTECTED]>
> Received: from noehlo.host ([127.0.0.1])
>  by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
>  1jGWCF3RR3Nl34g0; Wed, 2 Apr 2008 02:39:01 -0400 (EDT)
> Received: from k2smtpout06-01.prod.mesa1.secureserver.net
>  ([64.202.189.102])
>  by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
>  1jGWCE6yu3Nl34g0
>  for <[EMAIL PROTECTED]>; Wed, 2 Apr 2008 02:39:00 -0400 (EDT)
> Received: (qmail 12925 invoked from network); 2 Apr 2008 06:39:00 -
> Received: from unknown (HELO Pousada.com.br.secureserver.net)
>  (72.167.52.118)
>  by k2smtpout06-01.prod.mesa1.secureserver.net (64.202.189.102) with
>  ESMTP; 02 Apr 2008 06:39:00 -
> Received: (qmail 21818 invoked by uid 48); 1 Apr 2008 23:38:59 -0700
> Date: 1 Apr 2008 23:38:59 -0700
> Message-ID: <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject:  Solicitacao de Informacoes ou de Reserva Enviada
> From: [EMAIL PROTECTED]
> Reply-To: [EMAIL PROTECTED]
> Content-type: text/plain; charset=iso-8859-1
> ---
>
> I think the problems are all in the received headers.  He has reports
> that AOL and other places are rejecting these confirmation messages.  He
> sent me an analysis he got from some email analysis company on the web:
>
> ---
> > > Having an PTR like ip-72-167-52-118.ip.secureserver.net does not
> > > look like someone had the intention to run a mailrelay on.
> > >
> > > With such an PTR you will not just be blocked by UCEPROTECT-Appliances,
> > > you can expect wide delivery problems out there.
> > >
> > > Big providers as AOL would also not accept mail from you at this
> > > time.
> > >
> > > See:http://postmaster.info.aol.com/guidelines/standards.html
> > >
> > > "AOL's mail servers will not accept connections from systems that
> > > use dynamically assigned or residential IP addresses."
> > >
> > > So my suggestion to you is to get individual PTR's for IP's you
> > > want to use as mailservers.
> --
>
> Can someone help him along from here?  He isn't really an email guy, so
> "PTR record" doesn't tell him how to fix things. Remember this is Brasil,
> so there may be difficulties in getting things set up properly.  Perhaps
> someone from there could offer some suggestions?

He has to contact secureserver.net in order to obtain a better PTR record.
The best one would be the one matching the name its server uses in
announcing to remotes. For example, if it announces as mx1.beb.br, then that
would be the best fq name for the PTR record.

But I believe this is not a mandatory requirement in SA, since it at most
checks for dialup and residential PTRs as well as for the contacting IP
matching the resolved MX-announced name (no PTR check here). However, many
ISPs may enforce this kind of check in their AS facilities.

Giampaolo

> Thanks,
>
> Loren



Re: vbounce

2008-04-02 Thread Grant Peel
- Original Message -
From: "Henrik K" <[EMAIL PROTECTED]>
To: 
Sent: Wednesday, April 02, 2008 2:49 AM
Subject: Re: vbounce


> On Wed, Apr 02, 2008 at 08:30:37AM +0200, R.Smits wrote:
>> Hi,
>>
>> We have exactly the same issue over here. I am very interested in a
>> solution. If I look at the maillog file, I don't see a MY_SERVERS_FOUND
>> triggered anywhere ?
>
> You are not supposed to see __MY_SERVERS_FOUND. It's a hidden rule, thus
> the underscores in beginning.
>
> What you should see is at least ANY_BOUNCE_MESSAGE if a message looks
> like a bounce.
>
> Are you using SpamAssassin 3.2.4? Anything before that might not work at
> all because of this:
> https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5492

What is a vbounce?

-Grant



Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread Dave Pooser
>> i see other types of backscatter that could be solved by using spf
> 
> only if spammers check spf before forging addresses, which I doubt...

I can say that since I started publishing SPF records at $DAYJOB we've seen
a gigantic reduction in backscatter. I think many spammers do try to avoid
using forged addresses from domains that publish DKIM/SPF records; that's a
simple check they can run to increase the chance of their spew hitting
inboxes instead of /dev/null.
-- 
Dave Pooser
Cat-Herder-in-Chief,Pooserville.com
"Jon, the CIA's credibility has never been lower. Crazy people no longer
believe the CIA is implanting a chip in their heads to listen to their
dreams. They just don't think they can pull it off. It's a sad day for
America when even our paranoid schizophrenics realize they don't need to
wear the aluminum foil hats anymore." -- Ed Helms, "The Daily Show"




Re: spamassassin lint warnings

2008-04-02 Thread Rodney Green
Thanks Mike. However, I'm getting the same warnings for a majority of
the .cf files in /var/lib/spamassassin/3.002004 and
/etc/mail/spamassassin, not just the two files referenced in my
original e-mail.

Rod

On Tue, Apr 1, 2008 at 9:07 PM, Michael Hutchinson
<[EMAIL PROTECTED]> wrote:
>
> > -Original Message-
>  > From: Rod G [mailto:[EMAIL PROTECTED]
>  > Sent: Wednesday, 2 April 2008 1:26 a.m.
>  > To: users@spamassassin.apache.org
>  > Subject: spamassassin lint warnings
>  >
>  > Hello. I'm running SA 3.2.4. When I run "spamassassin --lint -D" I get
>  > a bunch of warnings like those below. I'm seeing the same two warnings
>  > for many of the files in /var/lib/spamassassin/3.002004 and
>  > /etc/mail/spamassassin. Any ideas on how to fix these? Thanks!
>  >
>  >
>  > [32690] warn: "my" variable $l masks earlier declaration in same scope
>  > at /var/lib/spamassassin/3.002004/updates_spamassassin_
>  > org/72_active.cf, rule __DOS_I_AM_25, line 14.
>  > [32690] warn: Global symbol "$scoresptr" requires explicit package
>  > name at /var/lib/spamassassin/3.002004/updates_spamassassin
>  > _org/20_advance_fee.cf, rule __FRAUD_NRG, line 12.
>
>  Hi There,
>
>  Turns out I pull the same rule updates and these files are included.
>  (20_advance_fee.cf and 72_active.cf)
>  I looked through my files, and could not find reference to the errors
>  you're getting - I wonder if your install of S.A is sane - have you
>  upgraded S.A recently?
>
>  Then again, I am on version 3.1.7 so that may be why I don't see the
>  exact same file.
>
>  Perhaps you could try deleting those two files, and re-running sa-update
>  to pull them down, and then try linting again?
>
>  Cheers,
>  Mike
>
>
>



-- 
"The Internet is a telephone system that's gotten uppity."
- Clifford Stoll


Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread ram
On Wed, 2008-04-02 at 10:42 +0200, mouss wrote:
> Benny Pedersen wrote:
> > On Wed, April 2, 2008 02:06, William Terry wrote:
> >   
> >> I mostly lurk here, gleaning bits of wisdom from those far more
> >> knowledgeable than me, however...
> >> 
> >
> > i have no clue either :-)
> >
> >   
> >> I am getting a dramatic increase in bounce messages with my domain
> >> forged sent to me.  At least some of the messages still retain the
> >> headers so I can tell that we did not originate the message.  I also
> >> know that there is probably little I can do to keep them coming.
> >> 
> >
> > http://openspf.org/ one could add spf to domain, and hope bouncers get a 
> > clue
> > when bouncing and not rejecting spam :/
> >
> >   
> 
> if they had a clue, they wouldn't accept-then-bounce.
> >> I'm just wondering if anyone else is seeing a dramatic rise in these
> >> messages?  Is there anything I can do to mitigate this?
> >> 
> >
> > i see other types of backscatter that could be solved by using spf
> >   
> 
> only if spammers check spf before forging addresses, which I doubt...
> 
I think they do, because a SPF_FAIL would land their mail in spam
folders.

I have been flooded with backscatter before on domains that didn't
have SPF records. The moment I put SPF records in, I saw the backscatter
disappear. It may have been coincidental that spammers stopped forging
that domain and moved on.

BTW, how does vbounce work? Is there a good link somewhere?



Re: Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread Per Jessen
Loren Wilton wrote:

> ---
>> > Having an PTR like ip-72-167-52-118.ip.secureserver.net does not
>> > look like someone had the intention to run a mailrelay on.
>> >
>> > With such an PTR you will not just be blocked by
>> > UCEPROTECT-Appliances, you can expect wide delivery problems out
>> > there.
>> >
>> > So my suggestion to you is to get individual PTR's for IP's you
>> > want to use as mailservers.
> --
> 
> Can someone help him along form here?  He isn't really an email guy,
> so "PTR record" doesn't tell him how to fix things. Remember this is
> Brasil, so there may be difficulties in getting things set up
> properly.  Perhaps someone from there could offer some suggestions?

The explanation you're quoting is pretty good - the mailserver is on
ip-72-167-52-118.ip.secureserver.net, which just does not look like a
mail-server.
He really needs to start by getting 'secureserver.net' to set up a
proper reverse mapping:

72.167.52.118 pointing to 'mail.pousada.com.br'.

This is also called a PTR record.


/Per Jessen, Zürich



Help for Bed-n-Breakfast in Brasil

2008-04-02 Thread Loren Wilton
Recently a guy posted on the list about the problems he has been having for 
a month trying to resolve problems with sending mail.  The posting made it 
appear the problem was a missing head-body separator in the mail he was 
sending.


I've been talking with him, and that turns out to not be the problem at all. 
I think I know what his problems generally are at this point, but I don't 
know enough to be able to help him myself.  I'm including some of my 
analysis and suchlike here in the hope someone else can give him more help.


I think his biggest problem is that he is in Brasil, and the problems with 
separating commercial addresses from dialup and DSL addresses, along with 
hostname problems in received headers are biting him.


Situation: there is a legit bed-and-breakfast that will send you a 
confirmation mail if you fill out their web reservation form.  Just like any 
hotel with online reservation.  The headers for one such mail look like:


--
X-Spam-Virus: No
X-Spam-Checker-Version: SpamAssassin 3.2.3 (2007-08-08)
X-Spam-Level: **
X-Spam-Status: No, score=0.7 required=5.0 tests=BAYES_50=0.001,
 HELO_MISMATCH_NET=0.611,RDNS_NONE=0.1 autolearn=disabled
 version=3.2.3
Return-Path: <[EMAIL PROTECTED]>
Received: from noehlo.host ([127.0.0.1])
 by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
 1jGWCF3RR3Nl34g0; Wed, 2 Apr 2008 02:39:01 -0400 (EDT)
Received: from k2smtpout06-01.prod.mesa1.secureserver.net ([64.202.189.102])
 by mx-pigeons.atl.sa.earthlink.net (EarthLink SMTP Server) with SMTP id
 1jGWCE6yu3Nl34g0
 for <[EMAIL PROTECTED]>; Wed, 2 Apr 2008 02:39:00 -0400 (EDT)
Received: (qmail 12925 invoked from network); 2 Apr 2008 06:39:00 -
Received: from unknown (HELO Pousada.com.br.secureserver.net)
 (72.167.52.118)
 by k2smtpout06-01.prod.mesa1.secureserver.net (64.202.189.102) with ESMTP;
 02 Apr 2008 06:39:00 -
Received: (qmail 21818 invoked by uid 48); 1 Apr 2008 23:38:59 -0700
Date: 1 Apr 2008 23:38:59 -0700
Message-ID: <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject:  Solicitacao de Informacoes ou de Reserva Enviada
From: [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Content-type: text/plain; charset=iso-8859-1
---

I think the problems are all in the received headers.  He has reports that 
AOL and other places are rejecting these confirmation messages.  He sent me 
an analysis he got from some email analysis company on the web:


---
> Having an PTR like ip-72-167-52-118.ip.secureserver.net does not look
> like someone had the intention to run a mailrelay on.
>
> With such an PTR you will not just be blocked by UCEPROTECT-Appliances,
> you can expect wide delivery problems out there.
>
> Big providers as AOL would also not accept mail from you at this time.
>
> See:http://postmaster.info.aol.com/guidelines/standards.html
>
> "AOL's mail servers will not accept connections from systems that use
> dynamically assigned or residential IP addresses."
>
> So my suggestion to you is to get individual PTR's for IP's you want to
> use as mailservers.
--

Can someone help him along from here?  He isn't really an email guy, so "PTR
record" doesn't tell him how to fix things. Remember this is Brasil, so
there may be difficulties in getting things set up properly.  Perhaps
someone from there could offer some suggestions?


Thanks,

   Loren
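The checks mouss ran by hand earlier in this thread (forward A record, reverse PTR, whether the HELO name resolves), the analysis Loren quotes (a provider-generated PTR name), and the fix Giampaolo and Per Jessen describe (a PTR that matches the name the server announces and resolves back to the address) all reduce to one consistency test. The code below is an added example, not code from the thread or from SpamAssassin; the DNS answers come from a constructed in-memory table that mirrors the lookups quoted above instead of live queries, and the rule names in comments only relate each finding to the tests visible in the X-Spam-Status header.

```python
import re

# Constructed stand-in for live DNS.  The entries mirror the lookups quoted
# in this thread (A records and the PTR of 72.167.52.118 in April 2008);
# a real check would query a resolver and pass the answers in the same shape.
FORWARD = {
    "mail.pousada.com.br": ["72.167.52.118"],
    "ip-72-167-52-118.ip.secureserver.net": ["72.167.52.118"],
}
REVERSE = {
    "72.167.52.118": ["ip-72-167-52-118.ip.secureserver.net"],
}


def looks_generic(ptr, ip):
    """True when the PTR name embeds the address octets in order (or in
    reverse), the pattern of provider-generated dynamic or generic rDNS."""
    octets = ip.split(".")
    runs = re.findall(r"\d+", ptr)
    for seq in (octets, octets[::-1]):
        for i in range(len(runs) - 3):
            if runs[i:i + 4] == seq:
                return True
    return False


def assess_sending_host(ip, helo, forward=FORWARD, reverse=REVERSE):
    """Return the reasons a receiving MTA might distrust this host.

    An empty list means: a PTR exists, it is not a generic provider name,
    it resolves back to the address (forward-confirmed rDNS), and the HELO
    name resolves to the connecting address."""
    issues = []
    ptrs = reverse.get(ip, [])
    if not ptrs:
        issues.append(f"{ip} has no PTR record")            # cf. RDNS_NONE
    for ptr in ptrs:
        if looks_generic(ptr, ip):
            issues.append(f"generic reverse name {ptr}")    # cf. RDNS_DYNAMIC
        if ip not in forward.get(ptr.lower(), []):
            issues.append(f"PTR {ptr} does not resolve back to {ip}")
    helo_ips = forward.get(helo.lower())
    if helo_ips is None:
        issues.append(f"HELO name {helo} does not resolve")  # cf. HELO_MISMATCH_NET
    elif ip not in helo_ips:
        issues.append(f"HELO name {helo} resolves to {helo_ips}, not {ip}")
    return issues


if __name__ == "__main__":
    # The situation in the thread: generic PTR, HELO name that does not exist.
    for issue in assess_sending_host("72.167.52.118", "Pousada.com.br.secureserver.net"):
        print("problem:", issue)
    # After the provider points the PTR at the name the server announces.
    fixed_reverse = {"72.167.52.118": ["mail.pousada.com.br"]}
    print("after fix:", assess_sending_host("72.167.52.118", "mail.pousada.com.br",
                                            reverse=fixed_reverse) or "no issues")
```

The "after fix" case is exactly Per Jessen's suggestion: reverse 72.167.52.118 to mail.pousada.com.br and announce that same name in HELO, so both the PTR and the HELO name round-trip to the connecting address.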



Re: mail from dialups via ISP MTA

2008-04-02 Thread Matus UHLAR - fantomas
> On Tuesday 01 April 2008 16:06:25 Matus UHLAR - fantomas wrote:
> > > On Monday 31 March 2008 22:53:45 Matus UHLAR - fantomas wrote:
> > > > Such IP's are thus not designed to send mail directly to recipients -
> > > > users have to send mail through mailserver with static IP that can
> > > > autenticate them.
> >
> > On 31.03.08 22:06, Arvid Ephraim Picciani wrote:
> > > True. The problem is, thats exactly what happened but SA matched the
> > > sender anyway becouse he's in the received headers.
> >
> > iirc they only matched RDNS_DYNAMIC which means "reverse DNS looks like 
> > dynamic". That scores 0.1 points and only scores more in combination with
> > other rules. However changing the DNS should help.

On 01.04.08 17:20, Arvid Ephraim Picciani wrote:
> actually i mean SORBS and NJABL.  they matched the sender.

if we are still talking about mail from 66-211-213-17.velocity.net
[66.211.213.17], they were not matched by any dynamic lists.

Your first mail indicates a problem with a different IP, and this IP only
matches RDNS_DYNAMIC.

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
M$ Win's are shit, do not use it !


Re: vbounce

2008-04-02 Thread Justin Mason

JP Kelly writes:
> yay i finally had the pleasure of getting joe jobbed!
> 
> so i am looking at vbounce. i think it is working but when i  
> intentionally bounce to myself the by sending to a non existent  
> address,  whitelist_bounce_relays does not seem to trigger. searching  
> the archives i noticed that this may have been a bug but i did not see  
> if it was fixed. any ideas?

bear in mind, a "local" bounce may look different from a "remote"
bounce.  It needs to be a bounce generated by a remote system.

--j.
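To make concrete what mouss (the vbounce rules "catch backscatter, abusive bounces"), Henrik K (a visible ANY_BOUNCE_MESSAGE plus a hidden __MY_SERVERS_FOUND check) and ram's "how does vbounce work" question are getting at, here is the logic written out as an added example. It is not the VBounce plugin's own code: the relay names play the role of `whitelist_bounce_relays`, and the three sample messages are constructed. The classifier first decides from the top-level headers whether a message is a bounce at all, then looks for our own relay in the Received: lines quoted inside the bounce body; a bounce of a message that never passed through our relays is backscatter.

```python
import re

# Assumption: the hosts that legitimately relay our outbound mail.  In
# SpamAssassin this is what whitelist_bounce_relays lists.
MY_RELAYS = {"mx1.example.net", "mx2.example.net"}

# Header-side signs that a message is a bounce or delivery status report.
BOUNCE_HINTS = [
    re.compile(r"^From:.*\b(MAILER-DAEMON|postmaster)\b", re.I | re.M),
    re.compile(r"^Content-Type:\s*multipart/report\b", re.I | re.M),
    re.compile(r"^Subject:.*(undeliver|returned mail|delivery (status|failure))", re.I | re.M),
]


def split_message(raw):
    """Top-level headers and body, split at the first empty line."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    return head, body


def looks_like_bounce(head):
    return any(p.search(head) for p in BOUNCE_HINTS)


def embedded_received(body):
    """Received: lines quoted inside the bounce body, i.e. the original
    message's trace headers, with folded continuation lines joined."""
    unfolded = re.sub(r"\n[ \t]+", " ", body)
    return [line for line in unfolded.splitlines()
            if line.lower().startswith("received:")]


def my_servers_found(received_lines, relays=MY_RELAYS):
    """True if a quoted Received: line names one of our relays as the host
    the message came from or was received by."""
    for line in received_lines:
        for host in re.findall(r"\b(?:from|by)\s+([A-Za-z0-9.-]+)", line, re.I):
            if host.lower() in relays:
                return True
    return False


def classify(raw, relays=MY_RELAYS):
    head, body = split_message(raw)
    if not looks_like_bounce(head):
        return "not_a_bounce"
    if my_servers_found(embedded_received(body), relays):
        return "legit_bounce"      # our relay did send the original
    return "backscatter"           # bounce of mail we never sent


# Constructed samples.  The forged original in the first one never touched
# our relays; the second one did.
BACKSCATTER_SAMPLE = """\
From: MAILER-DAEMON@relay.example.org
To: victim@example.net
Subject: Undelivered Mail Returned to Sender
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

This message could not be delivered.

--b1
Content-Type: message/rfc822

Received: from unknown (HELO pc-1234.dyn.example.com) (198.51.100.23)
  by relay.example.org with ESMTP; 2 Apr 2008 06:39:00 -0000
From: victim@example.net
To: nobody@relay.example.org
Subject: cheap stuff

...
--b1--
"""

LEGIT_SAMPLE = BACKSCATTER_SAMPLE.replace(
    "from unknown (HELO pc-1234.dyn.example.com) (198.51.100.23)",
    "from mx1.example.net (mx1.example.net [192.0.2.10])")

ORDINARY_SAMPLE = "From: alice@example.net\nTo: bob@example.net\nSubject: lunch tomorrow?\n\nSee you at noon.\n"

if __name__ == "__main__":
    for label, raw in [("backscatter", BACKSCATTER_SAMPLE),
                       ("legit", LEGIT_SAMPLE), ("ordinary", ORDINARY_SAMPLE)]:
        print(f"{label:12s} -> {classify(raw)}")
```

As Justin notes above, a bounce your own MTA generates locally can look different from one a remote system produces (it may carry no quoted remote trace headers at all), so test a setup like this against a bounce that really came back from a remote site.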


Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread Justin Mason

John Hardin writes:
> On Tue, 1 Apr 2008, William Terry wrote:
> 
> > Is there anything I can do to mitigate this?
> 
> Do you publish SPF records?

Logically this should have an effect, but in real-world terms, it doesn't.
So don't worry about it.

Instead, try enabling the vbounce ruleset...

--j.


Re: mail from dialups via ISP MTA

2008-04-02 Thread Yet Another Ninja

On 4/1/2008 5:43 PM, Arvid Ephraim Picciani wrote:
> and another mail false positive:
>
>  2.2 RCVD_IN_BL_SPAMCOP_NET RBL: Received via a relay in bl.spamcop.net
>   [Blocked - see ]
>  1.1 RCVD_IN_SORBS_WEB  RBL: SORBS: sender is a abuseable web server
> [91.151.146.244 listed in dnsbl.sorbs.net]
>
> again a perfectly valid login into gmail.
> So if you want to damage an ISP you're going to run some open proxies on dynips
> and voila the next user having that ip gets blocked. I don't get it.

how does this apparently infected source relate to gmail?

http://www.spamhaus.org/query/bl?ip=91.151.146.244

http://cbl.abuseat.org/lookup.cgi?ip=91.151.146.244&.submit=Lookup

It was detected at 2008-04-01 15:00 GMT (+/- 30 minutes), approximately
3 hours ago.

if you hit that IP via HTTP you reach some home router web interface.

good thing it's listed - who knows how many infected boxes sit behind
that toy.

It's a valid bot-infected botnet IP.

If this is a false positive - pls re-check the meaning of "false positive"





Re: Dramatic increase in bounce messages to forged addresses

2008-04-02 Thread mouss

Benny Pedersen wrote:
> On Wed, April 2, 2008 02:06, William Terry wrote:
>> I mostly lurk here, gleaning bits of wisdom from those far more
>> knowledgeable than me, however...
>
> i have no clue either :-)
>
>> I am getting a dramatic increase in bounce messages with my domain
>> forged sent to me.  At least some of the messages still retain the
>> headers so I can tell that we did not originate the message.  I also
>> know that there is probably little I can do to keep them coming.
>
> http://openspf.org/ one could add spf to domain, and hope bouncers get a clue
> when bouncing and not rejecting spam :/

if they had a clue, they wouldn't accept-then-bounce.

>> I'm just wondering if anyone else is seeing a dramatic rise in these
>> messages?  Is there anything I can do to mitigate this?
>
> i see other types of backscatter that could be solved by using spf

only if spammers check spf before forging addresses, which I doubt...