Re: yahoo.com acknowledges no control over third party email from their mail servers
From: John Hardin [EMAIL PROTECTED]
Date: Thu, 15 May 2008 10:32:29 -0700 (PDT)
To: Michael Scheidell [EMAIL PROTECTED]
Cc: SpamAssassin Users List users@spamassassin.apache.org
Subject: Re: yahoo.com acknowledges no control over third party email from their mail servers

How the hell can they disown that? The rDNS is from a domain they control!

Didn't disown it, just said it didn't come from a yahoo.com authorized source, ie: they have open third party relay and just allow random spammers to use their servers. I get that email response from them 75% of the time, which means (according to yahoo.com) that 75% of the spam coming from yahoo.com DKIM signed servers is from third parties, not authorized yahoo.com users.

--
Michael Scheidell, CTO | SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
Fraud spam text in .doc attachments
Hi, Any one else seen emails with word documents attached and the word document has text of an 'African fraud'? example: http://pastebin.com/mad34c97 I've not seen a Word Doc plugin for SpamAssassin, is there one? Thanks! -- Andrew Hearn
Re: inconsistent scoring issue?
On Thu, May 15, 2008 at 08:53:57PM +0200, Karsten Bräckelmann wrote:

Yes. Hence my question about mail hitting URIBL_BLACK on the first run, unlike that one example. The point is, whether *no* mail hits URIBL_BLACK, or at least *some* mail does. Do you get any URIBL_BLACK hits at all? Is that one example you pasted exemplary for all your incoming mail, never hitting URIBL_BLACK -- or is this an isolated case not triggering the BL? The answer to this might hint where to look next...

Ah, gotcha. Yes, some messages do hit URIBL_BLACK; all examples that I've found so far are also (properly) identified as spam. I'm thinking you're probably right that this is a timing issue. I just checked another message that had different scoring results. The initial message was received on 5/15 at 1156UTC and did not hit URIBL_BLACK. I fed it to SA manually at 1203UTC and it DID hit URIBL_BLACK. I looked up the URI in question and it was listed on 5/15 at 1153UTC.

--Jeff
RE: yahoo.com acknowledges no control over third party email from their mail servers
-Original Message-
From: Michael Scheidell [mailto:[EMAIL PROTECTED]
Sent: Friday, May 16, 2008 7:46 AM
To: John Hardin
Cc: SpamAssassin Users List
Subject: Re: yahoo.com acknowledges no control over third party email from their mail servers

How the hell can they disown that? The rDNS is from a domain they control!

Didn't disown it, just said it didn't come from a yahoo.com authorized source, ie: they have open third party relay and just allow random spammers to use their servers. I get that email response from them 75% of the time, which means (according to yahoo.com) that 75% of the spam coming from yahoo.com DKIM signed servers is from third parties, not authorized yahoo.com users.

If you get testy with them and mail them back and forth about it, and include links to the whois/dig output *proving* that they are lying/hiding/whatever, they will eventually fess up, and a day or so later, you should receive the standard "We have taken appropriate action against the user in question" (yadda-yadda) email.

...Whether or not they actually *do* anything is obviously an unknown, however, I agree that this is just *bad*, so I tend to call them on it every time if I can/have the time.

IOTW - I'm not exactly on Elmer's buddy-list... ;)
MySQL Unreliable
Need a little help for MySQL users. I'm running several servers that are using a common MySQL server for bayes for all the SA servers. What I'm seeing is that MySQL is just plain unreliable. The database is often corrupted and it does so in a manner that basically causes SA to hang until it times out. I'm not sure what I'm doing wrong or if there's some my.cnf settings I'm missing. I could use some tips from those of you who are hitting MySQL hard or might suggest something other than MySQL that I should use for bayes. Thanks in advance.
Re: MySQL Unreliable
At 06:30 16-05-2008, Marc Perkel wrote: I'm running several servers that are using a common MySQL server for bayes for all the SA servers. What I'm seeing is that MySQL is just plain unreliable. The database is often corrupted and it does so in a manner that basically causes SA to hang until it times out. Don't use MyISAM. http://dev.mysql.com/doc/mysql/en/innodb.html Regards, -sm
Re: MySQL Unreliable
Marc Perkel wrote:

Need a little help for MySQL users. I'm running several servers that are using a common MySQL server for bayes for all the SA servers. What I'm seeing is that MySQL is just plain unreliable. The database is often corrupted and it does so in a manner that basically causes SA to hang until it times out. I'm not sure what I'm doing wrong or if there's some my.cnf settings I'm missing. I could use some tips from those of you who are hitting MySQL hard or might suggest something other than MySQL that I should use for bayes. Thanks in advance.

We use innodb for all the sa_bayes tables. Here's some tuning settings we use in my.cnf for the server:

query_cache_limit = 1M
query_cache_size = 12M
query_cache_type = 1
innodb_additional_mem_pool_size=12M
innodb_buffer_pool_size=70M
innodb_log_file_size=10M
Spam Assassin
Does the Spam Assassin work on Mac's? Thank you for your help. -- Michelle Acosta Bookkeeper/Office Manager The TEAK Fellowship 16 West 22nd Street, 3rd Fl. New York, NY 10010 Tel: (212) 288-6678, ext. 109 Fax: (212) 288-5058
Re: inconsistent scoring issue?
On Fri, 16 May 2008, Jeff Aitken wrote:

I'm thinking you're probably right that this is a timing issue. I just checked another message that had different scoring results. The initial message was received on 5/15 at 1156UTC and did not hit URIBL_BLACK. I fed it to SA manually at 1203UTC and it DID hit URIBL_BLACK. I looked up the URI in question and it was listed on 5/15 at 1153UTC.

One argument for implementing greylisting?

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered. -- Lyndon B. Johnson
---
5 days until the 4th anniversary of SpaceshipOne winning the X-prize
Re: MySQL Unreliable
SM wrote: At 06:30 16-05-2008, Marc Perkel wrote: I'm running several servers that are using a common MySQL server for bayes for all the SA servers. What I'm seeing is that MySQL is just plain unreliable. The database is often corrupted and it does so in a manner that basically causes SA to hang until it times out. Don't use MyISAM. http://dev.mysql.com/doc/mysql/en/innodb.html OK - I'm trying that. So innodb is better?
Re: Spam Assassin
Am/On Fri, 16 May 2008 11:18:04 -0400 schrieb/wrote Michelle Acosta: Does the Spam Assassin work on Mac's? sure it does. http://wiki.apache.org/spamassassin/SpamAssassin_on_Mac_OS_X_Server http://osx.topicdesk.com/content/category/4/18/41/ Thanks and all the best Matthias
Re: MySQL Unreliable
Hi Mark, At 09:15 16-05-2008, Marc Perkel wrote: OK - I'm trying that. So innodb is better? InnoDB supports transactions. The entire table is not locked as with MyISAM when data is inserted, updated or deleted. That's better in the case of a Bayes database. In general, there is a performance hit when using InnoDB. You should however see better performance for Bayes. In your original message, you mentioned that the db was being corrupted. That shouldn't happen unless there was an incorrect shutdown of the MySQL server. The hang you mentioned might be a query waiting on a lock. Regards, -sm
VBounce FP
The message at http://pastebin.com/m42c297fd[1] hit ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE despite the host that sent it (mailgw02.wolfnettech.com) being listed in my whitelist_bounce_relays. What might I have (?:missed|not understood) about VBounce? [1] The portion of the message that shows the original (bounced) message was blocked by pastebin as spam, so I've posted just the headers and body of the bounce message. -- Christopher Bort [EMAIL PROTECTED] http://www.thehundredacre.net/
Re: Fraud spam text in .doc attachments
I seem to recall there was a rash of Word spams maybe a year or so ago, but it went away pretty quickly. Maybe someone is trying to revive the method. Since not everyone has a Word viewer the spam is self-limiting in how much of the target audience it can capture, so will probably die out again fairly soon. I have vague memories someone did something to parse Word and Excel attachments, but maybe I'm only dreaming about that. Loren
Re: Fraud spam text in .doc attachments
On Fri, 16 May 2008, Loren Wilton wrote:

I have vague memories someone did something to parse Word and Excel attachments, but maybe I'm only dreaming about that.

I suggested using antiword + pdf-to-image + OCR, but never did anything with the idea.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
A well educated Electorate, being necessary to the liberty of a free State, the Right of the People to Keep and Read Books shall not be infringed.
---
5 days until the 4th anniversary of SpaceshipOne winning the X-prize
Re: VBounce FP
On Friday 16 May 2008 20:45, Christopher Bort wrote: The message at http://pastebin.com/m42c297fd[1] hit ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE despite the host that sent it (mailgw02.wolfnettech.com) being listed in my whitelist_bounce_relays. What might I have (?:missed|not understood) about VBounce? see: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5884 Greetings Stefan
Re: Fraud spam text in .doc attachments
On Fri, May 16, 2008 13:49, Andrew Hearn wrote:

Any one else seen emails with word documents attached and the word document has text of an 'African fraud'?

yes

example: http://pastebin.com/mad34c97

Download, but no url to download from

I've not seen a Word Doc plugin for SpamAssassin, is there one?

could be added to fuzzyocr plugin, but attachments is low here

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: FORGED_MUA_OUTLOOK 4.1
Philippe Couas wrote:

Hi, I have a server program sending mail to a PC. This PC reads the mail, then forwards it to a user group. Mails are read correctly, but when a mail is forwarded, it is marked as spam with FORGED_MUA_OUTLOOK 4.1. How could I avoid it? Regards Philippe

Find out why it is being flagged. (Read the rule, then compare it to the message header.) How else?
a rule to SARE team i hope
X-Mailer: eGroups Message Poster X-Priority: 1 X-MSMail-Priority: High hmm does yahoo use microsoft already ? Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: VBounce FP
On Friday 16 May 2008 22:33, you wrote:
On 05/16/08 12:56, [EMAIL PROTECTED] (Stefan Jakobs) wrote:
On Friday 16 May 2008 20:45, Christopher Bort wrote:

The message at http://pastebin.com/m42c297fd[1] hit ANY_BOUNCE_MESSAGE and BOUNCE_MESSAGE despite the host that sent it (mailgw02.wolfnettech.com) being listed in my whitelist_bounce_relays. What might I have (?:missed|not understood) about VBounce?

see: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5884

OK... Maybe I'm dense (not unlikely), but how does that apply here? My message is not an out-of-office reply and it has more than one received header. It's not locally generated, but was generated by a whitelisted relay host. The bounced message was generated by a web form with a sender address in my domain. The web site with the form is hosted for my employer by wolfnettech.com and the sender address's domain (homesmagazine.com) is handled by our mail server (mail.homes-magazine.com).

Actually, I'm not sure, but in my experience spamassassin will skip some received headers. Maybe not in your example. The link was a hint and IMO it's not worth trying the solution it's presenting.

Greetings
Stefan

PS: Please keep replies on list, so that other people can help, too.
spammytokens
I'm using the add_header template add_header all Spammy _SPAMMYTOKENS(2,long)_. Lately on messages that FetchYahoo picks up from my Yahoo account the below has started to show up. FetchYahoo adds its own X- header

X-FetchYahoo: version 2.12.0alpha3 MsgId 1_20599_AIYmvs4AAMP3SC4qMwQtqyEPKYs

at the end of each message but I don't see how or why it's being picked up by SA.

X-Spam-Spammy: 1.000-4--0h-102s--0d--HX-FetchYahoo:2.12.0alpha3, 1.000-2--0h-57s--0d--941207361

Below are all the add_header templates I'm using in my /etc/mail/spamassassin/local.cf file. I'm not using a ~/.spamassassin/user_prefs file.

add_header all Token Summary _TOKENSUMMARY_
add_header all Spammy _SPAMMYTOKENS(2,long)_
add_header all Hammy _HAMMYTOKENS(2,long)_
add_header all Date of Scan _DATE_
add_header all DCC _DCCB_ _DCCR_
add_header all Pyzor _PYZOR_
add_header all Remote Host _REMOTEHOSTNAME_
add_header all Remote Host Addr _REMOTEHOSTADDR_
add_header all Trusted Relays _RELAYSTRUSTED_
add_header all Untrusted Relays _RELAYSUNTRUSTED_
add_header all External Relays _RELAYSEXTERNAL_
add_header all Last External IP _LASTEXTERNALIP_
add_header all Last External RDNS _LASTEXTERNALRDNS_
add_header all Last External HELO _LASTEXTERNALHELO_
add_header all Subtest Ran _SUBTESTS(,)_
add_header all RBL Results _RBL_
add_header all Status _YESNO_, score=_SCORE_ required=_REQD_ tests=_TESTSSCORES_ autolearn=_AUTOLEARN_ version=_VERSION_

Any enlightenment would be appreciated.

Chris
--
Chris KeyID 0xE372A7DA98E6705C
Re: How do I Test SpamAssassin
Hi, I am a total newb to spamassassin and some network tools you mentioned so I don't know how to do what you suggested. I looked up spamc and I see it's the client to spamd, but I didn't understand fully what I read. Besides testing to see if spamassassin is working I wanted to increase the filters. I don't know if i'm saying it right. Mail does go to my junk box but i'd like more mail in my junkbox. I do not have full control over my mail server. Thanks. On Sun, 2008-05-11 at 11:32 +0200, Arvid Ephraim Picciani wrote: On Sunday 11 May 2008 09:13:28 Marc Ferguson wrote: Hi, I looked on the wiki to see how do I test my installation of spamassassin. I'm confused because it's not really giving me a method that works right out-of-the-box. It looks like the preferred method is The GTUBE. Based on that page it looks like I would use an external mail client, such as Gmail, Yahoo, or anything else besides my local desktop email client - and send mail to myself making sure a specific 68-byte string is in the body of the email. My results have been that Gmail won't send it because their spam filter recognizes it. I've tried Yahoo and they did the same thing. I'm a regular user and I'm trying to apply this to my evolution application. Thanks for any clarification. Marc F. just use spamc and feed a message manually, unless you want to test your MTA, in which case you need to check the manual of your mta. You can as well just send a message to yourself using telnet from your home computer. a properly setup spamfilter will match XBL, no matter the content of your message. Marc F.
Re: How do I Test SpamAssassin
Please don't top-post. It makes it much harder to read. Marc Ferguson wrote: Arvid Ephraim Picciani wrote: just use spamc and feed a message manually, unless you want to test your MTA, in which case you need to check the manual of your mta. You can as well just send a message to yourself using telnet from your home computer. a properly setup spamfilter will match XBL, no matter the content of your message. I am a total newb to spamassassin and some network tools you mentioned so I don't know how to do what you suggested. I looked up spamc and I see it's the client to spamd, but I didn't understand fully what I read. By this I assume that you are using spamassassin directly and not spamc. (That's okay. I use spamassassin directly too. :-) The two are almost the same thing in functionality. In which case you can translate that instruction into feed the message into spamassassin. You can also tell if spamassassin is working by the presence of X-Spam headers in the processed messages. If the header is there then spamassassin is processing the message. If not then it isn't. Besides testing to see if spamassassin is working I wanted to increase the filters. I don't know if i'm saying it right. Mail does go to my junk box but i'd like more mail in my junkbox. I do not have full control over my mail server. Thanks. One very large lever is the Bayes engine. But it needs 200 spam messages and 200 non-spam messages before it will have enough history to add to the scoring. You can see how many messages have been processed using sa-learn like this: sa-learn --dump magic Bob
Re: How do I Test SpamAssassin
On Fri, 2008-05-16 at 22:10 -0600, Bob Proulx wrote:

Please don't top-post. It makes it much harder to read.

Marc Ferguson wrote:
Arvid Ephraim Picciani wrote:

just use spamc and feed a message manually, unless you want to test your MTA, in which case you need to check the manual of your mta. You can as well just send a message to yourself using telnet from your home computer. a properly setup spamfilter will match XBL, no matter the content of your message.

I am a total newb to spamassassin and some network tools you mentioned so I don't know how to do what you suggested. I looked up spamc and I see it's the client to spamd, but I didn't understand fully what I read.

By this I assume that you are using spamassassin directly and not spamc. (That's okay. I use spamassassin directly too. :-) The two are almost the same thing in functionality. In which case you can translate that instruction into feed the message into spamassassin. You can also tell if spamassassin is working by the presence of X-Spam headers in the processed messages. If the header is there then spamassassin is processing the message. If not then it isn't.

Besides testing to see if spamassassin is working I wanted to increase the filters. I don't know if i'm saying it right. Mail does go to my junk box but i'd like more mail in my junkbox. I do not have full control over my mail server. Thanks.

One very large lever is the Bayes engine. But it needs 200 spam messages and 200 non-spam messages before it will have enough history to add to the scoring. You can see how many messages have been processed using sa-learn like this:

sa-learn --dump magic

Bob

Not top replying is going to be a tough thing to get used to. I did the magic dump and this is my result.
[EMAIL PROTECTED] ~]$ sa-learn --dump magic
0.000          0          3          0  non-token data: bayes db version
0.000          0       1312          0  non-token data: nspam
0.000          0        693          0  non-token data: nham
0.000          0     112435          0  non-token data: ntokens
0.000          0 1180964576          0  non-token data: oldest atime
0.000          0 1210998882          0  non-token data: newest atime
0.000          0 1210992306          0  non-token data: last journal sync atime
0.000          0          0          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count
[EMAIL PROTECTED] ~]$

Marc F.
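
The check Bob Proulx describes above (200 spam and 200 non-spam messages before Bayes contributes to scoring) can be read straight out of the `sa-learn --dump magic` rows. The script below is an added example, not something posted in the thread; the function names `magic_value` and `bayes_status` and the sample dump are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): read `sa-learn --dump magic` output and
# report whether Bayes has the 200 spam / 200 ham minimum mentioned above.
# Function names and the sample dump are constructed for illustration.

BAYES_MIN=200   # per-class minimum quoted in the thread

# magic_value LABEL: print the counter for one "non-token data" row on stdin.
# Rows look like: 0.000  0  1312  0  non-token data: nspam
magic_value() {
    awk -v want="$1" '
        $5 == "non-token" && $6 == "data:" && $3 ~ /^[0-9]+$/ {
            label = $7
            for (i = 8; i <= NF; i++) label = label " " $i
            if (label == want) { print $3; found = 1; exit }
        }
        END { if (!found) exit 1 }'
}

# bayes_status: dump on stdin; prints one summary line.
# Returns 0 = enough training, 1 = not yet, 2 = dump could not be parsed.
bayes_status() {
    dump=$(cat)
    nspam=$(printf '%s\n' "$dump" | magic_value nspam) ||
        { echo "unparseable: no nspam row"; return 2; }
    nham=$(printf '%s\n' "$dump" | magic_value nham) ||
        { echo "unparseable: no nham row"; return 2; }
    if [ "$nspam" -ge "$BAYES_MIN" ] && [ "$nham" -ge "$BAYES_MIN" ]; then
        echo "active nspam=$nspam nham=$nham"
        return 0
    fi
    echo "inactive nspam=$nspam nham=$nham need=$BAYES_MIN"
    return 1
}

# Constructed sample in the layout sa-learn prints: enough spam, too little ham.
sample_dump() {
    cat <<'EOF'
0.000          0          3          0  non-token data: bayes db version
0.000          0        240          0  non-token data: nspam
0.000          0         85          0  non-token data: nham
0.000          0      20311          0  non-token data: ntokens
EOF
}

# Real use: sa-learn --dump magic | bayes_status
sample_dump | bayes_status || :
```

The non-zero return codes make the function usable from cron or a monitoring check, so a Bayes database that was reset or never trained is noticed instead of silently contributing nothing to the score.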