Re: tflags multiple with mimeheader rules
Jeremy Fairbrass [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Hi all, Can the tflags multiple setting be used with mimeheader rules? Or only with header, body, rawbody, uri, and full tests? Also, where can I find some further info on how tflags multiple should be used - perhaps with an example or two? I can't find anything in the SpamAssassin wiki on this, and the brief description at http://spamassassin.apache.org/full/3.2.x/dist/doc/Mail_SpamAssassin_Conf.html isn't much help either. Cheers, Jeremy Can anybody offer some help?! :) - Jeremy
Google docs spam
Now google docs abuse spam. Spammer is using the docs page with an id from google. At least google should have a decent abuse reporting system. This mail went by almost clean. Are there any rules I am missing? https://ecm.netcore.co.in/tmp/spamgd.txt Thanks Ram
Re: Google docs spam
On Wednesday 21 May 2008 12:12:11 ram wrote:
> Spammer is using the docs page with an id from google. At least google should have a decent abuse reporting system

this is new. spammers are fast :(

> This mail went by almost clean, Are there any rules I am missing https://ecm.netcore.co.in/tmp/spamgd.txt

same here. 0.0 points. (without bayes) The spam source is still not listed anywhere. Reporting to spamcop might be an option. Looks like a czech dialup, i wonder why they are not listed in the PBL. Maybe one can write a rule for those:

    Received: from [77.48.35.201] (unknown [10.10.1.25]) by smtp-sfn.sitkom.cz

(are there any dnsbls for reserved IPs?)

--
best regards
Arvid Ephraim Picciani
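The check suggested in the message above, sketched as an added example (not code from any poster and not a SpamAssassin rule): it parses a Postfix-style Received line and reports a non-routable client address and a HELO address literal that disagrees with it. The function names and the second sample header are constructed for illustration.

```python
import ipaddress
import re

# Postfix-style trace line: "from HELO (RDNS [CLIENT-IP]) by RECEIVER".
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+"
    r"\((?P<rdns>[^\s\[\]]*)\s*\[(?P<ip>[^\]]+)\]\)\s+"
    r"by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
# A HELO given as an address literal, e.g. "[77.48.35.201]" or "[IPv6:...]".
HELO_LITERAL_RE = re.compile(r"\[([^\]]+)\]")

# Header fragment quoted in the post above.
SAMPLE = "Received: from [77.48.35.201] (unknown [10.10.1.25]) by smtp-sfn.sitkom.cz"
# Constructed header in which the HELO literal and the client address agree.
CONSISTENT = "Received: from [77.48.35.201] (unknown [77.48.35.201]) by mx.example.net"


def to_ip(text):
    """Return an ipaddress object, or None if text is not an IP address."""
    text = re.sub(r"^IPv6:", "", text.strip(), flags=re.IGNORECASE)
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def classify(ip):
    """Coarse routability class of an address (None means unparseable)."""
    if ip is None:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:          # RFC 1918 and other non-global ranges
        return "private"
    if ip.is_reserved:
        return "reserved"
    return "public"


def check_received(header):
    """Return a list of findings for one Received header (may be folded)."""
    unfolded = " ".join(header.split())
    m = RECEIVED_RE.match(unfolded)
    if not m:
        return ["unparseable"]
    findings = []
    client = to_ip(m.group("ip"))
    kind = classify(client)
    if kind != "public":
        # Only meaningful for hops outside your own trusted relays, where
        # private addresses are normal.
        findings.append(f"client-ip-{kind}")
    literal = HELO_LITERAL_RE.fullmatch(m.group("helo"))
    if literal:
        helo_ip = to_ip(literal.group(1))
        if helo_ip is None:
            findings.append("helo-literal-invalid")
        elif helo_ip != client:
            findings.append("helo-literal-mismatch")
    return findings


if __name__ == "__main__":
    for hdr in (SAMPLE, CONSISTENT):
        print(check_received(hdr), "<-", hdr)
```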
Re: Google docs spam
On Wednesday 21 May 2008 5:12 am, ram wrote:
> Now google docs abuse spam. Spammer is using the docs page with an id from google. At least google should have a decent abuse reporting system
> This mail went by almost clean, Are there any rules I am missing https://ecm.netcore.co.in/tmp/spamgd.txt
> Thanks
> Ram

It scored pretty high here:

     pts  rule name           description
    ----  ------------------  --------------------------------------------------
     0.0  STOX_REPLY_TYPE     STOX_REPLY_TYPE
     5.0  BOTNET              Relay might be a spambot or virusbot
                              [botnet0.8,ip=202.162.229.17,rdns=mail1.example.com,baddns]
     0.0  UNPARSEABLE_RELAY   Informational: message has unparseable relay lines
     1.0  BAYES_50            BODY: Bayesian spam probability is 40 to 60%
                              [score: 0.4976]
    -0.0  DCC_CHECK_NEGATIVE  Not listed in DCC
                              [cpollock 1117; Body=1 Fuz1=1 Fuz2=1]
      10  CLAMAV              Clam AntiVirus detected a virus
     1.0  SAGREY              Adds 1.0 to spam from first-time senders

ClamAv sig is below:

    X-Spam-Virus: Yes (Email.Spam.Gen3183.Sanesecurity.08051617)

--
Chris
KeyID 0xE372A7DA98E6705C
Re: Google docs spam
Chris wrote:
> On Wednesday 21 May 2008 5:12 am, ram wrote:
> > Now google docs abuse spam. Spammer is using the docs page with an id from google. At least google should have a decent abuse reporting system
> > This mail went by almost clean, Are there any rules I am missing https://ecm.netcore.co.in/tmp/spamgd.txt
> > Thanks
> > Ram
>
> It scored pretty high here:
>
>      pts  rule name           description
>     ----  ------------------  --------------------------------------------------
>      0.0  STOX_REPLY_TYPE     STOX_REPLY_TYPE
>      5.0  BOTNET              Relay might be a spambot or virusbot
>                               [botnet0.8,ip=202.162.229.17,rdns=mail1.example.com,baddns]
>      0.0  UNPARSEABLE_RELAY   Informational: message has unparseable relay lines
>      1.0  BAYES_50            BODY: Bayesian spam probability is 40 to 60%
>                               [score: 0.4976]
>     -0.0  DCC_CHECK_NEGATIVE  Not listed in DCC
>                               [cpollock 1117; Body=1 Fuz1=1 Fuz2=1]
>       10  CLAMAV              Clam AntiVirus detected a virus
>      1.0  SAGREY              Adds 1.0 to spam from first-time senders
>
> ClamAv sig is below:
>
>     X-Spam-Virus: Yes (Email.Spam.Gen3183.Sanesecurity.08051617)

Hi Chris, why not blocking such mails before getting them to spamassassin use clamav-milter at income smtp level with http://www.sanesecurity.co.uk/clamav/ sigs

--
Best Regards
MfG Robert Schetterer
Germany/Munich/Bavaria
dsbl.org dying?
dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily.
Re: Google docs spam
ram wrote:
> Now google docs abuse spam. Spammer is using the docs page with an id from google. At least google should have a decent abuse reporting system
> This mail went by almost clean, Are there any rules I am missing https://ecm.netcore.co.in/tmp/spamgd.txt
> Thanks
> Ram

I am slow. How are they doing this? I couldn't even figure it out looking at the example e-mail.
Re: dsbl.org dying?
Hi! dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. We had errors in our monitoring system also due to this last night. The test point was invalid. (2.0.0.127). But i could not reach the site either so... Most likely Ian will respond to this also. Bye, Raymond.
Re: dsbl.org dying?
Raymond Dijkxhoorn wrote: Hi! dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. We had errors in our monitoring system also due to this last night. The test point was invalid. (2.0.0.127). But i could not reach the site either so... Most likely Ian will respond to this also. they have a hardware problem. People who can help them are encouraged to. Others should stop queries.
Compiling with tcc, cannot start: segfaults
I chased this around for a while and when I finally determined the cause, I figured I should post something so that future searchers will find it.

I have been happily running 3.2.3-0.volatile1 (Debian) for months. Today I woke up to a lot of Spam in my INBOX, and spamassassin down. It seems to have died during the cron sa-update process, so I try to start it up again and I'm unable to start spamd, it segfaults when I do:

    Starting SpamAssassin Mail Filter Daemon: /etc/init.d/spamassassin: line 38: 11186 Segmentation fault start-stop-daemon --start --pidfile $PIDFILE --exec $XNAME $NICE --oknodo --startas $DAEMON -- $OPTIONS $DOPTIONS

Those options come from the Debian initscript, if I unpack them and run it manually:

    # /usr/sbin/spamd OPTIONS=-i -u nobody -A 10.0.1.13,10.0.1.15,10.0.1.17,10.0.1.31,10.0.1.33,10.0.1.44 -q -x --max-children 50 --helper-home-dir /etc/spamassassin
    Segmentation fault

Even without all the options:

    # /usr/sbin/spamd
    Segmentation fault

In fact, if I try to sa-compile, I get a segfault. If I purge the 3.002003 rules (and their compiled versions), re-run sa-update and then sa-compile and then try to start spamassassin again, it segfaults.

If I strace the process, the end is as follows:

    stat64(/var/lib/spamassassin/compiled/3.002003/Mail/SpamAssassin/CompiledRegexps/body_0.pmc, 0xbfa315ac) = -1 ENOENT (No such file or directory)
    stat64(/var/lib/spamassassin/compiled/3.002003/Mail/SpamAssassin/CompiledRegexps/body_0.pm, {st_mode=S_IFREG|0444, st_size=58745, ...}) = 0
    open(/var/lib/spamassassin/compiled/3.002003/Mail/SpamAssassin/CompiledRegexps/body_0.pm, O_RDONLY|O_LARGEFILE) = 7
    ioctl(7, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfa312c8) = -1 ENOTTY (Inappropriate ioctl for device)
    _llseek(7, 0, [0], SEEK_CUR)= 0
    read(7, \npackage Mail::SpamAssassin::Com..., 4096) = 4096
    read(7, razine\\b/i#,\n q#__DRUGS_DIET5# ..., 4096) = 4096
    read(7, SPUR-M\\b/i#,\n q#FB_SSEX# = q#/..., 4096) = 4096
    read(7, #,\n q#__FRAUD_WNY# = q#/\\b(?:d..., 4096) = 4096
    read(7, SOR# = q#/not a registered inve..., 4096) = 4096
    read(7, a stud/i#,\n q#SARE_BETTERORG# =..., 4096) = 4096
    read(7, |05 E(?:ast|\\.)? 85th St|10 S\\. ..., 4096) = 4096
    read(7, Blvd Suite 200|491 North Federa..., 4096) = 4096
    read(7, RE_EN_N_800_5_1# = q#/800\\W+5(?..., 4096) = 4096
    read(7, a|an? honest|you being a|to any..., 4096) = 4096
    read(7, matter|mutual understanding|rel..., 4096) = 4096
    read(7, U_PART_CIA# = q#/(?![\\s\\'-][0-9..., 4096) = 4096
    read(7, F X|A B S Y|H L U N|F C Y I|A M..., 4096) = 4096
    read(7, q#/\\bbuy\\b.{1,30}\\br(?:[EMAIL PROTECTED]|a..., 4096) = 4096
    read(7, {0,40}account .{0,40}record/i#,\n..., 4096) = 1401
    brk(0x9c48000) = 0x9c48000
    stat64(/var/lib/spamassassin/compiled/3.002003/auto/Mail/SpamAssassin/CompiledRegexps/body_0, {st_mode=S_IFDIR|0775, st_size=4096, ...}) = 0
    stat64(/var/lib/spamassassin/compiled/3.002003/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so, {st_mode=S_IFREG|0555, st_size=1015528, ...}) = 0
    stat64(/var/lib/spamassassin/compiled/3.002003/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.bs, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
    open(/var/lib/spamassassin/compiled/3.002003/auto/Mail/SpamAssassin/CompiledRegexps/body_0/body_0.so, O_RDONLY) = 8
    read(8, \177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340\\\0...,512) = 512
    fstat64(8, {st_mode=S_IFREG|0555, st_size=1015528, ...}) = 0
    mmap2(NULL, 1018080, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 8,0) = 0xb77a8000
    mmap2(0xb789, 69632, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 8, 0xe7) = 0xb789
    mprotect(0xbfa31000, 4096, PROT_READ|PROT_WRITE|PROT_EXEC|PROT_GROWSDOWN) = 0
    close(8)= 0
    mprotect(0xb77a8000, 950272, PROT_READ|PROT_WRITE) = 0
    --- SIGSEGV (Segmentation fault) @ 0 (0) ---
    +++ killed by SIGSEGV +++
    Process 16329 detached

So what was the cause? It turned out, I was trying to be smart and save disk space by installing the 'tcc' compiler on all of our spam processing servers. 'tcc' is known as 'the tiny C compiler', it's small, fast and ANSI C compliant. It's somewhat experimental, and as such when I replaced it with gcc, blew away my compiled rules and re-ran sa-compile, things were able to start up again fine.

Micah
Re: dsbl.org dying?
mouss writes: Raymond Dijkxhoorn wrote: Hi! dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. We had errors in our monitoring system also due to this last night. The test point was invalid. (2.0.0.127). But i could not reach the site either so... Most likely Ian will respond to this also. they have a hardware problem. People who can help them are encouraged to. Others should stop queries. have you got a reference for that? all dsbl.org says is Since the removal mechanism is offline now, the zone files have been temporarily emptied. Nothing about stopping querying. --j.
How to use private rules?
Hello,

I am going to install a new server for (currently) 43 users with apache2, postgresql 8.2, courier, clamav-ng and spamassassin.

Since the resources are very limited, the inbound MTA checks only zen.spamhaus.org and then lets the $USER choose what to do.

Because of an experience from last Friday where I have hit the limits of my hosting provider's mailserver (over 4000 messages stuck in the queue) I lock already the ~/.procmailrc to let only one message after one processing per $USER.

So with spamassassin I have now a problem, since if called with

    +---[ ~/.procmailrc ]--
    snip
    | :0
    | * 25
    | .ATTENTION.big_messages/
    |
    | :0fw
    | * 25
    | |/usr/bin/spamc
    snip
    +---

I can not use private rules and if I call it with

    :0fw
    * 25
    |/usr/bin/spamassassin

incoming batch-spam can kill the server which must be responsible under any circumstances... How can I solve this problem?

Note: Some of the $USER have tons of custom rules and since they are working for them, they want to use them... :-)

Thanks, Greetings and nice Day
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
Michelle Konzack Apt. 917 ICQ #328449886 +49/177/935194750, rue de Soultz MSN LinuxMichi +33/6/61925193 67100 Strasbourg/France IRC #Debian (irc.icq.com)
Re: How to use private rules?
Michelle Konzack wrote:
> Because of an experience from last Friday where I have hit the limits of my hosting provider's mailserver (over 4000 messages stuck in the queue) I lock already the ~/.procmailrc to let only one message after one processing per $USER.

You are serializing now? Or you wish to serialize?

> | :0fw
> | * 25
> | |/usr/bin/spamc

Not serialized. No lock file. Processing may occur in parallel.

> incoming batch-spam can kill the server which must be responsible under any circumstances... How can I solve this problem?

If you want to serialize mail processing to cap the machine load you could use a procmail lockfile to only process one message at a time.

    :0fw:spamc.lock
    * 25
    |/usr/bin/spamc

That would prevent your machine from being overloaded with large batches of incoming mail. Message processing would be serialized one at a time.

Bob
Re: Google docs spam
On Wed, May 21, 2008 13:48, Robert Schetterer wrote:
> Hi Chris, why not blocking such mails before getting them to spamassassin use clamav-milter at income smtp level with http://www.sanesecurity.co.uk/clamav/ sigs

it's not a virus, it's spam detected in clamav, virus do something !

Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: dsbl.org dying?
On May 21, 2008, at 10:01 AM, mouss wrote: dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. I asked about this on the spamtools list on the 12th to deafening silence. On that day, if you were to look at their status page, http://dsbl.org/nsstatus , you would have seen half of their DNS primaries listed as broken. Today I see page not found with a generic drupal error message. Not looking promising if you ask me. Time to stop using it, as far as I am concerned.
Re: MailChannels Traffic Control (fwd)
May I suggest that you redo your research? BarricadeMX has no feature at all that even attempts to address the issue MailChannels is addressing, ie slowing down the TCP channel. On May 20, 2008, at 10:32 AM, Koopmann, Jan-Peter wrote: Why is everyone willing to skip doing 5 minutes of research? I did. Mailchannels idea may not work for you. But it's worth doing a bit of research. Oh the idea is nice. But there are others out there that - from my personal perspective - are doing this stuff much better, at least from what I can tell. See BarricadeMX from Fort Systems Ltd. FYI: again, not affiliated and we're not using it either. But the product is very well designed and it's a lot more clever/useful than anything you're comparing it to. I compare it to BarricadeMX and as I said, I think it is not so clever. Personal opinion. Regards, JP -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: MailChannels Traffic Control (fwd)
give longer greylist times will do without marketing :-) It will slow down real user's mail a lot too. On May 20, 2008, at 3:58 PM, Benny Pedersen wrote: real mail servers is 1: known 2: can be bypassed in greylist on that fact #1 Both of these are addressed by Mailchannels. But what to do when an unknown mail server contacts you is different in the approach. greylist effectiveness is down to less than 10% effective at this point, because the botnets know to retry now. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: MailChannels Traffic Control (fwd)
On May 20, 2008, at 10:51 AM, mouss wrote: Jo Rhett wrote: mouss, please do a little research I did. I may get things wrong, and would be pleased to get corrected. so please share your knowledge. All I'm saying is that you're comparing what they are doing to things which are not similar, then accusing them of doing no research. before you go online attacking people. if discussion is considered as an attack, ... Look at your posts and your wording and you'll see. There is no such statement in my post. or do you consider I don't see..., it looks to me..., I don't know for others, as statements? I confess that english is not my native language, but I try hard ;-p You didn't use those when you made the accusations in question. calm down. I apologize if I sounded like attacking your business or friends. That was not my intent. I'm calm, and I don't much care about this topic at all. But I spend a lot of time helping people disambiguate statements like these from well-researched opinions, so I try to flag them when I see them so that someone else reading the thread will know that this isn't the overall impression of the list -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: MailChannels Traffic Control (fwd)
On Wed, 21 May 2008, Jo Rhett wrote:
> greylist effectiveness is down to less than 10% effective at this point, because the botnets know to retry now.

Also consider that greylisting will allow URIBLs time to update even if all spambots implement retry and thus negate the _original_ intent of greylisting...

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Liberals love sex ed because it teaches kids to be safe around their sex organs. Conservatives love gun education because it teaches kids to be safe around guns. However, both believe that the other's education goals lead to dangers too terrible to contemplate.
---
Today: the 4th anniversary of SpaceshipOne winning the X-prize
Re: can we make AWL ignore mail from self to self?
On May 20, 2008, at 1:07 PM, Justin Mason wrote: 1. How does AWL deal with forgery (other than by saving a /16 of the source IP) No other way. What's wrong with saving a /16? In my experience it's worked pretty well for the past few years... Seems to. I can logically think of ways it would/should break (ie public wireless networks) but I haven't seen any real problems until now, and the problem is specific to self-self. My comment was only because Matt kept insisting that AWL prevents forgery... 2. How can I easily see the AWL database for a given destination address? tools/check_whitelist Where can I find this? It's not in the Mail-SpamAssassin tarfile... -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: dsbl.org dying?
Justin Mason wrote: mouss writes: Raymond Dijkxhoorn wrote: Hi! dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. We had errors in our monitoring system also due to this last night. The test point was invalid. (2.0.0.127). But i could not reach the site either so... Most likely Ian will respond to this also. they have a hardware problem. People who can help them are encouraged to. Others should stop queries. have you got a reference for that? all dsbl.org says is Since the removal mechanism is offline now, the zone files have been temporarily emptied. Nothing about stopping querying. http://www.dnsbl.com/
Re: can we make AWL ignore mail from self to self?
Jo Rhett wrote: Matt, how can I possibly get you to move past this unfounded assumption that my trust path is broken and focus on the real problem? The trust path is not broken, it's just fine. On May 20, 2008, at 5:47 PM, Matt Kettler wrote: Ok, then the AWL code is *SEVERELY* bugged. The question then becomes why isn't the source address part of the AWL working properly. I'm not sure I know this or can agree. I'm fairly sure it's orthogonal, but I may be wrong. That IP range is what would detect the forgeries, or at least give the forgeries a different AWL entry than email you really sent yourself. I only send mail to myself from my wireless provider or open WiFi networks. e.g. note to self while I am on the road. The source IPs are different, so your real self-to-self should be handled independently, with a completely separate AWL entry, from the spammer forged self-to-self. You're assuming I use the same source IP when I send myself mail, and that just isn't true. Or that you receive e-mail from the very same public wireless and/or phone providers as everyone else does. My trust path doesn't have to be broken if the networks used to send the e-mail are public networks. (if you can laugh == welcome to the 21st century and the Crackberry/Treo/iPhone) Not trying to be snide. If you're using any kind of forwarder, including crackberry, their servers should be trusted by you so that SA's checks get applied to the mailserver that dropped mail off at them. That's the purpose of the trust path, to allow you to trust the headers of those systems receiving mail on your behalf and forwarding it to you. I'm not -- my Treo delivers mail directly to my mail server. From DHCP-assigned addresses all over the world. I enjoy travel ;-) I'd also like to point out that no provider is willing to share their server lists openly and consistently enough for this to occur. 
We have to put crackberry users in their own domain because we use SPF on the main domains and crackberry keeps changing their servers. no provider == crackberry, verizon, sprint, etc... the wireless providers who intercept outbound mail. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
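The /16 keying argued over in this thread, as an added example (a simplified model written for this page, not SpamAssassin's own code and not from any poster): each history entry is keyed on the sender address plus the first two octets of the origin IPv4 address, and the score is pulled toward that entry's mean by a factor, assumed here to be SpamAssassin's documented `auto_whitelist_factor` default of 0.5. The address, scores and IPs are constructed.

```python
AUTO_WHITELIST_FACTOR = 0.5  # assumed: the documented default of auto_whitelist_factor


def awl_key(addr, ip):
    """History key: lower-cased sender plus the /16 of the origin IPv4 address."""
    if not ip:
        return f"{addr.lower()}|ip=none"
    first, second = ip.split(".")[:2]
    return f"{addr.lower()}|ip={first}.{second}"


class AutoWhitelist:
    """Toy model of the AWL: per-key running total and message count."""

    def __init__(self, factor=AUTO_WHITELIST_FACTOR):
        self.factor = factor
        self.entries = {}  # key -> (total_score, count)

    def history(self, addr, ip):
        """Return (count, mean) for the entry this sender/IP maps to."""
        total, count = self.entries.get(awl_key(addr, ip), (0.0, 0))
        return count, (total / count if count else 0.0)

    def adjust(self, addr, ip, score):
        """Return the score after the AWL correction, then record the raw score."""
        key = awl_key(addr, ip)
        total, count = self.entries.get(key, (0.0, 0))
        delta = 0.0
        if count:
            # Pull the score part of the way toward this key's historical mean.
            delta = (total / count - score) * self.factor
        self.entries[key] = (total + score, count + 1)
        return score + delta


def demo():
    """Constructed scenario: real self-to-self history, then forged self-to-self."""
    me = "jo@example.com"
    awl = AutoWhitelist()
    # Ten genuine notes-to-self from one network, each scoring -2.0 before AWL.
    for _ in range(10):
        awl.adjust(me, "192.0.2.15", -2.0)
    return {
        # Forgery from another /16: separate entry, no history, score unchanged.
        "forged_other_net": awl.adjust(me, "203.0.113.9", 8.0),
        # Forgery from the same /16 (e.g. a shared public network): inherits the
        # good history and is pulled below a typical 5.0 threshold.
        "forged_same_net": awl.adjust(me, "192.0.2.200", 8.0),
        # Genuine mail from a new network while travelling: no history to draw on.
        "roaming_self": awl.adjust(me, "198.51.100.4", -2.0),
        "home_history": awl.history(me, "192.0.2.15"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:18} {value}")
```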
Re: MailChannels Traffic Control (fwd)
On May 21, 2008, at 11:37 AM, John Hardin wrote: Also consider that greylisting will allow URIBLs time to update even if all spambots implement retry and thus negate the _original_ intent of greylisting... The negative effects of greylisting outweigh the positive. As a provider who needs to receive timely problem reports from our customers, greylisting was impossible for us to use. Comparing spam catches for greylisting against my personal domains where I could use greylisting (but all other rulesets being equal) I found that less spam was caught by SA and the overall load was somewhat reduced, but the amount of spam reaching the mailbox remained the same. Over time the load difference reversed as the spambots started doing retries (often 5-10 within 2 minutes) and the amount of spam reaching the mailbox remained the same. Greylisting became a penalty, so I disabled it. Again, without changing the amount of spam reaching my mailbox. MailChannel's implementation solves all of the problems we had with greylisting, while also hitting the botnets where it hurts. It appears to be a great idea. I need to figure out how to implement it without breaking our internal auth schemes, but I will be doing so. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: dsbl.org dying?
On Wed, 21 May 2008 at 14:26 -0400, [EMAIL PROTECTED] confabulated: On May 21, 2008, at 10:01 AM, mouss wrote: dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. I asked about this on the spamtools list on the 12th to deafening silence. On that day, if you were to look at their status page, http://dsbl.org/nsstatus, you would have seen half of their DNS primaries listed as broken. Today I see page not found with a generic drupal error message. Not looking promising if you ask me. Time to stop using it, as far as I am concerned. I stopped using the list a few months ago. Rejections based on the list were at ~0.06% of the total number of RBL rejections. The figures were ~3.7 million total RBL rejections to ~2,500 dsbl.org rejections. In my eyes, the list was not worth keeping around when the server(s) are handling over seven (7) million messages per day.
Re: Experimental - use my server for your high fake MX record
On May 7, 2008, at 9:17 AM, mouss wrote: what if he comes back later to the same MX, again and again (AFAIK, this is the case with qmail)? mail will be lost. snarky comment Good. Time for qmail to die ;-) /snarky comment -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
AW: Re: MailChannels Traffic Control (fwd)
It sure can and we are using that feature. It addresses all (!) features MailChannel claims to address on the webpage and more. Sure it is I who has to do the researching? Moreover BMX can do quite a lot of what you describe without having to slow down the TCP channel too much thereby freeing up resources. But honestly I do not think this leads to anything. You obviously like their product and some of us fail to understand what is so special about it. Use it and be happy. I am more than fine with that. But please do not accuse me or others of not doing research if you are not sure. I did quite a bit of research and even asked for more information (which has not been provided yet). I have not said it lacks feature x while you incorrectly claim lacking features of other products. Regards JP -- Original message -- Subject: Re: MailChannels Traffic Control (fwd) From: Jo Rhett [EMAIL PROTECTED] Date: 21.05.2008 20:31 May I suggest that you redo your research? BarricadeMX has no feature at all that even attempts to address the issue MailChannels is addressing, ie slowing down the TCP channel.
Re: AW: Re: MailChannels Traffic Control (fwd)
On May 21, 2008, at 11:56 AM, Koopmann, Jan-Peter wrote: It sure can and we are using that feature. It addresses all (!) features MailChannel claims to address on the webpage and more. Sure it is I who has to do the researching? I read every document on their website, and saw zero mentions of this feature. I can't research it further without getting the product here to test, and I'm not suggesting that everyone do this -- just that everyone read the information available. Moreover BMX can do quite a lot of what you describe without having to slow down the TCP channel too much thereby freeing up resources. But honestly I do not think this leads to anything. Look at testing results. Try it out. It's been 99% effective against the botnets on a test system I enabled. But please do not accuse me or others of not doing research if you are not sure. I did quite a bit of research and even asked for more information (which has not been provided yet). I have not said it lacks feature x while you incorrectly claim lacking features of other products. People said specifically that mailchannels was doing nothing more than qmail does which is clearly not true with even some basic reading. This clearly indicates a lack of research. I accept your accusation about my research IF you can please point me to a document on FSL's website which addresses slowing down TCP sessions. I can't find it. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: dsbl.org dying?
D Hill wrote: On Wed, 21 May 2008 at 14:26 -0400, [EMAIL PROTECTED] confabulated: On May 21, 2008, at 10:01 AM, mouss wrote: dsbl.org are having problems. it would be nice if people who use it disable it, at least temporarily. I asked about this on the spamtools list on the 12th to deafening silence. On that day, if you were to look at their status page, http://dsbl.org/nsstatus, you would have seen half of their DNS primaries listed as broken. Today I see page not found with a generic drupal error message. Not looking promising if you ask me. Time to stop using it, as far as I am concerned. I stopped using the list a few months ago. Rejections based on the list were at ~0.06% of the total number of RBL rejections. The figures were ~3.7 million total RBL rejections to ~2,500 dsbl.org rejections. In my eyes, the list was not worth keeping around when the server(s) are handling over seven (7) million messages per day. my numbers are even less than yours... (and on different networks/companies, so it's not just my mail). This makes me think that it won't survive. dsbl was good at the time, but nowadays, most spam comes from zombies and networks that don't get listed per dsbl policy/mechanisms.
AW: Re: AW: Re: MailChannels Traffic Control (fwd)
I read every document on their website, and saw zero mentions of this feature. I can't research it further without getting the product here to test, and I'm not suggesting that everyone do this -- just that everyone read the information available. http://www.snertsoft.com/smtp/smtpf/ Look at testing results. Try it out. It's been 99% effective against the botnets on a test system I enabled. Test results are nice to read but that's it. Moreover: how fast? How expensive? What about clustering? 99% effective with how many false positives etc. Does it fight backscatter? What I am saying is that there is more to it than this one figure. But please do not accuse me or others of not doing research if you are not sure. I did quite a bit of research and even asked for more information (which has not been provided yet). I have not said it lacks feature x while you incorrectly claim lacking features of other products. People said specifically that mailchannels was doing nothing more than qmail does which is clearly not true with even some basic reading. This clearly indicates a lack of research. People: maybe. I did not do so. So if you want to accuse them, go ahead but leave me out of this loop. Please provide a link which describes what exactly they are doing. The things I could find justify people's statements a bit since most of what I read can indeed be done with standard MTAs. Then they use a reputation network (in the commercial version only?) so they do not have to do the interesting tests themselves on the box. If I failed to see the magic of the product please enlighten me and please apologize. I accept your accusation about my research IF you can please point me to a document on FSL's website which addresses slowing down TCP sessions. I can't find it. See above. From memory. Detailed description of all tests, options, error messages etc.
Re: AW: Re: MailChannels Traffic Control (fwd)
Jo Rhett wrote: On May 21, 2008, at 11:56 AM, Koopmann, Jan-Peter wrote: It sure can and we are using that feature. It addresses all (!) features MailChannel claims to address on the webpage and more. Sure it is I who has to do the researching? I read every document on their website, and saw zero mentions of this feature. if you can't find the docs that others have read, and still accuse them of lack of research, there is a word for this: ridiculous. I can't research it further without getting the product here to test, and I'm not suggesting that everyone do this -- just that everyone read the information available. before suggesting what others should do, try improving your search and navigation skills. (I am serious here. I am sure you will thank me in a few years). Moreover BMX can do quite a lot of what you describe without having to slow down the TCP channel too much thereby freeing up resources. But honestly I do not think this leads to anything. Look at testing results. Try it out. It's on the pile. as soon as I finish testing the pills and the diplomas, I'll get my lottery gains, and I'll try your product :) It's been 99% effective against the botnets on a test system I enabled. 99%? numbers out of context are only useful for politicians and marketers. Both have no (good) place on this list. humour Please stop pissing on the carpet :) /humour But please do not accuse me or others of not doing research if you are not sure. I did quite a bit of research and even asked for more information (which has not been provided yet). I have not said it lacks feature x while you incorrectly claim lacking features of other products. People said specifically that mailchannels was doing nothing more than qmail does which is clearly not true with even some basic reading. This clearly indicates a lack of research. who ever spoke of qmail here? 
I accept your accusation about my research IF you can please point me to a document on FSL's website which addresses slowing down TCP sessions. I can't find it. and this is the guy who is trying to teach me research? - try searching their web site for a document that contains this: MailChannels has developped ... SLOW email traffic ... on their site. (the capitals in SLOW are mine). - try searching for the 2007 MIT conference paper by Ken Thomson. I don't know if you can still access it for free. but if you're serious about research, you can order the proceedings. - try getting a friend to read this for you: http://blog.mailchannels.com/2008/02/spammers-are-less-patient-than.html - or maybe you'll have more chances with http://en.wikipedia.org/wiki/Tarpit_%28networking%29 humour on some pages cited above, you may need to scroll to the bottom. if you don't know what scroll means, try asking your friends and family /humour
Re: MailChannels Traffic Control (fwd)
Jo Rhett wrote: On May 20, 2008, at 10:51 AM, mouss wrote: Jo Rhett wrote: mouss, please do a little research I did. I may get things wrong, and would be pleased to get corrected. so please share your knowledge. All I'm saying is that you're comparing what they are doing to things which are not similar, then accusing them of doing no research. you are confusing me with someone else. I never accused anyone of doing no research. before you go online attacking people. if discussion is considered as an attack, ... Look at your posts and your wording and you'll see. I did. still nothing. There is no such statement in my post. or do you consider I don't see..., it looks to me..., I don't know for others, as statements? I confess that english is not my native language, but I try hard ;-p You didn't use those when you made the accusations in question. do you actually read posts you reply to? calm down. I apologize if I sounded like attacking your business or friends. That was not my intent. I'm calm, and I don't much care about this topic at all. But I spend a lot of time helping people disambiguate statements like these from well-researched opinions, so I try to flag them when I see them so that someone else reading the thread will know that this isn't the overall impression of the list you'd better take time learning what research is. and yes, I'm calm too. I'm even laughing...
Re: Experimental - use my server for your high fake MX record
Jo Rhett wrote: On May 7, 2008, at 9:17 AM, mouss wrote: what if he comes back later to the same MX, again and again (AFAIK, this is the case with qmail)? mail will be lost. snarky comment Good. Time for qmail to die ;-) /snarky comment start by updating the RFCs.
Re: AW: Re: MailChannels Traffic Control (fwd)
mouss wrote: [snip] I accept your accusation about my research IF you can please point me to a document on FSL's website which addresses slowing down TCP - sessions. I can't find it. and this is the guy who is trying to teach me research? - try searching their web site for a document that contains this: MailChannels has developped ... SLOW email traffic ... on their site. (the capitals in SLOW are mine). [snip] Can't you read? He said documentation on BarricadeMX, you answer with more of your dumb messages. -- René Berber
Re: Experimental - use my server for your high fake MX record
mouss wrote: Jo Rhett wrote: On May 7, 2008, at 9:17 AM, mouss wrote: what if he comes back later to the same MX, again and again (AFAIK, this is the case with qmail)? mail will be lost. snarky comment Good. Time for qmail to die ;-) /snarky comment start by updating the RFCs. Qmail only has a problem with lowest numbered MX getting a 4xx. It works fine with the highest numbered MX with 4xx.
Re: How to output Debugged Lint to file
[quote] Does it actually read the files in the update channel dirs? Something like this, below the point where the debugging output has been snipped. [/quote]

Yes I think it does - the relevant output is below.

[5153] dbg: config: fixed relative path: /var/lib/spamassassin/3.002002/sought_rules_yerp_org/20_sought.cf
[5153] dbg: config: using /var/lib/spamassassin/3.002002/sought_rules_yerp_org/20_sought.cf for included file
[5153] dbg: config: read file /var/lib/spamassassin/3.002002/sought_rules_yerp_org/20_sought.cf

Regards, Kate

Karsten Bräckelmann wrote:
On Thu, 2008-05-15 at 10:46 +1200, Kathryn Kleinschafer wrote:
I run the update via a crontab entry (set when logged in as root) how do I specify who it's done by and what the umask is?

Edit the crontab as the user you want it to be run. Alternatively, have a look at 'man crontab'.

spamassassin is run by postfix user - all this part of the setup should be fine as I haven't played with the config files and it had all been running well. I run the test as user postfix to ensure I get the same results as when the automatic tests run.

David B Funk wrote:
Also look to see what User-ID your SA filtering process runs as and then check to see if there are some parts of your SA setup or your Perl installation that aren't properly readable/usable by that User-ID. (for example, if an update was done as 'root' with a umask of 077 then the installed rules/updates would not be useable by anybody else).

The debug output pasted earlier seems to hint that the updates are at least readable, I believe. Though the debug output only showed a tiny fraction of the very first part:

dbg: config: read file /var/lib/spamassassin/3.00x00y/sought_rules_yerp_org.cf

Does it actually read the files in the update channel dirs? Something like this, below the point where the debugging output has been snipped.

dbg: config: read file /var/lib/spamassassin/3.00x00y/sought_rules_yerp_org/20_sought.cf

guenther
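The umask 077 case David B Funk describes, as an added example that is not part of any message in the thread: a check for rule files and directories that a separate filter user could not read. The function names and the temporary directory layout are constructed for illustration, and the check assumes the filter user is neither owner nor group member of the files.

```shell
#!/bin/sh
# Added example (not from the thread). Assumption: the filter user is neither
# owner nor group member of the rule files, so the "other" bits decide access.

# Print every path under $1 that such a user cannot use:
#   directories missing o+r or o+x (cannot be listed or traversed)
#   regular files missing o+r      (cannot be read)
unreadable_by_others() {
    find "$1" \( -type d ! -perm -005 \) -o \( -type f ! -perm -004 \)
}

# Constructed stand-in for an sa-update run: create a channel directory and
# one rule file under the given umask. $1 = target dir, $2 = umask.
simulate_update() {
    (
        umask "$2"
        mkdir -p "$1/sought_rules_yerp_org"
        echo "# constructed rule file" > "$1/sought_rules_yerp_org/20_sought.cf"
    )
}

demo_dir=$(mktemp -d)
simulate_update "$demo_dir/umask_077" 077
simulate_update "$demo_dir/umask_022" 022
echo "update written with umask 077, unusable paths:"
unreadable_by_others "$demo_dir/umask_077"
echo "update written with umask 022, unusable paths:"
unreadable_by_others "$demo_dir/umask_022"
rm -rf "$demo_dir"
```

On a live system the same function can be pointed at the update directory shown in the debug output, /var/lib/spamassassin; any path it prints is one the filter user would fail to load.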
Re: How to output Debugged Lint to file
Karsten Bräckelmann wrote:
On Thu, 2008-05-15 at 10:01 +1200, Kathryn Kleinschafer wrote:
I run sa-update from the crontab daily which I believe should update the rules. (I'm relatively new to this so could have it completely wrong) The command I use in crontab is

00 01 * * * sa-update --allowplugins --channelfile

Any reason for the non-default --allowplugins?

One of the channels - Open Protect required it

If you use SA versions 3.2.0 or above, use the following command: *sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com*,

/etc/mail/spamassassin/update-channels.txt --gpgkeyfile /etc/mail/spamassassin/gpgkeys.txt

and in the update-channels.txt I have

sought.rules.yerp.org
saupdates.openprotect.com
updates.spamassassin.org

You do have all GPG keys in gpgkeys.txt, do you?

Yes - do they need to be in any specific order?

update channels file
sought.rules.yerp.org
saupdates.openprotect.com
updates.spamassassin.org

gpgkey file
6C6191E3
D1C035168C1EBC08464946DA258CDB3ABDE9DC10

We were getting this same spam a month or so ago and it was all getting stopped but now it's not, that's why I'm very worried I have broken my spamassassin. Does URIBL_BLACK come default with spamassassin?

Yes. Now, please re-read my previous posts, and answer the questions. If it helps to do so, feel free to answer inline, placing answers directly below the question.

guenther
Re: AW: Re: MailChannels Traffic Control (fwd)
René Berber wrote: [snip] Can't you read? He said documentation on BarricadeMX, No problem, search for Slow Replies in the 2.0 release notes. you answer with more of your dumb messages. Can we kill this thread now?
Re: Experimental - use my server for your high fake MX record
Marc Perkel wrote: mouss wrote: Jo Rhett wrote: On May 7, 2008, at 9:17 AM, mouss wrote: what if he comes back later to the same MX, again and again (AFAIK, this is the case with qmail)? mail will be lost. snarky comment Good. Time for qmail to die ;-) /snarky comment start by updating the RFCs. Qmail only has a problem with lowest numbered MX getting a 4xx. It works fine with the highest numbered MX with 4xx. do you have a pointer for this? AFAIK, it sticks on 4xx independently of the priority.
Re: How to output Debugged Lint to file
On Thu, May 22, 2008 at 09:57:49AM +1200, Kathryn Kleinschafer wrote: Any reason for the non-default --allowplugins? One of the channels - Open Protect required it If you use SA versions 3.2.0 or above, use the following command: *sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com*, That doesn't mean they require it, that just means they told you to use it. It also means you open yourself up to possible security attacks, which is why it's disabled by default. I'm not saying it's bad if you trust the channel to not screw you, but ... -- Randomly Selected Tagline: Where's Roxanne? Not here today... She might have a lab... Those poor Calc. 2 kids ... - Prof. Farr
Re: AW: Re: AW: Re: MailChannels Traffic Control (fwd)
On May 21, 2008, at 12:34 PM, Koopmann, Jan-Peter wrote: I read every document on their website, and saw zero mentions of this feature. I can't research it further without getting the product here to test, and I'm not suggesting that everyone do this -- just that everyone read the information available. http://www.snertsoft.com/smtp/smtpf/ Okay, this link wasn't available to me. I googled the term you provided and only found the FSL site. They had no links to this data. Next time you want to suggest that someone didn't research, you should be explicit with your links. Test results are nice to read but that's it. Moreover: how fast? How expensive? What about clustering? 99% effective with how many false positives etc. Does it fight backscatter? What I am saying is that there is more to it than this one figure. As far as the slowdown is concerned, there aren't false positives. Read the text! People: maybe. I did not do so. So if you want to accuse them, go ahead but leave me out of this loop. Please provide a link which describes what exactly they are doing. The things I could find justify people's statements a bit since most of what I read can indeed be done with standard MTAs. Then they use a reputation network (in the commercial version only?) so they do not have to do the interesting tests themselves on the box. If I failed to see the magic of the product please enlighten me and please apologize. Apologize for what? The top-level links on the website provided the information you claim isn't there. It's not stored on some other website nobody has named ... I accept your accusation about my research IF you can please point me to a document on FSL's website which addresses slowing down TCP sessions. I can't find it. See above. From memory. Detailed description of all tests, options, error messages etc. Your memory wasn't laid out to anyone else. Lacking your memory in my search pool, I used Google. I'm tired of wasting time with this pointless conversation.
Just stop making authoritative statements about products you haven't researched. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: MailChannels Traffic Control (fwd)
On May 21, 2008, at 1:19 PM, mouss wrote: All I'm saying is that you're comparing what they are doing to things which are not similar, then accusing them of doing no research. you are confusing me with someone else. I never accused anyone of doing no research. http://www.gossamer-threads.com/lists/spamassassin/users/121113 5 message down is you. Look at your posts and your wording and you'll see. I did. still nothing. See above. You didn't use those when you made the accusations in question. do you actually read posts you reply to? Read your own mail folder, I quoted you at the time. It's also all on the thread above if you can't find it in your trash folder. I'm calm, and I don't much care about this topic at all. But I spend a lot of time helping people disambiguate statements like these from well-researched opinions, so I try to flag them when I see them so that someone else reading the thread will know that this isn't the overall impression of the list you'd better take time learning what research is. now we're down to insults. *plonk* -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: How to output Debugged Lint to file
Theo Van Dinter wrote: On Thu, May 22, 2008 at 09:57:49AM +1200, Kathryn Kleinschafer wrote: Any reason for the non-default --allowplugins? One of the channels - Open Protect required it If you use SA versions 3.2.0 or above, use the following command: *sa-update --allowplugins --gpgkey D1C035168C1EBC08464946DA258CDB3ABDE9DC10 --channel saupdates.openprotect.com*, That doesn't mean they require it, that just means they told you to use it. It also means you open yourself up to possible security attacks, which is why it's disabled by default. I'm not saying it's bad if you trust the channel to not screw you, but ... Hmmm when you put it like that I might take that bit out. thanks
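An added example, not part of the thread or of SpamAssassin itself: an audit of cron entries for the --allowplugins flag discussed above, and also for --nogpg, a related sa-update switch the thread does not mention. The function names and the sample crontab are constructed; only its first entry is modelled on the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): flag sa-update cron entries that relax
# the checks sa-update applies to downloaded rule updates.

# Reads crontab text on stdin, prints "<line>: <flag>: <why>" per finding.
audit_sa_update_cron() {
    awk '
        $1 ~ /^#/ { next }                      # skip comment lines
        {
            # Only look at entries that actually invoke sa-update.
            is_sa = 0
            for (i = 1; i <= NF; i++)
                if ($i == "sa-update" || $i ~ /\/sa-update$/) is_sa = 1
            if (!is_sa) next
            for (i = 1; i <= NF; i++) {
                if ($i == "--allowplugins")
                    print NR ": --allowplugins: loadplugin/tryplugin lines in downloaded rules stay active"
                if ($i == "--nogpg")
                    print NR ": --nogpg: updates are installed without GPG signature verification"
            }
        }'
}

# Constructed crontab used as sample input.
sample_crontab() {
    cat <<'EOF'
# constructed crontab; the first entry is modelled on the one quoted in the thread
00 01 * * * sa-update --allowplugins --channelfile /etc/mail/spamassassin/update-channels.txt --gpgkeyfile /etc/mail/spamassassin/gpgkeys.txt
30 01 * * * /usr/bin/sa-update --nogpg --channel updates.example.org
15 02 * * * sa-update --channelfile /etc/mail/spamassassin/update-channels.txt --gpgkeyfile /etc/mail/spamassassin/gpgkeys.txt
EOF
}

sample_crontab | audit_sa_update_cron
```

Against a real system, feed it the output of `crontab -l` for the user that runs the update.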
Re: AW: Re: MailChannels Traffic Control (fwd)
On May 21, 2008, at 1:08 PM, mouss wrote: I read every document on their website, and saw zero mentions of this feature. if you can't find the docs that others have read, and still accuse them of lack of research, there is a word for this: ridiculous. There's nothing on that site. It's on another site nobody mentioned. It's not my job to find all references. And I'm not saying people should find *ALL* references, I'm saying that people should take 1-2 minutes to read what the person is actually suggesting/implementing, rather than disregarding the product/idea/whatever publicly without any clear understanding of what it does. before suggesting what others should do, try improving your search and navigation skills. (I am serious here. I am sure you will thank me in few years). *snip other insults* Lose the attitude. I was suggesting people actually read what's right in front of them, not even asking that they search around. Your insults are irrelevant to the topic here, and I won't put up with it. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: AW: Re: MailChannels Traffic Control (fwd)
On May 21, 2008, at 3:18 PM, mouss wrote: Can't you read? He said documentation on BarricadeMX, No problem, search for Slow Replies in the 2.0 release notes. And Mailchannels isn't implementing slow replies. That's what I'm trying to say. It is slowing the TCP session, not slowing the responses. Bots already deal with slow replies, it's non-effective. -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: Experimental - use my server for your high fake MX record
On May 21, 2008, at 1:44 PM, mouss wrote: Good. Time for qmail to die ;-) start by updating the RFCs. The RFCs are, and have always been clear on how MX records are supposed to be used. Are you just a nonsense machine? The SA list's personal eliza run through the borker? -- Jo Rhett Net Consonance : consonant endings by net philanthropy, open source and other randomness
Re: AW: Re: MailChannels Traffic Control (fwd)
On Wed, 21 May 2008, Jo Rhett wrote: Your insults are irrelevant to the topic here, and I won't put up with it. ...I thought you plonk'd him? :) -- John Hardin KA7OHZ http://www.impsec.org/~jhardin/ [EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- A well educated Electorate, being necessary to the liberty of a free State, the Right of the People to Keep and Read Books shall not be infringed. --- Today: the 4th anniversary of SpaceshipOne winning the X-prize
Re: Experimental - use my server for your high fake MX record
Jo Rhett wrote: On May 7, 2008, at 9:17 AM, mouss wrote: what if he comes back later to the same MX, again and again (AFAIK, this is the case with qmail)? mail will be lost. snarky comment Good. Time for qmail to die ;-) /snarky comment Agreed. Qmail should die!
Re: Around the web what particular link explains the ins and outs specifically about the asterisks used in the headers?...
On 19 May 2008, Theo Van Dinter said: [Don talking about `asterisks'] What are you talking about? I *think* he's talking about default score thresholds. -- `If you are having a ua luea luea le ua le kind of day, I can only assume that you are doing no work due [to] incapacitating nausea caused by numerous lazy demons.' --- Frossie
Re: can we make AWL ignore mail from self to self?
On 21 May 2008, Jo Rhett stated: On May 20, 2008, at 1:07 PM, Justin Mason wrote: 2. How can I easily see the AWL database for a given destination address? tools/check_whitelist Where can I find this? It's not in the Mail-SpamAssassin tarfile... It's in SVN. -- `If you are having a ua luea luea le ua le kind of day, I can only assume that you are doing no work due [to] incapacitating nausea caused by numerous lazy demons.' --- Frossie
RE: dsbl.org dying?
From: mouss http://www.dnsbl.com/ I have never paid attention to it so... questions.. Was dsbl.org widely used? In general, is it considered a major and necessary dnsbl tool for the war against spam? Does anyone have any idea how much sustained bandwidth in and out that it took to run the main dsbl.org host? Just wondering if it might be worth throwing some cold spare commercial server hardware we have laying around at it... - rh