Re: WrongMX plugin
On 02.08.08 13:10, Daryl C. W. O'Shea wrote:
> Sorry for the huge delay in responding...

Better than not at all...

> On 30.05.08 11:46, Matus UHLAR - fantomas wrote:
> > I was also thinking about modifying it to be allowed to hit more times with different scores for smaller time differences (resulting would be sum of all matched). Any opinions?

Here I've meant two or more different rules for different delays, e.g. 30s, 5min and see the results.

> > Since nobody replied, I installed it, but it does not produce anything. Could you please check if it still should work? Sorry for bugging.
>
> > It works, I only need to find a way for using the current recipient.
>
> I'm not sure what it is you are wanting to do.

I found out that WRONGMX currently hits on our company's mailservers only when the original recipient is in To:, for messages forwarded from other domains, when they were delivered through backup MX for those domains.

So, it actually hits correctly, but not when mail is delivered through our backups, and we only get ~5 hits per day, while many spams go through our MXes.

I guess the problem may lie in lack of knowledge of who the current recipient really is, as we don't (want to) add X-Envelope-To: header unless the mail goes to wildcard addresses. I tried to specify recipient to spamc using -u option, did not help...

It also may be in setup of our mailservers (primary MX is behind loadbalancer, mail is directed onto mailhub.nextra.sk, but mailservers' names are mailhub[1-4].nextra.sk). Does this matter?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Increase in Mailer-daemon spam
Hi,

Anyone else experience more mailer-daemon spam lately? I am happy Justin's rules match these perfectly, but bayes isn't hitting these yet.

/Jeroen
Re: Subject line still getting changed
On 02.08.08 23:31, Rob Sharp wrote:
> I have an email account on a shared server at Hostgator. I have configured SpamAssassin via their Cpanel interface not to rewrite the subject line when flagging an item as spam. However, this flagging still seems to be happening.
>
> All messages that SA determines as spammy have [SPAM] prefixed to the subject line.

There's header rewriting set up somewhere.

> I have manually overridden report_safe to 0.

That's a different parameter.

> Can someone please tell me what other directives control the subject line rewriting?

Search config files (system and user's) for the rewrite_header option.

> X-Spam-Checker-Version says version=3.3.0-r613124 , however, that seems like a newer version than currently available on the SA website!?!?

a beta probably...

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
REALITY.SYS corrupted. Press any key to reboot Universe.
Re: Sa-update failures? Yerp AND kluge Offline? DOS?
There was a message recently posted saying that Yerp was being taken offline for a server move.

Rob

Michael Scheidell wrote:
> Didn't think too much of seeing this in every SA box log last night, just thought maybe yerp.org offline.
>
> Running 350.sa-update
> http: request failed: 500 Can't connect to yerp.org:80 (connect: Invalid argument): 500 Can't connect to yerp.org:80 (connect: Invalid argument)
> channel: could not find working mirror, channel failed
> http: request failed: 500 Can't connect to yerp.org:80 (connect: Invalid argument): 500 Can't connect to yerp.org:80 (connect: Invalid argument)
>
> Tested it, yep, off line:
>
> telnet yerp.org 80
> Trying 72.232.31.42...
> telnet: connect to address 72.232.31.42: Connection refused
> telnet: Unable to connect to remote host
>
> But, then saw this in a couple of them and thought this was too weird. Concentrated DOS attack against the saupdate channel servers?
>
> http: request failed: 500 Can't connect to spamassassin.kluge.net:80 (connect: timeout): 500 Can't connect to spamassassin.kluge.net:80 (connect: timeout)
>
> While looking up information on taint.org, got it offline also. (well, it's the same box ;)
>
> telnet taint.org 80
> Trying 72.232.31.42...
> telnet: connect to address 72.232.31.42: Connection refused
> telnet: Unable to connect to remote host
>
> Looks fine now, and sa-update -D doesn't show any missing updates available.
Re: Subject line still getting changed
Thanks for the reply.

Matus UHLAR - fantomas wrote:
> > All messages that SA determines as spammy have [SPAM] prefixed to the subject line.
>
> There's header rewriting set up somewhere.

My Host just told me to add rewrite_subject 0 into my user_prefs. I think they actually mean rewrite_header. I've just added it, and now need to wait for a spammy message to arrive to give it a test.

> > I have manually overridden report_safe to 0.
>
> That's a different parameter.

I thought I'd mention it since it was the only thing I had changed from the default and didn't know if it had any bearing.

Rob
Re: Subject line still getting changed
On 04.08.08 11:47, Rob Sharp wrote:
> Thanks for the reply.
>
> Matus UHLAR - fantomas wrote:
> > > All messages that SA determines as spammy have [SPAM] prefixed to the subject line.
> >
> > There's header rewriting set up somewhere.
>
> My Host just told me to add rewrite_subject 0 into my user_prefs. I think they actually mean rewrite_header. I've just added it, and now need to wait for a spammy message to arrive to give it a test.

rewrite_subject was an option in 2.x I think. See Mail::SpamAssassin::Conf for rewrite_header options.

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Enter any 12-digit prime number to continue.
Lottery spam in my inbox
Hi friends.

How is it possible that these kinds of mail are not spam tagged by spamassassin...

CONGRATULATION YOU HAVE WON 850.000.POUNDS(REPLY TO [EMAIL PROTECTED])
ftp://195.169.149.102/tt/WON.txt

YOUR REF:CLAIMS/ATM/822 .
ftp://195.169.149.102/tt/ATM.txt

please help me out...

Thanks
Nitin Bhadauria
What is current version of Botnet plugin?
I've found Botnet 0.6 and references to Botnet 0.8(ebuild). What's the preferred version for this plugin?
iXhash plugin and lists - feedback wanted
Hi all,

I'm the author of the iXhash plugin, a piece of code that computes a variety of 'fuzzy checksums' along the lines of the NiXSpam project (run by the German IT magazine iX). I also run two DNS zones (nospam.login-solutions.de, nospam.login-solutions.ag), containing fuzzy checksum data from various spam traps.

Now, I'll leave my current job where I had the opportunity to run a dedicated server to maintain the lists. I wonder if it is worth my while to actually migrate the whole stuff (and expand it to contain data from other sources) or to just release a final version of the plugin and call it quits.

I guess this list is the best place to ask those of you who use the plugin for feedback. I'd appreciate any comments and information on hit rates, FPs and such.

Thanks in advance
Dirk
Re: Lottery spam in my inbox
Nitin Bhadauria [EMAIL PROTECTED] wrote:
> How is it possible that these kinds of mail are not spam tagged by spamassassin...

Do you train SA's bayes database? Do you use RBL checks? Do you use ClamAV with stock and SaneSecurity signatures?

> CONGRATULATION YOU HAVE WON 850.000.POUNDS(REPLY TO [EMAIL PROTECTED])
> ftp://195.169.149.102/tt/WON.txt

The sending MX is listed on several DNSBLs, among them sorbs and ahbl; also caught by ClamAV: Email.ScamL.Gen711.Sanesecurity.08062506.

> YOUR REF:CLAIMS/ATM/822 .
> ftp://195.169.149.102/tt/ATM.txt

Sending MX is blacklisted on dnsbl-3.uceprotect.net; message also caught by SA:

X-Spam-Status: Yes, score=9.0 required=5.0 tests=BAYES_50,HTML_MESSAGE,
  HTML_MISSING_CTYPE,MISSING_MIME_HB_SEP,MPART_ALT_DIFF,SUBJ_ALL_CAPS
  autolearn=no version=3.2.5

--
Sahil Tandon [EMAIL PROTECTED]
Re: Sa-update failures? Yerp AND kluge Offline? DOS?
I don't know of any connectivity issues w/ the kluge.net server. There were some ISP issues last month that took it offline for a day or so, but nothing in the last couple of days.

On Mon, Aug 04, 2008 at 11:34:22AM +0100, Rob Sharp wrote:
> There was a message recently posted saying that Yerp was being taken offline for a server move.
>
> Rob
>
> Michael Scheidell wrote:
> > Didn't think too much of seeing this in every SA box log last night, just thought maybe yerp.org offline.
> >
> > Running 350.sa-update
> > http: request failed: 500 Can't connect to yerp.org:80 (connect: Invalid argument): 500 Can't connect to yerp.org:80 (connect: Invalid argument)
> > channel: could not find working mirror, channel failed
> > http: request failed: 500 Can't connect to yerp.org:80 (connect: Invalid argument): 500 Can't connect to yerp.org:80 (connect: Invalid argument)
> >
> > Tested it, yep, off line:
> >
> > telnet yerp.org 80
> > Trying 72.232.31.42...
> > telnet: connect to address 72.232.31.42: Connection refused
> > telnet: Unable to connect to remote host
> >
> > But, then saw this in a couple of them and thought this was too weird. Concentrated DOS attack against the saupdate channel servers?
> >
> > http: request failed: 500 Can't connect to spamassassin.kluge.net:80 (connect: timeout): 500 Can't connect to spamassassin.kluge.net:80 (connect: timeout)
> >
> > While looking up information on taint.org, got it offline also. (well, it's the same box ;)
> >
> > telnet taint.org 80
> > Trying 72.232.31.42...
> > telnet: connect to address 72.232.31.42: Connection refused
> > telnet: Unable to connect to remote host
> >
> > Looks fine now, and sa-update -D doesn't show any missing updates available.

--
Randomly Selected Tagline: How do I type for i in *.dvi do xdvi i done in a GUI? (Discussion in comp.os.linux.misc on the intuitiveness of interfaces.)
RE: iXhash plugin and lists - feedback wanted
> I'm the author of the iXhash plugin, a piece of code that computes a variety of 'fuzzy checksums' along the lines of the NiXSpam project (run by the German IT magazine iX). I also run two DNS zones (nospam.login-solutions.de, nospam.login-solutions.ag), containing fuzzy checksum data from various spam traps.
>
> Now, I'll leave my current job where I had the opportunity to run a dedicated server to maintain the lists. I wonder if it is worth my while to actually migrate the whole stuff (and expand it to contain data from other sources) or to just release a final version of the plugin and call it quits.
>
> I guess this list is the best place to ask those of you who use the plugin for feedback. I'd appreciate any comments and information on hit rates, FPs and such.
>
> Thanks in advance
> Dirk

Dirk,

I just started running iXhash about a week ago on a 3.2.5 SA. I haven't really had enough time to eval the net effects all the way around. Do you have any extra tools that would help the SA community to eval iXhash in our environments other than what we already have available out there??

- rh
Re: iXhash plugin and lists - feedback wanted
On Monday 04 August 2008 4:13 pm, Dirk Bonengel wrote:
> Hi all,
>
> I'm the author of the iXhash plugin, a piece of code that computes a variety of 'fuzzy checksums' along the lines of the NiXSpam project (run by the German IT magazine iX). I also run two DNS zones (nospam.login-solutions.de, nospam.login-solutions.ag), containing fuzzy checksum data from various spam traps.
>
> Now, I'll leave my current job where I had the opportunity to run a dedicated server to maintain the lists. I wonder if it is worth my while to actually migrate the whole stuff (and expand it to contain data from other sources) or to just release a final version of the plugin and call it quits.
>
> I guess this list is the best place to ask those of you who use the plugin for feedback. I'd appreciate any comments and information on hit rates, FPs and such.
>
> Thanks in advance
> Dirk

Hi Dirk,

I've been using it on my home system probably ever since you made it available. Below are hit stats from yesterday:

Total: 279  Ham: 122  Spam: 157

iXhash.cf:

Rule Name    Score   Ham   Spam   %of Ham   %of Spam
---
LOGINHASH    4.50    30    62     24.59%    39.49%
LOGINHASH2   2.50    30    61     24.59%    38.85%
IXHASH       2.50    31    66     25.41%    42.04%
---
OVERALL              31    66     25.41%    42.04%

Though it does hit ham, I don't remember ever seeing any FP's because of it. I'd say expand it, though again, this is just running on a home system with one user, me. Also be aware that the above count is cumulative over a period of time (that I'm not really sure of) and not daily.

Keep up the good work
Chris

--
Chris KeyID 0xE372A7DA98E6705C
Re: iXhash plugin and lists - feedback wanted
On 8/4/08 at 8:42 PM -0500 Chris wrote:
> Hi Dirk, I've been using it on my home system probably ever since you made it available. Below are hit stats from yesterday:
>
> Total: 279  Ham: 122  Spam: 157
>
> iXhash.cf:
>
> Rule Name    Score   Ham   Spam   %of Ham   %of Spam
> ---
> LOGINHASH    4.50    30    62     24.59%    39.49%
> LOGINHASH2   2.50    30    61     24.59%    38.85%
> IXHASH       2.50    31    66     25.41%    42.04%
> ---
> OVERALL              31    66     25.41%    42.04%

Wow. That doesn't seem right at all. Your setup had the same amount of FPs in one day as mine has all of this year. I've found this plugin to be quite accurate and invaluable!

RULE NAME   SPAM   HAM %OFSPAM %OFHAM
--
LOGINHASH   5965   319.540.02
LOGINHASH2  5070   198.110.01
IXHASH      3188   125.100.01
--

Dirk,

Your plugin rocks! I hope you can find a way to continue to maintain your lists!

Nedry