FM_FAKE_HELO_VERIZON
I have a user of a mailing list who is sending from a Verizon system, and is being marked as spam. Some is use of HTML etc but
* 2.0 BOTNET_CLIENT Relay has a client-like hostname
*     [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net, ipinhostname]
* 2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
are the two that do not seem to be under control. The mailing list archive seems to be hiding the headers at present. What exactly do they mean? How can he prevent it?
==John ffitch
sa-learn and different path
Hi all,
my SA version: 3.2.4
when launching this command, I noticed that the files are updated in two different folders.
user: root
foo:~# sa-learn --sync --spam --mbox /home/foo/spam.mbox
/root/.spamassassin/bayes_seen
/root/.spamassassin/bayes_toks
/home/spamassassin/.spamassassin/auto-whitelist
/home/spamassassin/.spamassassin/bayes_journal
Why? I don't think it's the right way.
My local.cf:
rewrite_header Subject SPAM(_SCORE_)
report_safe 0
required_score 4.0
## I've tried to uncomment and re-launch spamd but don't work
#bayes_path /etc/mail/spamassassin/bayes
#bayes_file_mode 0770
use_bayes 1
bayes_auto_learn 1
bayes_auto_expire 0
bayes_learn_to_journal 1
bayes_journal_max_size 0
--
Massimiliano Marini - http://www.linuxtime.it/massimilianomarini/
It's easier to invent the future than to predict it. -- Alan Kay
Re: FM_FAKE_HELO_VERIZON
jpff wrote:
I have a user of a mailing list who is sending from a Verizon system, and is being marked as spam. Some is use of HTML etc but
* 2.0 BOTNET_CLIENT Relay has a client-like hostname
*     [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net, ipinhostname]
botnet believes the hostname is dynamic (probably because of the 173001 part). However, verizon.net SPF record includes 206.46.0.0/16. hmmm...
* 2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
yep. happens with Matt Kettler mail! I have opened a bug:
https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5972
I suggest the following modification
header __FHOST_RDNS X-Spam-Relays-Untrusted =~ /^[^\]]+ rdns=[^ ]*[a-z] /i
meta FM_FAKE_HELO_VERIZON (__FHELO_VERIZON && !__FHOST_VERIZON && __FHOST_RDNS)
meta FM_FAKE_HELO_HOTMAIL (__HOTMAILCOM && !__HOST_HOTMAIL && __FHOST_RDNS)
now, it would be nice to modify Received.pm to ignore invalid rdns. any opinions?
are the two that do not seem to be under control. The mailing list archive seems to be hiding the headers at present. What exactly do they mean? How can he prevent it?
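The effect of the modification proposed in the message above, as an added example (not code from the thread or from SpamAssassin): it evaluates the existing and the proposed FM_FAKE_HELO_VERIZON meta against constructed X-Spam-Relays-Untrusted values. The __FHOST_RDNS pattern is the one posted; the patterns for __FHELO_VERIZON and __FHOST_VERIZON, the by= host, and the example.net relays are assumptions, since the thread does not show them.

```python
import re

# Pattern as posted in the thread: the first (most recent) untrusted relay has
# an rdns= value ending in a letter, i.e. a hostname was actually recorded.
FHOST_RDNS = re.compile(r"^[^\]]+ rdns=[^ ]*[a-z] ", re.I)

# ASSUMED sub-rules (their definitions are not shown in the thread): HELO and
# reverse DNS of the first untrusted relay fall under verizon.net.
FHELO_VERIZON = re.compile(r"^[^\]]+ helo=[^ ]*verizon\.net ", re.I)
FHOST_VERIZON = re.compile(r"^[^\]]+ rdns=[^ ]*verizon\.net ", re.I)


def relay(ip, rdns, helo):
    """Build one constructed X-Spam-Relays-Untrusted entry."""
    return (f"[ ip={ip} rdns={rdns} helo={helo} by=mx.example.org "
            "ident= envfrom= intl=0 id=CONSTRUCTED auth= msa=0 ]")


def evaluate(relays_untrusted):
    """Return whether the current and the proposed meta rule would fire."""
    helo_vz = bool(FHELO_VERIZON.search(relays_untrusted))
    host_vz = bool(FHOST_VERIZON.search(relays_untrusted))
    has_rdns = bool(FHOST_RDNS.search(relays_untrusted))
    return {
        # (__FHELO_VERIZON && !__FHOST_VERIZON)
        "current": helo_vz and not host_vz,
        # (__FHELO_VERIZON && !__FHOST_VERIZON && __FHOST_RDNS)
        "proposed": helo_vz and not host_vz and has_rdns,
    }


VZ = "vms173001pub.verizon.net"  # hostname quoted in the thread

# Constructed samples; only 206.46.173.1 and VZ come from the thread.
SAMPLES = {
    "rdns matches helo": relay("206.46.173.1", VZ, VZ),
    "rdns not recorded": relay("206.46.173.1", "", VZ),
    "rdns is another host": relay("203.0.113.7", "host7.example.net", VZ),
    # The patterns cannot cross the first "]", so an rdns on an earlier hop
    # does not satisfy __FHOST_RDNS.
    "rdns only on earlier hop": relay("206.46.173.1", "", VZ) + " "
    + relay("198.51.100.9", "mail.example.net", "mail.example.net"),
}

if __name__ == "__main__":
    for name, value in SAMPLES.items():
        result = evaluate(value)
        print(f"{name:26} current={result['current']!s:5} "
              f"proposed={result['proposed']}")
```

The two rules differ only where the first untrusted relay has no recorded reverse DNS: the existing meta fires there, the proposed one does not, and a Verizon HELO from a host whose rDNS resolves elsewhere is still flagged by both.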
Re: MagicSpam
At 09:44 12-09-2008, Jesse Stroik wrote: There is SpamAssassin the project and SpamAssassin the software. The project, under the aegis of the Apache Software Foundation, provides a framework to support open source software development to deliver an enterprise-grade, freely available software product for the public benefit. SpamAssassin, the software, is a mail filter to identify spam. It is designed for easy integration into any email system. The cost to develop such a software is estimated to be around US $1.1 million. And many, if not the large majority of commercial systems use it somewhere. A commercial product that does not understand spam, or if their team has not had lots of experience with spam, will make those mistakes. As the maintainer of the freebsd port of Spamassassin, I have to look at any user contributed 'fixes' or scripts to see if they are keeping with the overall SA design, or if they are freebsd only, do they cover, or will they work with ALL freebsd users (commercial systems, hobby, or home grown). As the maintainer, I have rejected several scripts that are mostly site or company specific, reminding the author that SA has to be made generic, and the Freebsd port of SA has to remain generic. I also remind them 'this is open source', you are ENCOURAGED to make custom, site specific changes. That said, as my second role as the CTO of one of the many companies that uses SA, thanks to the team, community, and users for creating a generic, 'one site fits all' system, but, it does need lots of work to make it a viable system to be used by 'users'. Remember users ;-)? If SA is used by YOU, and YOU are totally in charge of what gets whitelisted, blacklisted, etc, then YOU can maintain all the cf files and you can (eventually) get a pretty stable, accurate system. If, however, you are trying to create something easy to set up, and easy for users to use without your constant tweaking, yes, its VERY hard. 
As much time as our engineers spend on optimizations and minor customer custom requests, I think most of their time is spent trying to balance the spam capture rate and the false positive rate. (you really need a team :-). Examples of problems include ISP's who have clients that actually subscribe to those 'free crap in your email box', vs commercial companies who don't want their users using their email address for 'free porn' and such. Take one of the reputation filters as an example: DCC. DCC is great for identifying sources of BULK EMAIL. The commercial version also lets you get a bulk/non bulk percentage value on the sending IP. The free system allows you to take checksums of the spam and get a 'bulk/non bulk' judgment on the email. Remember, this is BULK EMAIL, not spam. It would trigger FP's on every truly double opt-in mailing list. Bayes: if you are an ISP, and not using user based bayes, then your plastic surgeons will be sending and receiving enlargement type emails that are legit, but that a mortgage company would want to block. HABEAS/SENDERBASE, more examples: for ISP/ generic use, maybe letting in commercial bulk email from companies who pay to certify their bulk email is the right thing to do. For a commercial business, maybe not. However, that said, it is possible to build a commercial system that is easy to install, will (out of the box) be about 99% accurate, allows users and it administrators access to reporting and configs, without creating a burden. (no, we don't allow individuals access to ~user/local.cf files ;-), but we do allow admins to turn on and off specific plugins, and users to set their own spam threshold values. Bottom line: same argument for any commercial vs custom system. A 'drop in place, open source' product isn't a product, it's a framework. It will be less accurate, because it wasn't tweaked. A custom product will be harder to build, but will be (eventually) what the company needs (for 1.1mm ;-).
Also, consider the ongoing need to continue to track spam, new spam types and upgrades. A COTS product should offer good support, enough customizations that it will work for your company. I support SA efforts and will continue to since I understand the value of building and working with an open source community. That is why I volunteer my time to maintain the freebsd SA port. If you are trying to block spam for one server, or one company, and you don't want to spend a large amount of time, get a pre-built, supported product. Not a framework. If however, your needs are so unique that a COTS product won't work, then hire a team, build a custom solution. Your choice. (sorry, off my soap box now) -- Michael Scheidell, CTO |SECNAP Network Security
Re: sa-compile errors
I just installed SpamAssassin 3.2.5 and after doing a sa-update and sa-compile I get the following:
Illegal octal digit '8' ignored at /usr/local/bin/sa-compile line 631, $fh line 2436.
Wide character in print at /usr/local/bin/sa-compile line 385, $fh line 2436.
They compile w/o errors, but this does seem strange...
There have been a few updates to re2c. Make sure you have the latest.
--
Michael Scheidell, CTO |SECNAP Network Security
Winner 2008 Network Products Guide Hot Companies
FreeBSD SpamAssassin Ports maintainer
Re: Spamassassin Letting a Lot of Spams Through
On Sunday 14 September 2008 10:06, aladdin wrote: On Sunday 14 September 2008 05:07, you wrote: On Sun, 2008-09-14 at 01:05 -0400, aladdin wrote: So, evidently, it can't find my bayes database. So, since I want to use a system-wide database, where is it (/usr/share/spamassassin?, which has a lot of likely looking files in it), and how do I tell spamd to use it? By default it is in the .spamassassin directory of the user SA runs in. Using /usr/share/spamassin sounds like a bad idea to me: you're attempting to mix site-specific data with system files. Martin Hmmm! Oddly enough, that's where apt (the Debian package manager) put them. So, I guess that leads to two more areas of questions: 1. Is there no precedent for stopping spam using system-wide files? I am almost the sole user of this machine and would like to do this, if it's possible. Why would apt put them there otherwise? 2. If question one leads to user-specific files directories, do I just take the contents of /usr/share/spamassassin and copy it into ~/.spamassassin? The contents of /usr/share/spamassassin are: ### total 676 drwxr-xr-x 2 root root 4096 2008-09-07 19:24 ./ drwxr-xr-x 256 root root 12288 2008-09-07 19:24 ../ -rw-r--r-- 1 root root 5681 2007-02-15 00:28 10_misc.cf snip -rw-r--r-- 1 root root 18944 2007-02-15 00:28 triplets.txt -rw-r--r-- 1 root root 1843 2007-02-15 00:28 user_prefs.template Are these the files to be copied to ~/.spamassassin? As it turns out, I do have a ~/.spamassassin directory. Its current contents are: # -rw--- 1 anw anw 1306624 2008-09-14 03:38 auto-whitelist -rw--- 1 anw anw 88190 2008-07-28 16:52 bayes_journal -rw--- 1 anw anw 684032 2008-07-28 16:52 bayes_seen -rw--- 1 anw anw 5283840 2008-07-28 16:52 bayes_toks -rw-r--r-- 1 anw anw1487 2008-07-28 16:52 user_prefs # Should I just copy the above into it and change the owner/group, and that's how spamassassin is supposed to work? -- Thanks and regards, anw
Re: FM_FAKE_HELO_VERIZON
On Sun, 2008-09-14 at 14:43 +0200, mouss wrote:
verizon.net SPF record includes 206.46.0.0/16.
Verizon SPF'd a class-B space?? Please don't tell me that covers part of their dynamic address pool...
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
[EMAIL PROTECTED] FALaholic #11174 pgpk -a [EMAIL PROTECTED]
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Look at the people at the top of both efforts. Linus Torvalds is a university graduate with a CS degree. Bill Gates is a university dropout who bragged about dumpster-diving and using other peoples' garbage code as the basis for his code. Maybe that has something to do with the difference in quality/security between Linux and Windows. -- anytwofiveelevenis on Y! SCOX
---
3 days until the 221st anniversary of the signing of the U.S. Constitution
RE: Spamassassin Letting a Lot of Spams Through
Hi /usr/share/spamassassin - contains version release time rules, always used unless next dir exists. /var/lib/spamassassin/version/ - contains 'sa-update'ed rules to bring release time rules up to date without needing a full version release /etc/mail/spamassassin - contains site wide rules and settings. ~/.spamassassin contains user specific rules. So copying rules from /usr/share/spamassassin to ~/.spamassassin will achieve nothing. Get the idea now? -- martin -Original Message- From: aladdin [EMAIL PROTECTED] Sent: Sunday, September 14, 2008 3:13 PM To: users@spamassassin.apache.org Subject: Re: Spamassassin Letting a Lot of Spams Through On Sunday 14 September 2008 10:06, aladdin wrote: On Sunday 14 September 2008 05:07, you wrote: On Sun, 2008-09-14 at 01:05 -0400, aladdin wrote: So, evidently, it can't find my bayes database. So, since I want to use a system-wide database, where is it (/usr/share/spamassassin?, which has a lot of likely looking files in it), and how do I tell spamd to use it? By default it is in the .spamassassin directory of the user SA runs in. Using /usr/share/spamassin sounds like a bad idea to me: you're attempting to mix site-specific data with system files. Martin Hmmm! Oddly enough, that's where apt (the Debian package manager) put them. So, I guess that leads to two more areas of questions: 1. Is there no precedent for stopping spam using system-wide files? I am almost the sole user of this machine and would like to do this, if it's possible. Why would apt put them there otherwise? 2. If question one leads to user-specific files directories, do I just take the contents of /usr/share/spamassassin and copy it into ~/.spamassassin? 
The contents of /usr/share/spamassassin are: ### total 676 drwxr-xr-x 2 root root 4096 2008-09-07 19:24 ./ drwxr-xr-x 256 root root 12288 2008-09-07 19:24 ../ -rw-r--r-- 1 root root 5681 2007-02-15 00:28 10_misc.cf snip -rw-r--r-- 1 root root 18944 2007-02-15 00:28 triplets.txt -rw-r--r-- 1 root root 1843 2007-02-15 00:28 user_prefs.template Are these the files to be copied to ~/.spamassassin? As it turns out, I do have a ~/.spamassassin directory. It's current contents are: # -rw--- 1 anw anw 1306624 2008-09-14 03:38 auto-whitelist -rw--- 1 anw anw 88190 2008-07-28 16:52 bayes_journal -rw--- 1 anw anw 684032 2008-07-28 16:52 bayes_seen -rw--- 1 anw anw 5283840 2008-07-28 16:52 bayes_toks -rw-r--r-- 1 anw anw1487 2008-07-28 16:52 user_prefs # Should I just copy the above into it and change the owner/group, and that's how spamassassin is supposed to work? -- Thanks and regards, anw
Re: FM_FAKE_HELO_VERIZON
John Hardin wrote: On Sun, 2008-09-14 at 14:43 +0200, mouss wrote: verizon.net SPF record includes 206.46.0.0/16. Verizon SPF'd a class-B space?? Please don't tell me that covers part of their dynamic address pool... If they block port 25 except for responsible users, I have no problem with that. Maybe some people (Matt?) know more?
Re: access to binary attachments from $PerMsgStatus ?
Christian Recktenwald wrote:
The structure I get from the method argv using the code below lacks contents using the MIME type application/octet-stream - at least.
[...]
for my $i (@{$msg->{body_parts}}) {
Have you tried using the find_parts method? see perldoc Mail::SpamAssassin::Message::Node
Regards /Jonas
--
Jonas Eckerman, FSDB Fruktträdet http://whatever.frukt.org/ http://www.fsdb.org/ http://www.frukt.org/
sa-learn
Dear all, after running sa-learn -D --spam --mbox /var/mail/spam Do I have to save the mails in /var/mail/spam or can I delete them? -- Regards Lars Ebeling http://leopg9.no-ip.org Hobbithobbyist I am not young enough to know everything. -- Oscar Wilde
Re: sa-learn
Lars Ebeling wrote: Dear all, after running sa-learn -D --spam --mbox /var/mail/spam Do I have to save the mails in /var/mail/spam or can I delete them? You can delete them. The only time you'd need them is if you wanted to feed them to sa-learn again (ie: if you decide to wipe your bayes and start over, or if you find you mis-trained a message and want to re-train it properly).
RE: MagicSpam
Hello, I really don't see how Spamassassin is not up to par, considering many high end Net App's use Spamassassin and promote corporate level products that include it. Maybe it needs to be configured correctly? In fact, I don't think I've seen any real rival to Spamassassin - except, maybe, for DSPAM (but I've never used it) - And I don't see how that is going to be any easier to drive than Spamassassin. The only good Spam tagging applications for Windows all seem to have Spamassassin inside them somewhere. None of my users know how to use Spamassassin, in fact, none of my co-workers do either. I wouldn't even pretend to try and get them to do anything to it, apart from send Missed Spam back for Bayes training. If it is other Admins you're giving the product to, and they don't/can't understand it, then they shouldn't be running it. no clue how to use it and what it's designed to do - sounds like they need some education, these naïve people that you give Spamassassin to. Cheers, Mike -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Friday, 12 September 2008 5:12 a.m. To: users@spamassassin.apache.org Subject: MagicSpam Does anybody have any experience with this product? My company wants to replace SpamAssassin with this product, due to SpamAssassin being not being up to par other products. My argument is that people we give SpamAssassin to have no clue how to use it and what it's designed to do, therefore they think it sucks.
Re: FM_FAKE_HELO_VERIZON
On Sunday 14 September 2008, mouss wrote: John Hardin wrote: On Sun, 2008-09-14 at 14:43 +0200, mouss wrote: verizon.net SPF record includes 206.46.0.0/16. Verizon SPF'd a class-B space?? Please don't tell me that covers part of their dynamic address pool... If they block port 25 except for responsible users, I have no problem with that. Maybe some people (Matt?) know more? I sure would have a problem with that. Its bad enough I have to run my web server by natting port 85 to 80 cuz vz blocks port 80 so you'll build your web pages with their service they they can load up with commercials. I pull from 3 different mail servers cuz vz has some pretty weird ideas about what is good mail and what is spam, they have blocked lkml, the busiest list in linuxdom as that much traffic has to be spam. I can also post through all three of the servers I suck from, and if they start blocking 25 that isn't addressed to their server, my first email will be to the FCC demanding they lose their common carrier status. -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Work is the crab grass in the lawn of life. -- Schulz
Re: FM_FAKE_HELO_VERIZON
Gene Heskett wrote: On Sunday 14 September 2008, mouss wrote: John Hardin wrote: On Sun, 2008-09-14 at 14:43 +0200, mouss wrote: verizon.net SPF record includes 206.46.0.0/16. Verizon SPF'd a class-B space?? Please don't tell me that covers part of their dynamic address pool... If they block port 25 except for responsible users, I have no problem with that. Maybe some people (Matt?) know more? I sure would have a problem with that. Its bad enough I have to run my web server by natting port 85 to 80 cuz vz blocks port 80 so you'll build your web pages with their service they they can load up with commercials. I pull from 3 different mail servers cuz vz has some pretty weird ideas about what is good mail and what is spam, they have blocked lkml, the busiest list in linuxdom as that much traffic has to be spam. I can also post through all three of the servers I suck from, and if they start blocking 25 that isn't addressed to their server, my first email will be to the FCC demanding they lose their common carrier status. When we say an ISP blocks outbound port 25, we mean they force passing via their relay. or if you prefer, they block TCP packets where the foreign port is 25 (if dest IP is external, dest port must not be 25. and if source port is external, source port must not be 25). This doesn't limit the recipients of their mail to the ISP customers. nor should this limit the sender to the ISP domain (some ISPs are known to limit to N declared sender domains though).
Re: FM_FAKE_HELO_VERIZON
On Sunday 14 September 2008, mouss wrote: Gene Heskett wrote: On Sunday 14 September 2008, mouss wrote: John Hardin wrote: On Sun, 2008-09-14 at 14:43 +0200, mouss wrote: verizon.net SPF record includes 206.46.0.0/16. Verizon SPF'd a class-B space?? Please don't tell me that covers part of their dynamic address pool... If they block port 25 except for responsible users, I have no problem with that. Maybe some people (Matt?) know more? I sure would have a problem with that. Its bad enough I have to run my web server by natting port 85 to 80 cuz vz blocks port 80 so you'll build your web pages with their service they they can load up with commercials. I pull from 3 different mail servers cuz vz has some pretty weird ideas about what is good mail and what is spam, they have blocked lkml, the busiest list in linuxdom as that much traffic has to be spam. I can also post through all three of the servers I suck from, and if they start blocking 25 that isn't addressed to their server, my first email will be to the FCC demanding they lose their common carrier status. When we say an ISP blocks outbound port 25, we mean they force passing via their relay. or if you prefer, they block TCP packets where the foreign port is 25 (if dest IP is external, dest port must not be 25. and if source port is external, source port must not be 25). Yes, same definition I'm using. This doesn't limit the recipients of their mail to the ISP customers. nor should this limit the sender to the ISP domain (some ISPs are known to limit to N declared sender domains though). No, but they use it as I stated, to make you put your web visible stuff on their servers, where they can surround it with their commercials. So they block port 80 going out to their customers. Silently, and they deny at at tech support to their last breath. Like comcast, to do so and lose the common carrier status, would cost them millions. Tain't gonna happen as long as Bushco is naming commissioners. 
That said, I have relatively little faith that the commission would act, there are far too many commercial folks all too willing to treat the commissioners to whatever they might indicate they need. And as in any other enterprise, its only illegal if you get caught. The catchers unforch are busy. And so it goes... -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) Disclaimer: These opinions are my own, though for a small fee they be yours too. -- Dave Haynie
Re: Spamassassin Letting a Lot of Spams Through
Yeah, I'm strugglin'! I'm new to spamassassin, and don't know what rbl's and uri-rbl's are, and, if you've had a chance to see further emails, my sa-update is broken. When you get to your system, I'd appreciate any further insight you may have. Thanks! On Sunday 14 September 2008 16:21, Martin.Hepworth wrote: Well you normally need to add in extra rules from rulesemporium.com also. 3.1.7 is ages old (there's surprise for a debian port!) and getting sa-update will help also. I'd check your running rbl's and uri-rbls (check you've got dns checks set and running ok). If you struggle I'll get more info on this when i've better access to my system than a windows mobile pda! As for bayes, force the bayes to a globally writable dir, as right now only root can access it! -- martin -Original Message- From: aladdin [EMAIL PROTECTED] Sent: Sunday, September 14, 2008 6:35 PM To: users@spamassassin.apache.org Subject: Re: Spamassassin Letting a Lot of Spams Through Thanks, Martin, for the reply. Well, I guess I get the idea; what that doesn't explain now is why my spam scores (on what one would think is really obvious spam) are so low and why the log says it can't find the bayes database. On Sunday 14 September 2008 12:01, Martin.Hepworth wrote: Hi /usr/share/spamassassin - contains version release time rules, always used unless next dir exists. /var/lib/spamassassin/version/ - contains 'sa-update'ed rules to bring release time rules up to date without needing a full version release /etc/mail/spamassassin - contains site wide rules and settings. ~/.spamassassin contains user specific rules. So copying rules from /usr/share/spamassassin to ~/.spamassassin will achieve nothing. Get the idea now? 
-- martin -Original Message- From: aladdin [EMAIL PROTECTED] Sent: Sunday, September 14, 2008 3:13 PM To: users@spamassassin.apache.org Subject: Re: Spamassassin Letting a Lot of Spams Through On Sunday 14 September 2008 10:06, aladdin wrote: On Sunday 14 September 2008 05:07, you wrote: On Sun, 2008-09-14 at 01:05 -0400, aladdin wrote: So, evidently, it can't find my bayes database. So, since I want to use a system-wide database, where is it (/usr/share/spamassassin?, which has a lot of likely looking files in it), and how do I tell spamd to use it? By default it is in the .spamassassin directory of the user SA runs in. Using /usr/share/spamassin sounds like a bad idea to me: you're attempting to mix site-specific data with system files. Martin Hmmm! Oddly enough, that's where apt (the Debian package manager) put them. So, I guess that leads to two more areas of questions: 1. Is there no precedent for stopping spam using system-wide files? I am almost the sole user of this machine and would like to do this, if it's possible. Why would apt put them there otherwise? 2. If question one leads to user-specific files directories, do I just take the contents of /usr/share/spamassassin and copy it into ~/.spamassassin? The contents of /usr/share/spamassassin are: ### total 676 drwxr-xr-x 2 root root 4096 2008-09-07 19:24 ./ drwxr-xr-x 256 root root 12288 2008-09-07 19:24 ../ -rw-r--r-- 1 root root 5681 2007-02-15 00:28 10_misc.cf snip -rw-r--r-- 1 root root 18944 2007-02-15 00:28 triplets.txt -rw-r--r-- 1 root root 1843 2007-02-15 00:28 user_prefs.template Are these the files to be copied to ~/.spamassassin? As it turns out, I do have a ~/.spamassassin directory. 
It's current contents are: # -rw--- 1 anw anw 1306624 2008-09-14 03:38 auto-whitelist -rw--- 1 anw anw 88190 2008-07-28 16:52 bayes_journal -rw--- 1 anw anw 684032 2008-07-28 16:52 bayes_seen -rw--- 1 anw anw 5283840 2008-07-28 16:52 bayes_toks -rw-r--r-- 1 anw anw1487 2008-07-28 16:52 user_prefs # Should I just copy the above into it and change the owner/group, and that's how spamassassin is supposed to work? -- Thanks and regards, Allen Williams Office: +1.321.309.7931 Mobile: +1.321.258.1272
Re: FM_FAKE_HELO_VERIZON
At 03:33 14-09-2008, jpff wrote:
I have a user of a mailing list who is sending from a Verizon system, and is being marked as spam. Some is use of HTML etc but
* 2.0 BOTNET_CLIENT Relay has a client-like hostname
*     [botnet_client,ip=206.46.173.1,hostname=vms173001pub.verizon.net, ipinhostname]
* 2.6 FM_FAKE_HELO_VERIZON Looks like a fake verizon.net helo.
are the two that do not seem to be under control. The mailing list archive seems to be hiding the headers at present.
The first rule is not a SpamAssassin (project) rule. It incorrectly detects the hostname as a botnet client. A bug report has been posted for the second rule.
Regards, -sm