SARE Update: 90_2tld.cf

2008-11-01 Thread Yet Another Ninja

http://www.rulesemporium.com/rules/90_2tld.cf

have a good weekend


Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Randy <[EMAIL PROTECTED]> writes:

> Micah Anderson wrote:
>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>>   
> Report these and maybe they will add something that catches them. If
> one wanted to, they can get any mail they want through your filters if
> they are good and don't use things that trigger the rules.

Report them where exactly?

Here is an example one I received recently, note the hideously low bayes
score on this one, caused it to autolearn as ham even, grr.


From [EMAIL PROTECTED] Fri Oct 31 20:00:45 2008
Return-Path: <[EMAIL PROTECTED]>
X-OfflineIMAP-x792266711-4c6f63616c-494e424f58: 1225549253-0134941395044-v6.0.3
X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on spamd2.riseup.net
X-Spam-Level: 
X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
autolearn=ham version=3.2.5
Delivered-To: [EMAIL PROTECTED]
Received: from mx1.riseup.net (unknown [10.8.0.3])
by cormorant.riseup.net (Postfix) with ESMTP id 58BFA19581F7
for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:40 -0700 (PDT)
Received: from master.debian.org (master.debian.org [70.103.162.29])
by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
Received: from cat.cybersurf.net ([209.197.145.185] helo=cat.cia.com)
by master.debian.org with esmtp (Exim 4.63)
(envelope-from <[EMAIL PROTECTED]>)
id 1Kw6j8-0003iT-Ix
for [EMAIL PROTECTED]; Sat, 01 Nov 2008 03:00:38 +
Received: from reef.cybersurf.com ([209.197.145.198])
by cat.cia.com with esmtp (Exim 4.50)
id 1Kw6iz-0002Li-Pg; Fri, 31 Oct 2008 21:00:29 -0600
Received: from apache by reef.cybersurf.com with local (Exim 4.44)
id 1Kw6j0-0006W5-UJ; Fri, 31 Oct 2008 20:00:30 -0700
Received: from 196-207-0-227.netcomng.com (196-207-0-227.netcomng.com 
[196.207.0.227]) 
by webmail.3web.com (IMP) with HTTP 
for <[EMAIL PROTECTED]>; Sat,  1 Nov 2008 14:00:30 +1100
Message-ID: <[EMAIL PROTECTED]>
Date: Sat,  1 Nov 2008 14:00:30 +1100
From: WEBMAIL Help Desk <[EMAIL PROTECTED]>
Reply-to: [EMAIL PROTECTED]
Subject: WEBMAIL Help Desk
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
User-Agent: Internet Messaging Program (IMP) 3.2.1
X-Originating-IP: 196.207.0.227
To: undisclosed-recipients:;
X-Virus-Scanned: ClamAV 0.94/8552/Fri Oct 31 18:14:36 2008 on mx1.riseup.net
X-Virus-Status: Clean
Status: RO
Content-Length: 1427
Lines: 38


Dear Webmail User,
This message was sent automatically by a program on Webmail which
periodically checks the size of inboxes, where new messages are
received.
The program is run weekly to ensure no one's inbox grows too large. If
your inbox becomes too large, you will be unable to receive new email.
Just before this message was sent, you had 18 Megabytes (MB) or more of
messages stored in your inbox on your Webmail. To help us re-set your
SPACE on our database prior to maintain your INBOX, you must reply to
this e-mail and enter your

Current User name ()
and Password(   ).

You will continue to receive this warning message periodically if your
inbox size continues to be between 18 and 20 MB. If your inbox size
grows to 20 MB, then a program on Bates Webmai
will move your oldest email to a
folder in your home directory to ensure that you will continue to be
able to receive incoming email. You will be notified by email that this
has taken place. If your inbox grows to 25 MB, you will be unable to
receive new email as it will be returned to the sender.
After you read a message, it is best to REPLY and SAVE it to another
folder.

Thank you for your cooperation.
WEBMAIL Help Desk






---
3webXS HiSpeed Dial-up...surf up to 5x faster than regular dial-up alone... 
just $14.90/mo...visit www.get3web.com for details





Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Karsten Bräckelmann <[EMAIL PROTECTED]> writes:

> On Thu, 2008-10-30 at 15:56 -0400, Micah Anderson wrote:
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>> 
>> postfix is doing:
>>  reject_rbl_client   b.barracudacentral.org,
>>  reject_rbl_client   zen.spamhaus.org,
>>  reject_rbl_client   list.dsbl.org,
>> 
>> I've got clamav pulling signatures updated once a day from sanesecurity
>> (phishing, spam, junk, rogue), SecuriteInfo (honeynet, vx,
>> securesiteinfo) and Malware Black List, MSRBL (images, spam).
>
> I'd increase this, at least for the SaneSecurity phish sigs. They are
> being updated much more frequently.

Thanks for the pointer. For some reason I thought I had read on the
SaneSecurity site that you shouldn't pull more than once a day, but now
after you mentioned it I went and read again and they ask you don't pull
more frequently than once an hour... so I've changed that cronjob, that
should help.

>> I've got spamassassin 3.2.5 with URIBL plugin loaded (which I understand
>> pulls in the 25_uribl.cf automatically, right? Or do I need to configure
>
> Yes, unless you disable network tests in general. Should be easy to
> answer yourself if they are working, just by grepping for the rule names
> defined in 25_uribl.cf.

Network tests aren't disabled, and yeah I am seeing those rules occur in
some of my headers of mail that I can search through, so I think that
they are working. I've increased my overall URIBL scoring to 2.5 from
the default.

>> Sadly, I do not have an example I can share at the moment, as I
>> typically delete them in a rage after training my bayes filter on
>> them. However, I am looking for any suggestions of other things I can
>> turn on... in particular, are there rules that people have created that
>> look for certain keywords where the body is asking for your
>> account/password information?
>
> So you've pretty much thrown everything at it you could find... ;)  And
> they are still slipping through? How many are we talking here? Compared
> to the total number of spam / phish?
>
> Also, how many are being caught? Strikes me as odd that you don't have a
> sample but yet sound like every single one is slipping by.

These are hard for me to answer as I am not doing any analysis of how
many are caught. In the last week, I've gotten four of them through, and
I've received reports from a number of users that they too have received
them.

I've just sent a sample to the list however. 

> I guess, I would start verifying that all the above actually is working.
> Most notably the SaneSecurity phish sigs. ClamAV should catch the lions
> share, by far, assuming it comes before SA in your chain.

Yeah, I'm using the clamav-milter, so those get rejected really early
on.

Thanks for the ideas,
Micah



Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Joseph Brennan <[EMAIL PROTECTED]> writes:

> Micah Anderson <[EMAIL PROTECTED]> wrote:
>
>> I keep getting hit by phishing attacks, and they aren't being stopped by
>> anything I've thrown up in front of them:
>
> Do you mean attempts to get your users to send their passwords,
> or fake mail pretending to be from banks?

I mean attempts to get my users to send their passwords, are these not
called phishing?

micah



Re: Phishing rules?

2008-11-01 Thread Micah Anderson
Brent Clark <[EMAIL PROTECTED]> writes:

> Hiya
>
> See SA examples
>
> http://wiki.junkemailfilter.com/index.php/Spam_DNS_Lists
>
> Also add hostkarma.junkemailfilter.com to you DNSBL.

Thanks, I'll add this to my local.cf and see how it goes.

> Another thing I do find is useful is adding additional higher valued
> MX records.
>
> http://www.junkemailfilter.com/spam/support.html

I don't really like the idea of adding some other site's MX to my DNS, so
I think I'll pass on this one.

thanks for the suggestions!
micah



Re: Phishing rules?

2008-11-01 Thread SM

At 07:56 01-11-2008, Micah Anderson wrote:
> Here is an example one I received recently, note the hideously low bayes
> score on this one, caused it to autolearn as ham even, grr.

[snip]

> X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>   autolearn=ham version=3.2.5

The sender is whitelisted by www.dnswl.org.

> Received: from master.debian.org (master.debian.org [70.103.162.29])
>   by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>   for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)

The mail is coming through debian.org.  Do you want to blacklist that host?

Regards,
-sm 



Re: Phishing rules?

2008-11-01 Thread Joseph Brennan




> Reply-to: [EMAIL PROTECTED]

First pass:

header  LOCAL_REPLYTO_LIVE  Reply-to =~ /[EMAIL PROTECTED]/
score   LOCAL_REPLYTO_LIVE  8.0

Maybe scoring 8.0 for one thing scares you, but I haven't seen this
fp in a couple of months.

Joseph Brennan
Columbia University Information Technology




Re: Phishing rules?

2008-11-01 Thread Joseph Brennan


Micah Anderson <[EMAIL PROTECTED]> wrote:

> I mean attempts to get my users to send their passwords, are these not
> called phishing?

Yes, it's phishing, but for those you might want to make local rules to
catch things specific to your own web mail system and domain.

I find myself reluctant to publish all the patterns we check, in case
someone is watching, but taking your sample, these would match here:


/Dear .{0,12}(web ?mail|columbia\.edu)/i

/Password.{0,10}\([\s\.\*\_]+\)/

/you must reply to this email/i

Reply-to =~ /[EMAIL PROTECTED]/


The first of course is partly local to us.  Another useful local rule
is to check for the uri of your own webmail.

Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology




Casino scams

2008-11-01 Thread Martin Gregorie
I've started to see Casino spam in the last week and noticed that, of
the five examples I captured, only one was hit by the FM_VEGAS_CASINO
rule, which appears to be too narrowly targeted on Las Vegas casinos.

I've written a rule that hits all five example messages and none
of the other 59 messages in my rogues gallery. If this is of interest to
the rest of the SA community, kindly let me know how new rule
suggestions should be submitted.

Martin




Re: Phishing rules?

2008-11-01 Thread Karsten Bräckelmann
On Sat, 2008-11-01 at 11:30 -0400, Micah Anderson wrote:
> Joseph Brennan <[EMAIL PROTECTED]> writes:

> > Do you mean attempts to get your users to send their passwords,
> > or fake mail pretending to be from banks?
> 
> I mean attempts to get my users to send their passwords, are these not
> called phishing?

An important bit of information, missing from the OP. :)  Targeted
attacks at your users, so the general phishing BLs don't really apply.

Anyway, can't you educate your users, that

(a) Any administrative email will be sent from an official, well known,
internal address? That means *not* an arbitrary address. Yes, sorry,
the obvious...
(b) They will *never* ever be asked for a password by mail. Period.
Again, obvious...

Then block internal / administrative From addresses coming from any
external SMTP.

This is not a technical way of stopping these, but an educational
approach to prevent the most dumb and gross social engineering. At least
the second one actually should be well-known, and I've seen ISPs
pointing it out frequently...

  guenther


-- 
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: Casino scams

2008-11-01 Thread Karsten Bräckelmann
Please do not hi-jack threads. Compose a new email rather than hitting
Reply. Changing the subject does not make it a new thread.


Well, at least it's related. ;)

On Sat, 2008-11-01 at 17:00 +, Martin Gregorie wrote:
> I've started to see Casino spam in the last week and noticed, that of
> the five examples I captured, only one was hit by the FM_VEGAS_CASINO
> rule, which appears to be too narrowly targeted on Las Vegas casinos

These are actually malware spreading mail. ClamAV plus its third-party
SaneSecurity phish sigs do stop almost all of those quite nicely.

Also, various URI BLs should include the URIs rather early. Are you
perhaps missing some of these in your SA setup? Maybe put some examples
up a pastebin and send the link here.


> I've written a rule that hits all five example messages and none
> of the other 59 messages on my rogues gallery. If this is of interest to
> the rest of the SA community, kindly let me know how new rule
> suggestions should be submitted.

If you're feeling confident about the rule, you can open a new bug.
However, you always can simply post it here for discussion and a broader
peer-review first in either case.

  guenther





Re: Casino scams

2008-11-01 Thread Martin Gregorie
On Sat, 2008-11-01 at 18:20 +0100, Karsten Bräckelmann wrote:

> Also, various URI BLs should include the URIs rather early. Are you
> perhaps missing some of these in your SA setup? Maybe put some examples
> up a pastebin and send the link here.
> 
I'm running the standard SA setup without any additional rulesets apart
from private ones I've written for amusement and self-education. I have
blacklist interrogation enabled.

> If you're feeling confident about the rule, you can open a new bug.
> However, you always can simply post it here for discussion and a broader
> peer-review first in either case.
> 
Here's the rule with spaces removed from the meta-rule to prevent it
line-wrapping. Unfortunately, the 4th sub-rule has wrapped and there's
not a lot I can do about that.

describe MG_CASINO  Casino gambling
body     __MG_CAS1  /(csnaio|casino)/i
header   __MG_CAS2  Subject =~ /casino/i
header   __MG_CAS3  From =~ /casino/i
body     __MG_CAS4  /(\$[0-9]+|[0-9]+ *euro|gold|real deal|invite.*play)/i
meta     MG_CASINO  ((__MG_CAS1||__MG_CAS2||__MG_CAS3)&&__MG_CAS4)
score    MG_CASINO  2.0

and here's one of the messages I mentioned:

http://pastebin.com/m1de987d0


Martin




Rather OT: Perl advice sought

2008-11-01 Thread Martin Gregorie
I hope this isn't too OT for this list, but here goes:

I've just copied and hacked the SentOutDB plugin and its associated rule
to make a plugin for a private whitelist. The plugin queries a view of
my PostgreSQL-based mail archive. This whitelists anybody that mail has
been sent to. 

The plugin and whitelisting are working reliably but writing the plugin
reminded me that my knowledge of Perl is out of date. I learnt it in the
latter days of Perl 4, i.e. before the OO extensions, and haven't used
it since. I learnt from the O'Reilly Camel book, Programming Perl, which
I still have and like.

Now I need a refresher, so if anybody can recommend a suitable book I'd
be grateful. Would the latest edition of Programming Perl be a good
choice?

Martin




Re: Phishing rules?

2008-11-01 Thread Joseph Brennan


Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:

> Anyway, can't you educate your users


Experience tells me the answer is no, or at least a qualified no.  And
we're supposed to have smart people here.

I suppose the number of responses might be even higher if we did not
try to educate people.  I'll try to comfort myself with that.


Joseph Brennan
Lead Email Systems Engineer
Columbia University Information Technology



Re: Casino scams

2008-11-01 Thread Karsten Bräckelmann
On Sat, 2008-11-01 at 19:54 +, Martin Gregorie wrote:
> On Sat, 2008-11-01 at 18:20 +0100, Karsten Bräckelmann wrote:
> 
> > Also, various URI BLs should include the URIs rather early. Are you
> > perhaps missing some of these in your SA setup? Maybe put some examples
> > up a pastebin and send the link here.
> 
> I'm running the standard SA setup without any additional rulesets apart
> from private ones I've written for amusement and self-education. I have
> blacklist interrogation enabled.
> 
> > If you're feeling confident about the rule, you can open a new bug.
> > However, you always can simply post it here for discussion and a broader
> > peer-review first in either case.
> > 
> Here's the rule with spaces removed from the meta-rule to prevent it
> line-wrapping. Unfortunately, the 4th sub-rule has wrapped and there's
> not a lot I can do about that.

Yes, there is. Your MUA, Evolution, features pre-formatted paragraphs in
the Composer. But I don't feel like repeating myself today.


> describe MG_CASINO  Casino gambling
> body     __MG_CAS1  /(csnaio|casino)/i
> header   __MG_CAS2  Subject =~ /casino/i
> header   __MG_CAS3  From =~ /casino/i
> body     __MG_CAS4  /(\$[0-9]+|[0-9]+ *euro|gold|real deal|invite.*play)/i
> meta     MG_CASINO  ((__MG_CAS1||__MG_CAS2||__MG_CAS3)&&__MG_CAS4)
> score    MG_CASINO  2.0

Hmm, it might be worth for local rules, to score at least a few of
them on sight with a low score, yet keeping them in the meta. (Yes,
single word rules are generally bad, but scoring a From header that
contains specific words might help catch these.) I'd enforce word
breaks, though.


> and here's one of the messages I mentioned:
> 
> http://pastebin.com/m1de987d0

X-Spam-Status: No, score=5.2 required=6.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE

This one would have been flagged as spam when using the default
required_score spam threshold of 5.0. Also, I notice you're apparently
not using Bayes, which likely could raise the score above your 6.0
threshold, when trained on these.

On my check the sample also scored 0.8 for SPF_HELO_SOFTFAIL. Plus
Pyzor, which is not enabled by default unless you install Pyzor.

URIBL_BLACK as well as SURBL JP and OB triggered for me. These might
very well be updated *after* you received that mail, but it won't hurt
to check, if they are working for you at all.

Oh, and then I got a custom rule worth 0.5 for any single Relay, direct
client to MX mail.

HTH

  guenther





Re: Casino scams

2008-11-01 Thread Arthur Dent
On Sat, Nov 01, 2008 at 11:19:44PM +0100, Karsten Bräckelmann wrote:
> On Sat, 2008-11-01 at 19:54 +, Martin Gregorie wrote:
> > On Sat, 2008-11-01 at 18:20 +0100, Karsten Bräckelmann wrote:
> 
..snip..
> 
> > and here's one of the messages I mentioned:
> > 
> > http://pastebin.com/m1de987d0
> 
> X-Spam-Status: No, score=5.2 required=6.0 tests=HTML_MESSAGE,MIME_HTML_ONLY,
> RCVD_IN_PBL,RCVD_IN_XBL,RDNS_NONE
> 
> This one would have been flagged as spam when using the default
> required_score spam threshold of 5.0. Also, I notice you're apparently
> not using Bayes, which likely could raise the score above your 6.0
> threshold, when trained on these.
> 
> On my check the sample also scored 0.8 for SPF_HELO_SOFTFAIL. Plus
> Pyzor, which is not enabled by default unless you install Pyzor.
> 
> URIBL_BLACK as well as SURBL JP and OB triggered for me. These might
> very well be updated *after* you received that mail, but it won't hurt
> to check, if they are working for you at all.
> 
> Oh, and then I got a custom rule worth 0.5 for any single Relay, direct
> client to MX mail.

And for me it scored 13 (and that was despite bayes_00 scoring at -2.6! - I
guess I haven't been blessed with any of these myself :)).

A large part of that score was from the Botnet plugin. It might be worth
looking into that...

HTH

Mark



pgpvpAbX4HgEX.pgp
Description: PGP signature


Re: Casino scams

2008-11-01 Thread Martin Gregorie
On Sat, 2008-11-01 at 23:19 +0100, Karsten Bräckelmann wrote:

> Yes, there is. Your MUA, Evolution, features pre-formatted paragraphs in
> the Composer. But I don't feel like repeating myself today.
> 
True enough. It usually merely annoys me when replying to messages sent by
some, probably MS, MUA that sends paragraphs as one long line. It's not
identifying itself, but it uses a message id of
[EMAIL PROTECTED] which should be rather
distinctive. I must remember to use it selectively to prevent line
wrapping.
 
> > describe MG_CASINO  Casino gambling
> > body     __MG_CAS1  /(csnaio|casino)/i
> > header   __MG_CAS2  Subject =~ /casino/i
> > header   __MG_CAS3  From =~ /casino/i
> > body     __MG_CAS4  /(\$[0-9]+|[0-9]+ *euro|gold|real deal|invite.*play)/i
> > meta     MG_CASINO  ((__MG_CAS1||__MG_CAS2||__MG_CAS3)&&__MG_CAS4)
> > score    MG_CASINO  2.0
> 
> Hmm, it might be worth for local rules, to score at least a few of
> them on sight with a low score, yet keeping them in the meta. (Yes,
> single word rules are generally bad, but scoring a From header that
> contains specific words might help catch these.) I'd enforce word
> breaks, though.
> 
...and reduce the meta score to compensate? 

Has the Perl regex syntax changed since Perl4? If it has I think I need
to get another Perl book before venturing away from the simple subset
I'm comfortable with.

> This one would have been flagged as spam when using the default
> required_score spam threshold of 5.0.
>
I'm thinking about reducing that back to the default. I initially set it
higher while finding out how to use SA.

>  Also, I notice you're apparently
> not using Bayes, which likely could raise the score above your 6.0
> threshold, when trained on these.
> 
Not entirely. It's enabled but I'm only using auto-learn with default
thresholds. However it's probably not doing much at present because I
recently reset it by deleting the bayes database.

> On my check the sample also scored 0.8 for SPF_HELO_SOFTFAIL. Plus
> Pyzor, which is not enabled by default unless you install Pyzor.
> 
Noted.

> URIBL_BLACK as well as SURBL JP and OB triggered for me. These might
> very well be updated *after* you received that mail, but it won't hurt
> to check, if they are working for you at all.
> 
Yes, they are now scoring here too.

> Oh, and then I got a custom rule worth 0.5 for any single Relay, direct
> client to MX mail.
> 
Nope, I'm not seeing that one.

Thanks for your input.

Martin





Re: Casino scams

2008-11-01 Thread Karsten Bräckelmann
On Sat, 2008-11-01 at 22:54 +, Martin Gregorie wrote:
> On Sat, 2008-11-01 at 23:19 +0100, Karsten Bräckelmann wrote:
> 
> > Yes, there is. Your MUA, Evolution, features pre-formatted paragraphs in
> > the Composer. But I don't feel like repeating myself today.
> 
> [...] I must remember to use it selectively to prevent line wrapping.

It's most handy for code snippets, config and logs slightly exceeding
the default line-wrapping width. But I digress...


> > > describe MG_CASINO  Casino gambling
> > > body     __MG_CAS1  /(csnaio|casino)/i
> > > header   __MG_CAS2  Subject =~ /casino/i
> > > header   __MG_CAS3  From =~ /casino/i
> > > body     __MG_CAS4  /(\$[0-9]+|[0-9]+ *euro|gold|real deal|invite.*play)/i
> > > meta     MG_CASINO  ((__MG_CAS1||__MG_CAS2||__MG_CAS3)&&__MG_CAS4)
> > > score    MG_CASINO  2.0
> > 
> > Hmm, it might be worth for local rules, to score at least a few of
> > them on sight with a low score, yet keeping them in the meta. (Yes,
> > single word rules are generally bad, but scoring a From header that
> > contains specific words might help catch these.) I'd enforce word
> > breaks, though.
> 
> ...and reduce the meta score to compensate? 

Well, that's up to you. ;)  The score is rather arbitrary, so you can
use whatever you feel comfortable with.

Reducing the meta score to compensate indeed might be good. My thought
was, to partially split up the score in case the meta doesn't match. I
guess the word "casino" in either the Subject or (even stronger) From
header might be worth at least 0.2 or something on its own.


One note I missed earlier, regarding the quantifiers: Using unbounded
quantifiers can and will be expensive. Wherever possible you should use
bounds. So, rather than /.*/, using /.{0,20}/ with a suitable upper
bound will prevent the RE from backtracking an entire mail. Similar for
any occurrence of the + quantifier, of course.


> Has the Perl regex syntax changed since Perl4? If it has I think I need
> to get another Perl book before venturing away from the simple subset
> I'm comfortable with.

Yes, it did change -- not positive about Perl 4, but I guess it's mostly
additions only to the RE syntax. In particular a "simple subset" likely
should still be valid.

You can find more info than you ever want here:
  http://perldoc.perl.org/perlre.html

Assuming this was due to recommending word boundaries (see Regular
Expressions / Assertions in perlre), here's a rewritten From matching
rule:
  header   __MG_CAS3  From =~ /\bcasino\b/i


> > This one would have been flagged as spam when using the default
> > required_score spam threshold of 5.0.
> 
> I'm thinking about reducing that back to the default. I initially set it
> higher while finding out how to use SA.

I see. Something to keep in mind when pondering if it's actually worth
the effort of writing custom rules -- it might not, if you're going to
use the default anyway.


> >  Also, I notice you're apparently
> > not using Bayes, which likely could raise the score above your 6.0
> > threshold, when trained on these.
> 
> Not entirely. Its enabled but I'm only using auto-learn with default
> thresholds. However its probably not doing much at present because I
> recently reset it by deleting the bayes database.

Ah, so that's why it didn't show up -- since dropping your Bayes DB, SA
didn't learn sufficient ham and spam mail (200 each by default). You
should bootstrap and do some initial learning with existing ham and spam
respectively.

Also, as you can see in this example, you specifically should train
low-scoring and missed spam after the initial training. SA did not
auto-learn this one, because it is way below the threshold(s).


> > On my check the sample also scored 0.8 for SPF_HELO_SOFTFAIL. Plus
> > Pyzor, which is not enabled by default unless you install Pyzor.
> 
> Noted.

Pyzor is more complicated to set up and heavy-weight. The missing
SPF_HELO_SOFTFAIL though likely is simply because you don't have the
Perl Mail::SPF module installed. If you do, it should start working
out-of-the-box.


> > Oh, and then I got a custom rule worth 0.5 for any single Relay, direct
> > client to MX mail.
> 
> Nope, I'm not seeing that one.

That's because it is a custom rule on my setup. :)

  guenther


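The following is an added example, not code from this thread or from SpamAssassin itself. It is a small Python stand-in for the SA rule engine that applies the two rule sets discussed above: Joseph's local phishing patterns and Reply-to check (from his "Re: Phishing rules?" replies) and Martin's MG_CASINO meta rule as Karsten suggested tightening it (word breaks, bounded quantifiers instead of `.*` and `+`, and the From-header check split out as a low-scoring rule that still feeds the meta). It runs the rules over three constructed messages: the webmail-quota phish quoted earlier in the thread (addresses replaced with placeholders in the reserved `.invalid` TLD), a casino mail modelled on Martin's description, and a harmless invoice. Rule names, scores and the `freemail.invalid` domain in the Reply-to rule are assumptions for illustration. One caveat worth noting: the quoted phish spells "e-mail" with a hyphen, so the reply pattern below uses `e-?mail`, and the body is whitespace-collapsed before matching, as SA does, because the phrase is split across two lines in the original mail.

```python
import re
from email import message_from_string

# Rules as (name, kind, header, pattern, score). Names starting with "__" are
# SpamAssassin-style sub-rules: they only feed metas and never score alone.
# Phish patterns follow Joseph's; "e-?mail" allows the hyphen the quoted phish
# actually uses. Casino rules follow Martin's, with Karsten's word breaks and
# bounded quantifiers, and the From check split out as a scored rule.
# The freemail domain and every score here are assumptions for this example.
RULES = [
    ("__PHISH_DEAR",   "body",   None,       r"(?i)Dear .{0,12}web ?mail",          0.0),
    ("__PHISH_PASSWD", "body",   None,       r"Password.{0,10}\([\s.*_]+\)",        0.0),
    ("__PHISH_REPLY",  "body",   None,       r"(?i)you must reply to this e-?mail", 0.0),
    ("LOCAL_REPLYTO_FREEMAIL", "header", "Reply-to", r"(?i)@freemail\.invalid\b", 8.0),
    ("__MG_CAS1",      "body",   None,       r"(?i)\b(csnaio|casino)\b",            0.0),
    ("__MG_CAS2",      "header", "Subject",  r"(?i)\bcasino\b",                     0.0),
    ("MG_CAS_FROM",    "header", "From",     r"(?i)\bcasino\b",                     0.2),
    ("__MG_CAS4",      "body",   None,
     r"(?i)(\$[0-9]{1,9}|[0-9]{1,9} {0,3}euro|\bgold\b|real deal|invite.{0,20}play)", 0.0),
]

# Metas in SpamAssassin syntax. These strings are trusted local config, never
# message content, which is the only reason eval() is acceptable below.
METAS = [
    ("LOCAL_WEBMAIL_PHISH", "__PHISH_DEAR && __PHISH_PASSWD && __PHISH_REPLY", 6.0),
    ("MG_CASINO", "(__MG_CAS1 || __MG_CAS2 || MG_CAS_FROM) && __MG_CAS4", 2.0),
]


def render_body(msg):
    """Collapse line wraps to single spaces, as SA does before body rules run,
    so a phrase split across two lines of the mail still matches."""
    return " ".join(msg.get_payload().split())


def eval_meta(expr, hits):
    """Evaluate an SA-style meta expression against the sub-rule hit table."""
    py = expr.replace("&&", " and ").replace("||", " or ").replace("!", " not ")
    py = re.sub(r"\b([A-Z_][A-Z0-9_]*)\b",
                lambda m: str(hits.get(m.group(1), False)), py)
    return bool(eval(py, {"__builtins__": {}}, {}))


def score_message(raw):
    """Return (total score, sorted names of the scoring rules that fired)."""
    msg = message_from_string(raw)
    body = render_body(msg)
    hits, total = {}, 0.0
    for name, kind, hdr, pattern, score in RULES:
        text = body if kind == "body" else (msg.get(hdr) or "")
        hits[name] = re.search(pattern, text) is not None
        total += score if hits[name] else 0.0
    for name, expr, score in METAS:
        hits[name] = eval_meta(expr, hits)
        total += score if hits[name] else 0.0
    fired = sorted(n for n, hit in hits.items() if hit and not n.startswith("__"))
    return round(total, 1), fired


# Constructed samples. PHISH reuses the wording of the webmail phish quoted in
# the thread; all addresses are placeholders in the reserved .invalid TLD.
PHISH = """\
From: WEBMAIL Help Desk <helpdesk@webmail.invalid>
Reply-to: webmail.helpdesk@freemail.invalid
Subject: WEBMAIL Help Desk

Dear Webmail User,
This message was sent automatically by a program on Webmail which
periodically checks the size of inboxes. To help us re-set your
SPACE on our database prior to maintain your INBOX, you must reply to
this e-mail and enter your

Current User name ()
and Password(   ).
"""

CASINO = """\
From: Golden Casino Club <promo@casino-club.invalid>
Subject: Your VIP invite

You have been selected. Get $500 free when you join, we invite you to play
the real deal today.
"""

HAM = """\
From: Alice <alice@example.invalid>
Subject: Invoice 4711

Hi, the invoice for 120 euro is attached. Best, Alice
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("casino", CASINO), ("ham", HAM)):
        print(label, *score_message(raw))
```

The invoice mail shows why `__MG_CAS4` must stay an unscored sub-rule: "120 euro" fires it on its own, and only the meta, which also needs a casino indicator, turns that into a score.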



Re: Phishing rules?

2008-11-01 Thread Karsten Bräckelmann
On Sat, 2008-11-01 at 18:01 -0400, Joseph Brennan wrote:
> Karsten Bräckelmann <[EMAIL PROTECTED]> wrote:
> 
> > Anyway, can't you educate your users [...]
> 
> Experience tells me the answer is no, or at least a qualified no.  And
> we're supposed to have smart people here.
> 
> I suppose the number of responses might be even higher if we did not
> try to educate people.  I'll try to comfort myself with that.

Joseph,  I was afraid you or Micah would tell me exactly that. *sigh*





Re: Phishing rules?

2008-11-01 Thread Byung-Hee HWANG
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Micah Anderson wrote:
[...]
> Report them where exactly?
> 
> Here is an example one I received recently, note the hideously low bayes
> score on this one, caused it to autolearn as ham even, grr.
> 
> 
> From [EMAIL PROTECTED] Fri Oct 31 20:00:45 2008
> Return-Path: <[EMAIL PROTECTED]>
> X-OfflineIMAP-x792266711-4c6f63616c-494e424f58: 
> 1225549253-0134941395044-v6.0.3
> X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on spamd2.riseup.net
> X-Spam-Level: 
> X-Spam-Status: No, score=-3.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW
>   autolearn=ham version=3.2.5
> Delivered-To: [EMAIL PROTECTED]
> Received: from mx1.riseup.net (unknown [10.8.0.3])
>   by cormorant.riseup.net (Postfix) with ESMTP id 58BFA19581F7
>   for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:40 -0700 (PDT)
> Received: from master.debian.org (master.debian.org [70.103.162.29])
>   by mx1.riseup.net (Postfix) with ESMTP id AA4465701D1
>   for <[EMAIL PROTECTED]>; Fri, 31 Oct 2008 20:00:39 -0700 (PDT)
[...]
Contact debian.org's list manager instead of other actions. That's more
reasonable. And more, I think we need to study the DKIM specification
[RFC4871] to make the Internet of trust ;;

byunghee
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.0 (FreeBSD)

iEYEARECAAYFAkkNE/oACgkQsCouaZaxlv5YqACeIozvqJ96tTKm4oLnRySHAfc1
xUIAoI0G4FXr+PqdqvULxm0V+xZOSP77
=8NV0
-END PGP SIGNATURE-


Re: OT: DNS restrictions for a mail server

2008-11-01 Thread mouss

Daniel J McDonald wrote:

On Wed, 2008-10-22 at 23:59 +0200, Jonas Eckerman wrote:

Matus UHLAR - fantomas wrote:


In my understanding, these are different concepts. In particular, RMX
doesn't hijack the TXT record, which is one of the major sins of SPF.

Yes, but they both were designed to do the same work. SPF however can do
more. TXT was used because nothing else could, at least I think so.
They could have used a prefix "host" to avoid hijacking the main 
TXT record. (So you'd query the TXT record for 
"__spf__.domain.tld" or something like that instead of the TXT 
record for "domain.tld" when checking SPF.


Could have, but underscores are not a legal character in domain names.


no, they are perfectly legal "in domain names". They are being used in 
DKIM. don't confuse with hostnames.




And now BIND 9.4 supports the SPF RR type, so we just have to wait a
decade or two until everyone still running bind 4.0 has a chance to
upgrade ;-)



and a century until everyone has a chance to upgrade their mail software 
to use the new record ;-p
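The following is an added example, not code from this thread, that makes the distinction mouss draws concrete. A DNS owner name (what a TXT lookup such as an SPF record or a DKIM selector lives under) is only constrained by RFC 2181: labels of 1 to 63 octets, any octet value, so `_domainkey` and `_dmarc` are fine. A hostname (what HELO names, MX targets and A records are held to) follows the stricter RFC 1123 syntax: letters, digits and hyphens, no hyphen at either end. The two validators below encode those two rule sets; the example names are assumptions drawn from the documentation domain example.com.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphen, no hyphen at either
# end, 1 to 63 octets. This is the rule HELO names, MX targets and A/AAAA
# record owners are held to.
_HOST_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)


def _labels(name):
    """Split a name into labels, tolerating one trailing dot (absolute form)."""
    name = name[:-1] if name.endswith(".") else name
    return name.split(".")


def is_hostname(name):
    """True if every label is a valid RFC 1123 hostname label."""
    labels = _labels(name)
    return len(".".join(labels)) <= 253 and all(_HOST_LABEL.match(l) for l in labels)


def is_dns_owner_name(name):
    """True if the name is a valid DNS owner name under RFC 2181: any octets,
    each label 1..63 long, at most 253 characters in presentation form.
    Underscore labels such as _domainkey pass here but not is_hostname."""
    labels = _labels(name)
    return len(".".join(labels)) <= 253 and all(1 <= len(l) <= 63 for l in labels)


def classify(name):
    """Report which of the two rule sets a name satisfies."""
    return {"hostname": is_hostname(name), "dns_owner_name": is_dns_owner_name(name)}


if __name__ == "__main__":
    # Assumed example names; example.com is reserved for documentation.
    for n in ("mail.example.com", "selector._domainkey.example.com",
              "_dmarc.example.com", "-bad.example.com", "a" * 64 + ".example.com"):
        print(n, classify(n))
```

A DKIM selector name therefore fails `is_hostname` while passing `is_dns_owner_name`, which is exactly why it can exist in DNS although it could never be a HELO name or an MX target.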