Re: sought rules updates
Hi I have the same "problem" regards Stan Has anyone seen any updates to the sought rules lately? It seems like it's been about 4 or 5 days now since I've seen any via sa-update. -- Chris KeyID 0xE372A7DA98E6705C
Re: sought rules updates
I haven't seen an update from sa-update in months. What version is current? I have dbg: dns: 5.2.3.updates.spamassassin.org => 709395, parsed as 709395 showing here. This even after a dns crash and replace. Nigel On Tue, 9 Dec 2008 09:39:11 +0100, Leveau Stanislas <[EMAIL PROTECTED]> wrote: >Hi > >I have the same "problem" > >regards >Stan > >> Has anyone seen any updates to the sought rules lately? It seems like it's >> been about 4 or 5 days now since I've seen any via sa-update. >> >> -- >> Chris >> KeyID 0xE372A7DA98E6705C >> > >
Re: sought rules updates
the current Sought version : # UPDATE version 320722979 and spamassassin : # UPDATE version 709395 I haven't seen an update from sa-update in months. What version is current? I have dbg: dns: 5.2.3.updates.spamassassin.org => 709395, parsed as 709395 showing here. This even after a dns crash and replace. Nigel On Tue, 9 Dec 2008 09:39:11 +0100, Leveau Stanislas <[EMAIL PROTECTED]> wrote: Hi I have the same "problem" regards Stan Has anyone seen any updates to the sought rules lately? It seems like it's been about 4 or 5 days now since I've seen any via sa-update. -- Chris KeyID 0xE372A7DA98E6705C
heads up: php5 security and emergency fix
Last week, a security bullet was released about security problems with php5 prior to version 5.2.7. Yesterday, a major regression testing problem was fixed in 5.2.7, with the removal of the 5.2.7 binaries, and the emergency release of 5.2.8. (so, if you tried to upgrade, or are freebsd users trying to upgrade to 5.2.7 last night, it failed) Further, 5.2.7 (and 5.2.8) included php5-pcre libraries, so removal of pcre.so in ../php/extensions.ini is necessary to remove the cli error. Last issue, for those using spamassassin sa-compile, a warning is output when compiling php5 5.2.8, requiring re2c version at least 13.4. so, bottom line: if you upgraded to 5.2.7, you need to upgrade to 5.2.8, clean the extensions.ini file, and upgrade re2c. for freebsd users, just sync your ports tree, and run: pkg_delete -f php5-pcre\* (as per /usr/ports/UPDATING) portupgrade php5 re2c you might also want to run pkgdb -F and portupgrade php5-imap php5-zlib. -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 > *| *SECNAP Network Security Corporation * Certified SNORT Integrator * King of Spam Filters, SC Magazine 2008 * Information Security Award 2008, Info Security Products Guide * CRN Magazine Top 40 Emerging Security Vendors _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _
Re: sought rules updates
On Mon, 2008-12-08 at 20:00 -0600, Chris wrote:
> Has anyone seen any updates to the sought rules lately? It seems like it's
> been about 4 or 5 days now since I've seen any via sa-update.
I believe this is due to the recent SSL cert update for ASF svn. Changed
without a heads up in advance... :( This broke automated processes.
AFAIK Justin is aware of this, and hopefully will have fixed it
soon. :)
--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: sought rules updates
On Tue, 2008-12-09 at 08:51 +, Nigel Frankcom wrote:
> I haven't seen an update from sa-update in months. What version is
> current?
Nigel, Chris wasn't talking about the stock rule-set, but the
third-party JM_SOUGHT rules. The latter usually are updated multiple
times a day, while the stock rules are updated very infrequently only,
when needed.
> >> Has anyone seen any updates to the sought rules lately? It seems like it's
> >> been about 4 or 5 days now since I've seen any via sa-update.
--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Detecting Porn photos
A: No.
Q: Should I put my reply above quoted text?
On Mon, 2008-12-08 at 21:14 -0600, Luis Daniel Lucio Quiroz wrote:
> Has anyone try this?
>
> http://prag.diee.unica.it/n3ws1t0/imageCerberus
Luis, seriously -- what the...? Come on, why did you Cc me on that
question? I clearly stated I don't know any such thing, so my answer to
this useless question undoubtful is... No, I haven't.
Since you included a full quote, but didn't care to comment or answer
even a single bit, I can't help but understand it you do not have a
problem detecting spam, but want porn.
You'll get better help when actually reading and getting back to
follow-ups, rather than dumping random questions without getting into
any kind of conversation with us.
Real users can be annoying at times, but in my experience they usually
are at least trying to understand -- slowly I get the impression admins
are much more ignorant and stubborn. *shrug*
> On Friday 28 November 2008 09:52:22 Karsten Bräckelmann wrote:
> > On Thu, 2008-11-27 at 22:44 -0600, Luis Daniel Lucio Quiroz wrote:
> > > I wonder if there is any module for SA to detect pornographic photos, not
> > > only OCR.
> >
> > Not that I know -- and it wouldn't be easy to do...
> >
> > Anyway, unless you're just curious, it's the wrong question IMHO. The
> > real question is, why do they slip by for you. We might be able to help
> > and give some hints, if you provide some details about your setup and
> > most importantly spamples [1].
> >
> > Haven't seen porn in spam for a long time...
> >
> > guenther
> >
> >
> > [1] Full spam message including headers. Put them up a pastebin that
> > supports showing the *raw* paste or your own web server.
--
char *t="[EMAIL PROTECTED]";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Twist on Day Old Bread list idea
I think this would be a good DNS based list. It could have a slightly longer TTL than most DNS lists, as it's timeline would be generally pretty predictable. This would make the DNS caching an effective and efficient way to utilize the data. I'd like to be able to implement it such as "if the nameservers of the domain aren't in my IP range, do this test". On Wed, Dec 03, 2008 at 10:53:39AM -0500, Joseph Brennan wrote: > > > --On Tuesday, December 2, 2008 12:23 -0800 Marc Perkel <[EMAIL PROTECTED]> > wrote: > > > >You query hostkarma.junkemailfilter.com > > > >Not listed = new (new to us anyhow) > >127.0.2.1 = last day > >127.0.2.2 = last week > >127.0.2.3 = older than a week > > > >OK - so here's the rub. This catches 100% of all new domains. But - it > >will have false positives because if an old domain has never emailed > >anyone we filter for then it would also be considered new. We keep 40 > >days of data. So - this list might be useful as long as it was combined > >with additional tests (probably spambot tests) as a score enhancer. > > > It's analogous to greylisting, to say that if we have not seen this > domain in the past N days, we tempfail, or score, or something. > > However I think it would be better to have a software package that > implements this, rather than a remotely managed list, since each system > would have its own set of domains that it sees frequently (or that it > wants to whitelist permanently). > > Joseph Brennan > Columbia University Information Technology > > > -- /* Jason Philbrook | Midcoast Internet Solutions - Wireless and DSL KB1IOJ| Broadband Internet Access, Dialup, and Hosting http://f64.nu/ | for Midcoast Mainehttp://www.midcoast.com/ */
Re: Spam slipping through
On 8-Dec-2008, at 00:44, mouss wrote: DKIM is not a blacklister, but a whitelist based on if sender really use monster.com mta mail server or not :) indeed. Checking my SPAM folder it seems that a LOT of spam gets DKIM_VERIFIED I have tons that look, essentially, like this: DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=main; d=etacbase07.com; b=eVw4gychbdyZ01HyEGfBa7zjoxxjaaqVy +vHu9UeYI7+aKC971+ySnccA4klNvcBOIkAbiSgWl4YWXCn5SrkEg==; h=Received:Message-ID:Date:From:To:Subject:List-Unsubscribe:Mime- Version:Content-Type; Received: by 69.30.205.166 with SMTP id 4gki5ruu8m4116d for <*munged*>; Tue, 09 Dec 2008 13:11:33 -0600 Message-ID: <[EMAIL PROTECTED]> Date: Tue, 09 Dec 2008 13:11:34 -0600 From: "Goya Foods" <[EMAIL PROTECTED]> To: "Subscriber" <*munged*> So it looks like the only usefulness of DKIM for spam checking is really for the big mailers like gmail, paypal, ebay, etc? This message failed the SA check with a score over 11, so I'm not complaining. I have a dkim.cf that is pretty basic, I guess, but I've recently tweaked the settings a bit: score DKIM_VERIFIED -1.3 score DKIM_SIGNED1 score USER_IN_DKIM_WHITELIST -10.0 score USER_IN_DEF_DKIM_WL -3.3 score ENV_AND_HDR_DKIM_MATCH -0.7 score L_NOTVALID_GMAIL 3.0 score L_NOTVALID_PAY 10 I'm still testing these settings. -- I know that you believe you understand what you think I said but I am not sure you realize that what you heard is not what I meant.
Re: sought rules updates
On 9-Dec-2008, at 08:15, Karsten Bräckelmann wrote: On Tue, 2008-12-09 at 08:51 +, Nigel Frankcom wrote: I haven't seen an update from sa-update in months. What version is current? Nigel, Chris wasn't talking about the stock rule-set, but the third-party JM_SOUGHT rules. The latter usually are updated multiple times a day, while the stock rules are updated very infrequently only, when needed. How does one use sa-update to find/get new 3rd party rules? As I recall, rules-du-jour was EOLed. Or do you have to get them first, then sa-update will update them? I'm thtinking the old rules like random.cf tripwire.cf 70_sc_top200.cf Botnet.pm 70_sare_uri_eng.cf etc should all be removed? -- I know that you believe you understand what you think I said but I am not sure you realize that what you heard is not what I meant.
Re: sought rules updates
LuKreme wrote: > On 9-Dec-2008, at 08:15, Karsten Bräckelmann wrote: >> On Tue, 2008-12-09 at 08:51 +, Nigel Frankcom wrote: >>> I haven't seen an update from sa-update in months. What version is >>> current? >> >> Nigel, Chris wasn't talking about the stock rule-set, but the >> third-party JM_SOUGHT rules. The latter usually are updated multiple >> times a day, while the stock rules are updated very infrequently only, >> when needed. > > > How does one use sa-update to find/get new 3rd party rules? As I > recall, rules-du-jour was EOLed. > > Or do you have to get them first, then sa-update will update them? > > I'm thtinking the old rules like > > random.cf > tripwire.cf > 70_sc_top200.cf > Botnet.pm > 70_sare_uri_eng.cf > > etc should all be removed? > Both the official SA rules and 3rd party rules can be updated via sa-update. For information and instructions, see: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Bill
Re: sought rules updates
On 9-Dec-2008, at 12:48, LuKreme wrote: I'm thtinking the old rules like 70_sc_top200.cf etc should all be removed? Just to be clear, all I have currently active is: -rw-r--r-- 1 root wheel3278 Dec 9 12:30 dkim.cf -rw-r--r-- 1 root wheel1749 Dec 7 17:08 init.pre drwx-- 2 root wheel 512 Dec 7 17:24 sa-update-keys -rw-r--r-- 1 root wheel1194 Dec 7 17:23 v312.pre and I just installed dkim.cf -- I used to hate the sun, because it'd shone on everything I'd done. Made me feel that all that I had done was overfill the ashtray of my life."
Re: sought rules updates
On Mon, 8 Dec 2008, Chris wrote: Has anyone seen any updates to the sought rules lately? It seems like it's been about 4 or 5 days now since I've seen any via sa-update. Ditto here. [EMAIL PROTECTED] $ ll /var/lib/spamassassin/3.001008/sought_rules_yerp_org total 320 -rw-r--r-- 1 root root 24156 Dec 4 04:08 20_sought.cf -rw-r--r-- 1 root root 292821 Dec 4 04:08 20_sought_fraud.cf -rw-r--r-- 1 root root 29 Dec 4 04:08 MIRRORED.BY SVN is still getting commits... http://svn.apache.org/viewvc/spamassassin/rules/trunk/sandbox/jm/20_sought_fraud.cf -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- Of the twenty-two civilizations that have appeared in history, nineteen of them collapsed when they reached the moral state the United States is in now. -- Arnold Toynbee --- 6 days until Bill of Rights day
Problem with faked return-path or something like that...!
Hi there, i hope someone can help, i surfed the whole web with no answer... We are using Communigate Pro with Spamassasin, now we have a problem with specific spammail and don't know how to solve it. The spammer sends us spam e-mails which includes as "return-path" one of our mail-adressess. So we never get the spam mail, because Spamassasin deletes that message, but we gat the "Reject" Mail from our Mail-Server to the return-path adress which is as i said always one of our adressess in this spammails. The sender of this Reject-Mail is of course our own mailerdaemon, wo we can't block that generally because we need it. So the major problem is that the spammer is using faked return-path adresses, and i really don't know how we can fix that problem. Thanks for your help. -- View this message in context: http://www.nabble.com/Problem-with-faked-return-path-or-something-like-that...%21-tp20925209p20925209.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Problem with faked return-path or something like that...!
On Tue, December 9, 2008 23:37, hofmae wrote: > i hope someone can help, i surfed the whole web with no answer... problem is not the fake return path, its problem is that you bounce invalid recipient, and the spammers know that > We are using Communigate Pro with Spamassasin, now we have a problem > with specific spammail and don't know how to solve it. using postfix here > The spammer sends us spam e-mails which includes as "return-path" > one of our mail-adressess. yes > So we never get the spam mail, because Spamassasin deletes that > message, but we gat the "Reject" Mail from our Mail-Server > to the return-path adress which is as i said always one of our > adressess in this spammails. what recipient did not exists ? > The sender of this Reject-Mail is of course our own mailerdaemon, wo > we can't block that generally because we need it. if you really rejected the mail you did not have a problem > So the major problem is that the spammer is using faked return-path > adresses, and i really don't know how we can fix that problem. http://www.google.dk/search?q=Communigate+Pro+with+Spamassasin&ie=utf-8&oe=utf-8&aq=t&rls=org.gentoo:da:official&client=firefox-a some links to more info -- Benny Pedersen Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: sought rules updates
On 9-Dec-2008, at 12:58, Bill Landry wrote: Both the official SA rules and 3rd party rules can be updated via sa-update. For information and instructions, see: http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt Ah yes, I remember a lot of those from the days run rjd. Geez there's a lot of them... and they look like they are very old, with last updated dates in 2005-2006 and none newer than Aug 2007. I tried this: $ cd /etc/mail/spamassassin $ wget http://yerp.org/rules/GPG.KEY % Total% Received % Xferd Average Speed TimeTime Time Current Dload Upload Total Spent Left Speed 100 2437 100 24370 0 10583 0 --:--:-- --:--:-- --:--:-- 1291k $ sa-update --import GPG.KEY $ sa-update --channel sought.rules.yerp.org error: GPG validation failed! The update downloaded successfully, but the GPG signature verification failed. channel: GPG validation failed, channel failed (sa-update-keys/pubring.gpg does increase in size after I run the import command) -- Criticizing evolutionary theory because Darwin was limited is like claiming computers don't work because Chuck Babbage didn't foresee Duke Nukem 3.
Re: sought rules updates
On Tue, 2008-12-09 at 16:50 -0700, LuKreme wrote: > On 9-Dec-2008, at 12:58, Bill Landry wrote: > > Both the official SA rules and 3rd party rules can be updated via > > sa-update. For information and instructions, see: > > > > http://daryl.dostech.ca/sa-update/sare/sare-sa-update-howto.txt > > Ah yes, I remember a lot of those from the days run rjd. Geez there's > a lot of them... and they look like they are very old, with last > updated dates in 2005-2006 and none newer than Aug 2007. > > I tried this: > > $ cd /etc/mail/spamassassin > $ wget http://yerp.org/rules/GPG.KEY >% Total% Received % Xferd Average Speed TimeTime > Time Current > Dload Upload Total Spent > Left Speed > 100 2437 100 24370 0 10583 0 --:--:-- --:--:-- > --:--:-- 1291k > $ sa-update --import GPG.KEY > $ sa-update --channel sought.rules.yerp.org > error: GPG validation failed! > Try: sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org John. -- --- John Horne, University of Plymouth, UK Tel: +44 (0)1752 587287 E-mail: [EMAIL PROTECTED] Fax: +44 (0)1752 587001
Re: Spam slipping through
On Tue, 2008-12-09 at 12:40 -0700, LuKreme wrote: > Checking my SPAM folder it seems that a LOT of spam gets DKIM_VERIFIED > > So it looks like the only usefulness of DKIM for spam checking is > really for the big mailers like gmail, paypal, ebay, etc? The usefulness of SPF, DKIM and related technologies is for detecting *forgeries*. Its relation to spam checking is indirect at best, and is primarily for reliable whitelisting. If you know a domain or user does not send spam, and they prove the authenticity of their mail using one of these methods, then you can do a couple of things: whitelist any authenticated mail from that domain/user, and discard any unauthenticated mail from that domain/user. Paypal and banks are the canonical examples, to combat phishing. If the trustworthiness (from a spam perspective) of a domain is unknown (e.g. gmail, yahoo, and other freemail services), then knowing that a sender who claims to be from that domain is actually sending mail via that domain's servers is of limited usefulness. -- John Hardin KA7OHZhttp://www.impsec.org/~jhardin/ [EMAIL PROTECTED]FALaholic #11174 pgpk -a [EMAIL PROTECTED] key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79 --- You do not examine legislation in the light of the benefits it will convey if properly administered, but in the light of the wrongs it would do and the harms it would cause if improperly administered. -- Lyndon B. Johnson --- 6 days until Bill of Rights day
google groups abuse for spam
I got a spam with just a link to a google groups page https://ecm.netcore.co.in/tmp/spam_google.txt Now I am scoring all mails with links to groups.google but (may not be a gr8 idea though )
Re: sought rules updates
On 9-Dec-2008, at 17:09, John Horne wrote: Try: sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org Ok, that gives me no error (where did you find/get the 6C6191E3?). It sits for about 20-30 seconds and then I get a prompt back. But as far as I can tell, nothing has changed. There is no new .cf file in /etc/ mail/spamassassin (which is a link /etc/mail/spamassassin -> ../../usr/ local/etc/mail/spamassassin if that matters), for example. -- These are the thoughts that kept me out of the really good schools. -- George Carlin
Re: 1000 times easier to just do sa-update --nogpg
On 5-Sep-2008, at 15:32, mouss wrote: curl -o sa.gpg http://spamassassin.apache.org/updates/GPG.KEY echo "24F434CE" >> gpg.keys sa-update --import sa.gpg echo "updates.spamassassin.org" >> channel.list curl -o jm.gpg http://yerp.org/rules/GPG.KEY echo "6C6191E3" >> gpg.keys sa-update --import jm.gpg echo "sought.rules.yerp.org" >> channel.list curl -o sare.gpg http://daryl.dostech.ca/sa-update/sare/GPG.KEY echo "856AA88A" >> gpg.keys sa-update --import sare.gpg #echo "" >> channel.list The three lines that are echo "HEXCODE" >> gpg.keys are the issue for me, I guess. Where do those numbers come from? -- 'How do you know I'm mad?' said Alice 'You must be' said the Cat 'or you wouldn't have come here.'
Re: 1000 times easier to just do sa-update --nogpg
On Tue, Dec 09, 2008 at 10:54:23PM -0700, LuKreme wrote: > >echo "24F434CE" >> gpg.keys > >echo "6C6191E3" >> gpg.keys > >echo "856AA88A" >> gpg.keys > > The three lines that are echo "HEXCODE" >> gpg.keys are the issue for > me, I guess. Where do those numbers come from? They're the keyids for the given channels you're using. The channel publishers should state the keyid in use for the channel. You need to specify them so that when sa-update checks the signature on the update file, it will know what keyid to consider valid, which protects you from someone else creating a channel update file and signing it with another random key. -- Randomly Selected Tagline: "I've always tried to teach you two things. Never let them see you bleed, always have an escape plan." - Q in "The World is Not Enough" pgp9AX5qHLwiq.pgp Description: PGP signature
Re: 1000 times easier to just do sa-update --nogpg
On 9-Dec-2008, at 23:11, Theo Van Dinter wrote: On Tue, Dec 09, 2008 at 10:54:23PM -0700, LuKreme wrote: curl -o sa.gpg http://spamassassin.apache.org/updates/GPG.KEY echo "24F434CE" >> gpg.keys sa-update --import sa.gpg echo "updates.spamassassin.org" >> channel.list The three lines that are echo "HEXCODE" >> gpg.keys are the issue for me, I guess. Where do those numbers come from? They're the keyids for the given channels you're using. The channel publishers should state the keyid in use for the channel. You need to specify them so that when sa-update checks the signature on the update file, it will know what keyid to consider valid, which protects you from someone else creating a channel update file and signing it with another random key. Ok, where in those directions are you supposed to find the keyid? -- Growing up leads to growing old, and then to dying/And dying to me don't sound like all that much fun.
Re: sought rules updates
On Tue, 9 Dec 2008, LuKreme wrote: (where did you find/get the 6C6191E3?). Not too hard: Do a search for 'sought' on the SA wiki page (which is linked off of http://spamassassin.apache.org/): http://wiki.apache.org/spamassassin/ The very first link provided this: http://wiki.apache.org/spamassassin/SoughtRules?highlight=%28sought%29 Following the link stating: "Here are instructions on how to use it." it states this: sudo sa-update \ --gpgkey 6C6191E3 --channel sought.rules.yerp.org
