Re: Problem with faked return-path or something like that...!

2008-12-10 Thread support
Preempting some responses:
What about external remote workers? 
What about those who email stuff to themselves? 
I hear this kind of thing all the time when people moan about spoofing.

On Wed, 2008-12-10 at 12:19 -0500, Kevin Parris wrote:
> You do not have a SpamAssassin problem, you have a Communigate problem.  
> Present this issue to your support resources for that product.
> 
> The basics of what you want to do are something like this:
> 
> When a message is arriving from the internet, and has your own domain in the 
> Return-path, it should be REJECTED immediately.  The detection of this 
> condition, and the Rejecting of the message, should occur entirely within 
> Communigate so that the item does not survive long enough to be presented to 
> SA for analysis.
> 
>  
> 
> > On Tue, December 9, 2008 23:37, hofmae wrote:
> >> We are using Communigate Pro with SpamAssassin, now we have a problem
> >> with specific spam mail and don't know how to solve it.
> 
> >> The spammer sends us spam e-mails which include as "return-path"
> >> one of our mail addresses.
> 
> 
> 




Re: sought rules updates

2008-12-10 Thread James Wilkinson
LuKreme wrote:
> I read the man page, where there is no mention of how to obtain this  
> number. In fact, I read many posts, and many webpages and have still not 
> found that information.  I've seen the IDs in others posts, sure, but 
> where do they originate?
>
> Even searching the wiki (which just links to the previously linked 
> http://taint.org/2007/08/15/004348a.html) is merely a "here's the 
> random-looking digits you pass to --gpgkey" and not a "here's what the 
> --gpgkey is, means, and how it's generated".

These numbers are a way of identifying those keys. They are a
cryptographically strong hash: the idea is that it’s easy for users to
use numbers that short to confirm that the key they’ve received is the
key they thought they were receiving, and very difficult for any
attacker to generate another key with the same hash.

> Why doesn't sa-learn simply trust the keys that are added to its  
> keychain without this extra (and at least for me, confusing) step? I'm  
> starting to think the simplest way to do this is just ignore the gpg  
> flags entirely and use --nogpg.  What's the downside to this (other than 
> the obvious DNS hijacking to point the URL to some spammer site with bad 
> data which seems a remote enough chance to ignore).

That’s your choice.

Hope this helps,

James.
-- 
E-mail: james@ | “Right lads, we’ve got 45 minutes to score 37 goals.
aprilcottage.co.uk | No problem with that -- the other team just did.”


Re: sought rules updates

2008-12-10 Thread LuKreme

On 10-Dec-2008, at 22:18, SM wrote:

At 20:39 10-12-2008, LuKreme wrote:

And the source of that number is, evidently, a complete mystery.
That's my point.  I've seen lots of instructions like this:

# wget http://somesite.tld/somepath/GPG.KEY
# sudo sa-update --import GPG.KEY
# sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld

where the '0E28B3DC' has just magically appeared as if created from
the ether.


Once you have imported the key, you can use gpg --list-keys to find  
the key ID.


AHA!  That's the crucial step I was missing and no one seemed able to  
provide.  Thank You!  There's progress at least:


I ssh to the server and then I sudo su (so I am sure I have discarded  
my own login environment, I do not normally do this)


mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
gpg: error reading key: No public key

At least on my FreeBSD, there's no man page for gpg, and the --help  
doesn't point out anything obvious.  If I run it without specifying a  
file, I get this:


mail# gpg -k
/root/.gnupg/pubring.gpg

pub   1024D/11F63C51 2002-02-28
uid  Jamie Cameron <[EMAIL PROTECTED]>
sub   1024g/1B24BE83 2002-02-28

By adding the key to the keychain, you are trusting it.  The  
security part is that you can verify whether the signer generated  
the updates.  Even if the host is compromised, you are "safe" as  
long as the private key is secure and the signer still has your trust.


Riiight, but the public key I put in the keychain does all that, no?   
I'm still unclear on how the --gpgkey makes it more secure.  If the  
file is signed, the signature is checked against the public key that I  
have in pubring.gpg.  What does the gpgkey do?


--
I want a party where all the women wear new dresses and all the men
drink beer. -- Jason Gaes



Re: google groups abuse for spam

2008-12-10 Thread ram

On Wed, 2008-12-10 at 13:09 +, Ned Slider wrote:
> ram wrote:
> > I got a spam with just a link to a google groups page
> > 
> > https://ecm.netcore.co.in/tmp/spam_google.txt
> > 
> > 
> > Now I am scoring all mails with links to groups.google but 
> > (may not be a great idea though)
> > 
> 
> Bayes training may help :)
> 
> Google's Notebook is currently being abused too. See here:
> 
> http://www.marshal.com/trace/traceitem.asp?article=835


Google should have better interfaces to report abuse; that is the minimum
they could do.

I tried reporting a Google group ... there is no specific page that
Google has for this.










Re: sought rules updates

2008-12-10 Thread SM

At 20:39 10-12-2008, LuKreme wrote:

And the source of that number is, evidently, a complete mystery.
That's my point.  I've seen lots of instructions like this:

# wget http://somesite.tld/somepath/GPG.KEY
# sudo sa-update --import GPG.KEY
# sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld

where the '0E28B3DC' has just magically appeared as if created from
the ether.


Once you have imported the key, you can use gpg --list-keys to find the key ID.


Do you see that there is a crucial step missing there?  Where did that


Yes.


gpgkey value come from?  If it wasn't provided in these instructions
(like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but
hadn't yet discovered the page that had the magic hex code), how do
you find it?  Can you generate it?  Is it simply a hash of the gpg
keyfile, or something else?


The key ID is the low order 64 bits of the fingerprint.


It's a bit of "hey, now just fill in this number we hopefully have
given you.  Don't worry about what it means, or how it works, or where
it came from. Just copy&paste and you'll be fine."

Strangely enough, that does not fill me with the highest degree of
confidence.  Not much more so than --nogpg.


That's not the right way to do it if we are concerned about trust 
relationships.  As you said, unless you have confidence in what is 
published on the webpage, it's like running sa-update with the 
--nogpg parameter.



gpgkey.  I've added the key to the keychain as a trusted key, that is
enough to make it secure.  How is this 8 digit hex code making
anything any more secure?


By adding the key to the keychain, you are trusting it.  The security 
part is that you can verify whether the signer generated the 
updates.  Even if the host is compromised, you are "safe" as long as 
the private key is secure and the signer still has your trust.


Regards,
-sm 
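Where the number actually comes from, as an added example (not code from sa-update or GnuPG): for a V4 OpenPGP key the fingerprint is the SHA-1 hash over the public-key packet body, prefixed with the byte 0x99 and the two-byte body length (RFC 4880, section 12.2). The 16-hex-digit long key ID is the low 64 bits of that fingerprint, and the 8-hex-digit short ID that the sa-update examples pass to --gpgkey is the low 32 bits. The RSA modulus and exponent below are constructed dummy values, not a real key, and the packet builder exists only so the example runs offline. The caveat the short form implies: 32 bits are few enough that a second key with the same short ID can be manufactured, so compare the full fingerprint against the publisher's out-of-band copy before importing, and treat --gpgkey as the selector for a key you have already verified rather than as the verification itself.

```python
"""
Derive an OpenPGP V4 fingerprint and the short/long key IDs from a
public-key packet (RFC 4880, section 12.2).  Added example, not code
from sa-update or GnuPG.  Key material is constructed, not a real key.
"""
import hashlib
import struct

PUBLIC_KEY_TAG = 6  # RFC 4880 section 4.3: Public-Key Packet


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-byte bit length, then big-endian bytes."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def build_v4_rsa_public_key(creation_time: int, n: int, e: int) -> bytes:
    """Build a complete V4 RSA public-key packet with an old-format header.

    Body: version(1) || creation time(4) || algorithm(1, 1 = RSA) || MPI(n) || MPI(e).
    Header: old-format CTB with tag 6 and a two-byte length, which is 0x99 and
    is exactly the byte the fingerprint hash is seeded with.
    """
    body = bytes([4]) + struct.pack(">I", creation_time) + bytes([1]) + mpi(n) + mpi(e)
    ctb = 0x80 | (PUBLIC_KEY_TAG << 2) | 0x01  # 0x99
    return bytes([ctb]) + struct.pack(">H", len(body)) + body


def parse_old_format_packet(packet: bytes) -> tuple[int, bytes]:
    """Split an old-format packet into (tag, body); handles 1-, 2- and 4-byte lengths."""
    ctb = packet[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("not an old-format OpenPGP packet header")
    tag = (ctb >> 2) & 0x0F
    length_type = ctb & 0x03
    if length_type == 0:
        length, offset = packet[1], 2
    elif length_type == 1:
        length, offset = struct.unpack(">H", packet[1:3])[0], 3
    elif length_type == 2:
        length, offset = struct.unpack(">I", packet[1:5])[0], 5
    else:
        raise ValueError("indeterminate-length packets are not handled here")
    body = packet[offset:offset + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99 || two-byte body length || body, as upper-case hex (40 digits)."""
    if body[:1] != b"\x04":
        raise ValueError("only V4 keys are handled here")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()
    return digest.upper()


def key_ids(fingerprint: str) -> dict[str, str]:
    """Long ID = low 64 bits (last 16 hex digits); short ID = low 32 bits (last 8)."""
    return {"long": fingerprint[-16:], "short": fingerprint[-8:]}


def describe_key(packet: bytes) -> dict[str, str]:
    """What `gpg --list-keys` would show for this packet: fingerprint and both IDs."""
    tag, body = parse_old_format_packet(packet)
    if tag != PUBLIC_KEY_TAG:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    fpr = v4_fingerprint(body)
    return {"fingerprint": fpr, **key_ids(fpr)}


# Constructed dummy key: a 1024-bit odd number as "modulus" and e = 65537.
DUMMY_N = (1 << 1023) | 0x1234_5678_9ABC_DEF1
DUMMY_E = 65537
DUMMY_PACKET = build_v4_rsa_public_key(0x4940_0000, DUMMY_N, DUMMY_E)

if __name__ == "__main__":
    info = describe_key(DUMMY_PACKET)
    print("fingerprint:", info["fingerprint"])
    print("long key ID: ", info["long"])
    print("short key ID (--gpgkey style):", info["short"])
```

Run it and the last printed value has the same shape as the '0E28B3DC' or '6C6191E3' in the instructions quoted above: it is simply the tail of the fingerprint, which is why `gpg --list-keys` (or `gpg --fingerprint`) on the imported key shows it without any extra step.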



Re: sought rules updates

2008-12-10 Thread LuKreme

On 10-Dec-2008, at 20:36, SM wrote:

At 13:51 10-12-2008, LuKreme wrote:

I read the man page, where there is no mention of how to obtain this
number. In fact, I read many posts, and many webpages and have still
not found that information.  I've seen the IDs in others posts, sure,
but where do they originate?


sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of  
the updates.  The Sought rules webpage mentions how to download the  
GPG key.  If you want to understand how GPG works or how to use GPG  
keys, you should read the GPG documentation.


Yes, downloading the key is not the issue.

Even searching the wiki (which just links to the previously linked
http://taint.org/2007/08/15/004348a.html) is merely a "here's the
random-looking digits you pass to --gpgkey"
and not a "here's what the --gpgkey is, means, and how it's
generated".


The gpgkey parameter for sa-update specifies which GPG key ID should  
be trusted to sign the updates.  You can use the gpg command to find  
out what the key ID is.  That's not a random number;


I said 'random looking'


it's a hexadecimal number which identifies the key.


And the source of that number is, evidently, a complete mystery.   
That's my point.  I've seen lots of instructions like this:


# wget http://somesite.tld/somepath/GPG.KEY
# sudo sa-update --import GPG.KEY
# sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld

where the '0E28B3DC' has just magically appeared as if created from  
the ether.


Do you see that there is a crucial step missing there?  Where did that  
gpgkey value come from?  If it wasn't provided in these instructions  
(like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but  
hadn't yet discovered the page that had the magic hex code), how do  
you find it?  Can you generate it?  Is it simply a hash of the gpg  
keyfile, or something else?


It's a bit of "hey, now just fill in this number we hopefully have  
given you.  Don't worry about what it means, or how it works, or where  
it came from. Just copy&paste and you'll be fine."


Strangely enough, that does not fill me with the highest degree of  
confidence.  Not much more so than --nogpg.


Because sa-update is designed to provide updates in a secure way.   
If you want the simplest way, you can ignore these steps and face  
the consequences when something goes wrong.


Oddly enough, I am able to encrypt emails, sign emails, verify signed  
mails,  login to ssh ports on remote servers and do a whole host of  
secure things without ever having encountered anything like this  
gpgkey.  I've added the key to the keychain as a trusted key, that is  
enough to make it secure.  How is this 8 digit hex code making  
anything any more secure?


--
I know that you believe you understand what you think I said but I
am not sure you realize that what you heard is not what I
meant.



Re: Spam slipping through

2008-12-10 Thread LuKreme

On 10-Dec-2008, at 16:01, mouss wrote:

> while the whitelisting part is ok, the "blacklisting" part is risky:
> - they could mess up with their dns config during an update or they
> could add a new MTA, or reconfigure their MTA and "forget" to pass
> through the dkim signing application...
>
> - they may want to allow some of their users to post via their ISP,
> hotel,
>
> - ...
>
> so 5 is a little too high.

Ah, gotcha.  I am scoring whitelist at -5 though, so a 5 still puts  
them at 0.  Without other spam tags, they should still pass, no?

On 10-Dec-2008, at 16:52, Benny Pedersen wrote:

> On Wed, December 10, 2008 23:16, LuKreme wrote:
>
>> Which would, I think, score them a full 5 points up for failing
>> DKIM, but give them a negative score from USER_IN_DKIM_WHITELIST?
>
> try:
>
> def_whitelist_auth [EMAIL PROTECTED]
> whitelist_auth [EMAIL PROTECTED]
>
> why have the extra step with add score for not verified ?

Because, let's say company.tld is mybank.tld and messages that fail to  
pass the check should be tagged up, right?


--
Strange things are afoot at the Circle K



Re: sought rules updates

2008-12-10 Thread SM

At 13:51 10-12-2008, LuKreme wrote:

I read the man page, where there is no mention of how to obtain this
number. In fact, I read many posts, and many webpages and have still
not found that information.  I've seen the IDs in others posts, sure,
but where do they originate?


sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of 
the updates.  The Sought rules webpage mentions how to download the 
GPG key.  If you want to understand how GPG works or how to use GPG 
keys, you should read the GPG documentation.


Even searching the wiki (which just links to the previously linked 
http://taint.org/2007/08/15/004348a.html) is merely a "here's the 
random-looking digits you pass to --gpgkey"
and not a "here's what the --gpgkey is, means, and how it's generated".


The gpgkey parameter for sa-update specifies which GPG key ID should 
be trusted to sign the updates.  You can use the gpg command to find 
out what the key ID is.  That's not a random number; it's a 
hexadecimal number which identifies the key.



Why doesn't sa-learn simply trust the keys that are added to its
keychain without this extra (and at least for me, confusing) step? I'm
starting to think the simplest way to do this is just ignore the gpg
flags entirely and use --nogpg.  What's the downside to this (other
than the obvious DNS hijacking to point the URL to some spammer site
with bad data which seems a remote enough chance to ignore).


Because sa-update is designed to provide updates in a secure way.  If 
you want the simplest way, you can ignore these steps and face the 
consequences when something goes wrong.


Regards,
-sm 



RE: sought rules updates

2008-12-10 Thread RobertH

> 
> Right. I removed most if not all of the SARE rules on most 
> machines some months ago with no ill effects.
> 
> Kai

what ones did you keep? if you recall, any particular reason why?

 - rh



Re: Spam slipping through

2008-12-10 Thread Benny Pedersen

On Wed, December 10, 2008 23:16, LuKreme wrote:

> Which would, I think, score them a full 5 points up for failing
> DKIM, but give them a negative score from USER_IN_DKIM_WHITELIST?

try:

def_whitelist_auth [EMAIL PROTECTED]
whitelist_auth [EMAIL PROTECTED]

why have the extra step with add score for not verified ?

another way is:

whitelist_auth [EMAIL PROTECTED]
unwhitelist_auth [EMAIL PROTECTED]

not tested  here but should work in the config

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: sought rules updates

2008-12-10 Thread Kai Schaetzl

LuKreme wrote on Wed, 10 Dec 2008 14:51:47 -0700:

> I read the man page, where there is no mention of how to obtain this  
> number. In fact, I read many posts, and many webpages and have still  
> not found that information.  I've seen the IDs in others posts, sure,  
> but where do they originate?

I'm not an expert on this. You need something to identify a key. This is 
probably some hash derived from the key (by means of some gpg tool).

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Spam slipping through

2008-12-10 Thread mouss
LuKreme wrote:
> On 10-Dec-2008, at 12:10, Kelson wrote:
>> Successful sender verification ALONE doesn't tell you much, because it
>> doesn't distinguish between a legit sender who uses DKIM and a spammer
>> who uses DKIM (or a spammer abusing a large sender).  This is why the
>> default scores on DKIM_VERIFIED and DKIM_SIGNED are just enough to
>> track the rule, and not enough to significantly affect the score
> 
> Thank you (and you too, mouss) for the explanation, this does make a lot
> of sense now.  I guess I need to go through all my mail and find the
> DKIM info for the good sites.
> 
> Given that I get mail from company.tld and they used DKIM and I trust it
> if it passes, and given that company.tld is a company where I am getting
> mail from their employees and not from their clients (like not an ISP),
> does this look about right:
> 
> whitelist_from_dkim [EMAIL PROTECTED]
> whitelist_from_dkim [EMAIL PROTECTED]
> header __L_FROM_CTLD From:addr =~ /[EMAIL PROTECTED]/mi
> meta L_NOTVALID_CTLD !DKIM_VERIFIED && __L_FROM_CTLD
> score L_NOTVALID_CTLD 5
> 
> Which would, I think, score them a full 5 points up for failing DKIM,
> but give them a negative score from USER_IN_DKIM_WHITELIST?

while the whitelisting part is ok, the "blacklisting" part is risky:
- they could mess up with their dns config during an update or they
could add a new MTA, or reconfigure their MTA and "forget" to pass
through the dkim signing application...

- they may want to allow some of their users to post via their ISP, hotel,

- ...

so 5 is a little too high.

I see yahoo mail failing verification (and yes, it is legit mail sent by
a yahoo user via yahoo. no forgery or anything). That should tell you
something ;-p


> 
> And I assume that the dkim.cf that was in /etc/mail/spamassassin/ should
> be in /var/db/spamassassin/3.002.005/ instead?
> 

no. it's your file, so leave it in your "site rules directory"
(/etc/ apparently). /var/{db|lib}/spamassassin/ is for automatic
updates.



Re: sought rules updates

2008-12-10 Thread mouss
LuKreme wrote:
> On 10-Dec-2008, at 01:31, Kai Schaetzl wrote:
>> Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 + (UTC):
>>> Do a search for 'sought' on the SA wiki page
>>
>> and read the documentation on sa-update before you ask again ;-)
> 
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still not
> found that information.  I've seen the IDs in others posts, sure, but
> where do they originate?
> 
> Even searching the wiki (which just links to the previously linked
> http://taint.org/2007/08/15/004348a.html )is merely a "here's the
> random-looking digits you pass to --gpgkey" and not a "here's what the
> --gpgkey is, means, and how it's generated".
> 
> Why doesn't sa-learn simply trust the keys that are added to its
> keychain without this extra (and at least for me, confusing) step? I'm
> starting to think the simplest way to do this is just ignore the gpg
> flags entirely and use --nogpg.  What's the downside to this (other than
> the obvious DNS hijacking to point the URL to some spammer site with bad
> data which seems a remote enough chance to ignore).
> 

I use a script and a config file to do all this stuff:

http://www.netoyen.net/sa/sa-update.sh.txt
http://www.netoyen.net/sa/channel.conf

so my cron has: /usr/local/bin/sa-update.sh > /dev/null

(paths and the restart command (I use amavisd) must be adjusted).

I have been thinking of modifying sa-update directly...


Re: Spam slipping through

2008-12-10 Thread LuKreme

On 10-Dec-2008, at 12:10, Kelson wrote:
Successful sender verification ALONE doesn't tell you much, because  
it doesn't distinguish between a legit sender who uses DKIM and a  
spammer who uses DKIM (or a spammer abusing a large sender).  This  
is why the default scores on DKIM_VERIFIED and DKIM_SIGNED are just  
enough to track the rule, and not enough to significantly affect the  
score


Thank you (and you too, mouss) for the explanation, this does make a  
lot of sense now.  I guess I need to go through all my mail and find  
the DKIM info for the good sites.


Given that I get mail from company.tld and they used DKIM and I trust  
it if it passes, and given that company.tld is a company where I am  
getting mail from their employees and not from their clients (like not  
an ISP), does this look about right:


whitelist_from_dkim [EMAIL PROTECTED]
whitelist_from_dkim [EMAIL PROTECTED]
header __L_FROM_CTLD From:addr =~ /[EMAIL PROTECTED]/mi
meta L_NOTVALID_CTLD !DKIM_VERIFIED && __L_FROM_CTLD
score L_NOTVALID_CTLD 5

Which would, I think, score them a full 5 points up for failing DKIM,  
but give them a negative score from USER_IN_DKIM_WHITELIST?


And I assume that the dkim.cf that was in /etc/mail/spamassassin/  
should be in /var/db/spamassassin/3.002.005/ instead?


--
The trouble with being a god is that you've got no one to pray to.



Re: sought rules updates

2008-12-10 Thread LuKreme

On 10-Dec-2008, at 01:31, Kai Schaetzl wrote:

Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 + (UTC):

Do a search for 'sought' on the SA wiki page


and read the documentation on sa-update before you ask again ;-)


I read the man page, where there is no mention of how to obtain this  
number. In fact, I read many posts, and many webpages and have still  
not found that information.  I've seen the IDs in others posts, sure,  
but where do they originate?


Even searching the wiki (which just links to the previously linked
http://taint.org/2007/08/15/004348a.html) is merely a "here's the
random-looking digits you pass to --gpgkey"
and not a "here's what the --gpgkey is, means, and how it's generated".


Why doesn't sa-learn simply trust the keys that are added to its  
keychain without this extra (and at least for me, confusing) step? I'm  
starting to think the simplest way to do this is just ignore the gpg  
flags entirely and use --nogpg.  What's the downside to this (other  
than the obvious DNS hijacking to point the URL to some spammer site  
with bad data which seems a remote enough chance to ignore).


--
Advance and attack! Attack and destroy! Destroy and rejoice!



Re: Spam slipping through

2008-12-10 Thread mouss
LuKreme wrote:
> On 8-Dec-2008, at 00:44, mouss wrote:
>>> DKIM is not a blacklister, but a whitelist based on if sender really
>>> use monster.com mta mail server or not :)
>>>
>> indeed.
> 
> 
> Checking my SPAM folder it seems that a LOT of spam gets DKIM_VERIFIED
> 
> I have tons that look, essentially, like this:
> 
> DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>  s=main; d=etacbase07.com;
>  b=eVw4gychbdyZ01HyEGfBa7zjoxxjaaqVy+vHu9UeYI7+aKC971+ySnccA4klNvcBOIkAbiSgWl4YWXCn5SrkEg==;
>  h=Received:Message-ID:Date:From:To:Subject:List-Unsubscribe:Mime-Version:Content-Type;
> Received: by 69.30.205.166 with SMTP id 4gki5ruu8m4116d
>   for <*munged*>; Tue, 09 Dec 2008 13:11:33 -0600
> Message-ID: <[EMAIL PROTECTED]>
> Date: Tue, 09 Dec 2008 13:11:34 -0600
> From: "Goya Foods" <[EMAIL PROTECTED]>
> To: "Subscriber" <*munged*>
> 
> So it looks like the only usefulness of DKIM for spam checking is really
> for the big mailers like gmail, paypal, ebay, etc?  This message failed
> the SA check with a score over 11, so I'm not complaining.
> 


If someone says: I'm Joe. then I don't care if he lies or not, unless
"being Joe" means something to me. so if I get mail from
[EMAIL PROTECTED], dkim and dk signed, spf pass, great helo, nice looking
IP, ... etc. I don't care about all this stuff. I check the content.

If someone says: I'm your mother. then I'll ask to see his hand (sorry, I
don't know the name of the story in English. if you can read French,
check
http://satamania-bar.bbflash.net/conte-et-raconte-f5/le-loup-la-chevre-et-les-7-biquets-t908.htm
)

so yes, dkim is a whitelist mechanism that allows you to whitelist known
"names" when they sign their mail with a verifiable signature. it
doesn't mean you can trust any dkim-signed mail (because anybody can
sign his mail) nor that non-signed mail is bad (even yahoo sends
unsigned mail) nor that a bad signature is bad (I've seen broken sigs
from yahoo).


> I have a dkim.cf that is pretty basic, I guess, but I've recently
> tweaked the settings a bit:
> 
> score DKIM_VERIFIED -1.3
> score DKIM_SIGNED 1
> score USER_IN_DKIM_WHITELIST -10.0
> score USER_IN_DEF_DKIM_WL -3.3
> score ENV_AND_HDR_DKIM_MATCH -0.7
> score L_NOTVALID_GMAIL 3.0
> score L_NOTVALID_PAY 10
> 
> I'm still testing these settings.
> 



Re: sought rules updates

2008-12-10 Thread mouss
John Horne wrote:
> On Tue, 2008-12-09 at 22:54 -0700, LuKreme wrote:
>> On 9-Dec-2008, at 17:09, John Horne wrote:
>>> Try:
>>>
>>>sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
>> Ok, that gives me no error (where did you find/get the 6C6191E3?). It  
>> sits for about 20-30 seconds and then I get a prompt back.  But as far  
>> as I can tell, nothing has changed.  There is no new .cf file in /etc/ 
>> mail/spamassassin (which is a link /etc/mail/spamassassin -> ../../usr/ 
>> local/etc/mail/spamassassin if that matters), for example.
>>
> Look in '/var/lib/spamassassin/3*' within there there should be a new
> subdirectory and .cf file.
> 


let's avoid a "linux domination fast, resistance is futile" move ;-p

the directory is

${base}/spamassassin/${version}/

where:

${base} is /var/lib on linux, /var/db on BSD, and something else
elsewhere. (who said C:\Progra~\ ?)

and

${version} is a perl-style version id (i.e. padded with zeros). so it is
3.002005 for 3.2.5.



Re: Spam slipping through

2008-12-10 Thread Kelson

LuKreme wrote:
So it looks like the only usefulness of DKIM for spam checking is really 
for the big mailers like gmail, paypal, ebay, etc?


A pass on DKIM (or any other sender verification system ) is useful for 
any mailer that you *recognize*, regardless of size.


Trivial example: If you regularly do business with SmallCorp, and you 
know they sign their mail using DKIM, you can whitelist those messages 
that claim to be them and come through with a verified DKIM signature.


Successful sender verification ALONE doesn't tell you much, because it 
doesn't distinguish between a legit sender who uses DKIM and a spammer 
who uses DKIM (or a spammer abusing a large sender).  This is why the 
default scores on DKIM_VERIFIED and DKIM_SIGNED are just enough to track 
the rule, and not enough to significantly affect the score


Combine it with a reputation system for those domains, even one as 
simple as a bunch of whitelist_from_dkim rules in your local.cf, and it 
becomes a powerful whitelisting & blacklisting tool.


--
Kelson Vibber
SpeedGate Communications 


Re: Problem with faked return-path or something like that...!

2008-12-10 Thread Kevin Parris
You do not have a SpamAssassin problem, you have a Communigate problem.  
Present this issue to your support resources for that product.

The basics of what you want to do are something like this:

When a message is arriving from the internet, and has your own domain in the 
Return-path, it should be REJECTED immediately.  The detection of this 
condition, and the Rejecting of the message, should occur entirely within 
Communigate so that the item does not survive long enough to be presented to SA 
for analysis.

 

> On Tue, December 9, 2008 23:37, hofmae wrote:
>> We are using Communigate Pro with SpamAssassin, now we have a problem
>> with specific spam mail and don't know how to solve it.

>> The spammer sends us spam e-mails which include as "return-path"
>> one of our mail addresses.




RE: sought rules updates

2008-12-10 Thread Bowie Bailey
[EMAIL PROTECTED] wrote:
> Karsten Bräckelmann writes:
> > On Mon, 2008-12-08 at 20:00 -0600, Chris wrote:
> > > Has anyone seen any updates to the sought rules lately? It seems
> > > like it's been about 4 or 5 days now since I've seen any via
> > > sa-update. 
> > 
> > I believe this is due to the recent SSL cert update for ASF svn.
> > Changed without a heads up in advance... :(  This broke automated
> > processes. 
> > 
> > AFAIK Justin is aware of this, and hopefully will have fixed it
> > soon. :)
> 
> this should be fixed now, I think...
> 
> --j.

Working here.

Thanks!

-- 
Bowie


Re: Inconsistent RBL checks

2008-12-10 Thread Matus UHLAR - fantomas
On 08.12.08 19:09, James Grant wrote:
> Hi all, I've run into a weird situation where spamassassin will (seemingly 
> randomly) only do certain RBL checks. 
[...]
> I've done it with spamd in debug mode and there's never any warnings or 
> errors about it not doing certain checks, it seems to just leave them out.
> 
> Any thoughts on why this might happen?

did you play with rbl_timeout?

-- 
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I intend to live forever - so far so good. 


Re: google groups abuse for spam

2008-12-10 Thread Ned Slider

ram wrote:

I got a spam with just a link to a google groups page

https://ecm.netcore.co.in/tmp/spam_google.txt


Now I am scoring all mails with links to groups.google but 
(may not be a great idea though)




Bayes training may help :)

Google's Notebook is currently being abused too. See here:

http://www.marshal.com/trace/traceitem.asp?article=835

If I add a custom rule I tend to score stuff like this quite low, as 
much as an informational rule to get a handle on how big the issue is at 
any given time.




Re: heads up: php5 security and emergency fix

2008-12-10 Thread Michael Scheidell

this gets me 62 pages:

php5 5.2.7 mq bug


ram wrote:

On Tue, 2008-12-09 at 07:38 -0500, Michael Scheidell wrote:
  
Last week, a security bullet was released about security problems with 
php5 prior to version 5.2.7.
Yesterday, a major regression testing problem was fixed in 5.2.7, with 
the removal of the 5.2.7 binaries, and the emergency release of 5.2.8.





Any reference links , I tried to google. Didnt get any 

  


--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
| SECNAP Network Security Corporation

   * Certified SNORT Integrator
   * King of Spam Filters, SC Magazine 2008
   * Information Security Award 2008, Info Security Products Guide
   * CRN Magazine Top 40 Emerging Security Vendors



Re: sought rules updates

2008-12-10 Thread Ned Slider

Justin Mason wrote:

Karsten Bräckelmann writes:

On Mon, 2008-12-08 at 20:00 -0600, Chris wrote:
Has anyone seen any updates to the sought rules lately? It seems like it's 
been about 4 or 5 days now since I've seen any via sa-update.

I believe this is due to the recent SSL cert update for ASF svn. Changed
without a heads up in advance... :(  This broke automated processes.

AFAIK Justin is aware of this, and hopefully will have fixed it
soon. :)


this should be fixed now, I think...

--j.



Yes, working here now. Thank you Justin :)




Re: sought rules updates

2008-12-10 Thread Justin Mason

Karsten Bräckelmann writes:
> On Mon, 2008-12-08 at 20:00 -0600, Chris wrote:
> > Has anyone seen any updates to the sought rules lately? It seems like it's 
> > been about 4 or 5 days now since I've seen any via sa-update.
> 
> I believe this is due to the recent SSL cert update for ASF svn. Changed
> without a heads up in advance... :(  This broke automated processes.
> 
> AFAIK Justin is aware of this, and hopefully will have fixed it
> soon. :)

this should be fixed now, I think...

--j.


Re: sought rules updates

2008-12-10 Thread John Horne
On Tue, 2008-12-09 at 22:54 -0700, LuKreme wrote:
> On 9-Dec-2008, at 17:09, John Horne wrote:
> > Try:
> >
> >sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
> 
> Ok, that gives me no error (where did you find/get the 6C6191E3?). It  
> sits for about 20-30 seconds and then I get a prompt back.  But as far  
> as I can tell, nothing has changed.  There is no new .cf file in /etc/ 
> mail/spamassassin (which is a link /etc/mail/spamassassin -> ../../usr/ 
> local/etc/mail/spamassassin if that matters), for example.
> 
Look in '/var/lib/spamassassin/3*' within there there should be a new
subdirectory and .cf file.



John.

-- 
---
John Horne, University of Plymouth, UK  Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]   Fax: +44 (0)1752 587001


Re: heads up: php5 security and emergency fix

2008-12-10 Thread Kai Schaetzl
Ram wrote on Wed, 10 Dec 2008 14:48:23 +0530:

> Any reference links , I tried to google. Didnt get any

php.net

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Problem with faked return-path or something like that...!

2008-12-10 Thread mouss
hofmae wrote:
> Hi,
> 
> thanks a lot.
> 
> but that didn't solve anything...
> 
> We need the mailer daemon, we cannot just deactivate it.
> 
> I think the main problem is that there is one of our addresses in the
> return-path. That's wrong I think, because the spammer sends a spam mail with
> one of our addresses in the return-path. The actual spam mail we don't get
> to see...
> 
> Would be great if someone has an idea for us...
> 


Do not reject mail after one of your SMTP servers (or that of your MSP,
ISP, ...) has accepted it. Reject during the SMTP transaction, when the
SMTP client is a "stranger".

Otherwise, tag and (deliver|quarantine|discard|...).

If you bounce spam, the bounce will go to innocent victims. This is
called backscatter and you'll find a lot of information about it. Suffice it
to say that it is considered abusive.

Note that if your bounce contains malware, phishing or Nigerian scam
text, then you are participating in a criminal activity. You may say
it's not voluntary or plead ignorance. But now you know.
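The distinction mouss draws, as an added illustration that is not code from the original post or from Communigate Pro: a toy model of the SMTP-time decision ("stranger" client, forged local return-path, unknown recipient) versus the accept-then-bounce behaviour that produces backscatter. The domain, mailbox names and spam scores are constructed placeholders.

```python
# Toy model of the post above (added illustration, not the poster's or
# Communigate's code): decide while the SMTP client is still connected; after
# acceptance only deliver/quarantine/discard, since bouncing accepted spam sends
# a DSN to the forged return-path (backscatter). Names/scores are constructed.
from dataclasses import dataclass, field

OUR_DOMAIN = "example.com"       # constructed: the domain the spammer forges
LOCAL_USERS = {"alice", "bob"}   # constructed: mailboxes that really exist

@dataclass
class Session:
    authenticated: bool  # SMTP AUTH or trusted network; False = "stranger"
    mail_from: str       # envelope sender, i.e. the future Return-Path
    rcpt_to: str

@dataclass
class Outcome:
    smtp_reply: str      # reply given during the transaction
    action: str          # none / accept / deliver / quarantine / bounce
    bounces_sent_to: list = field(default_factory=list)

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def is_local_user(addr: str) -> bool:
    return domain_of(addr) == OUR_DOMAIN and addr.split("@", 1)[0].lower() in LOCAL_USERS

def smtp_time_policy(s: Session) -> Outcome:
    """Reject in the transaction: the sending client gets the 5xx and no
    bounce message is ever generated, whatever the Return-Path says."""
    if not s.authenticated and domain_of(s.mail_from) == OUR_DOMAIN:
        return Outcome("550 5.7.1 Forged local return-path", "none")
    if domain_of(s.rcpt_to) == OUR_DOMAIN and not is_local_user(s.rcpt_to):
        return Outcome("550 5.1.1 User unknown", "none")
    return Outcome("250 2.1.5 OK", "accept")

def after_acceptance(o: Outcome, spam_score: float, threshold: float = 5.0) -> Outcome:
    """Once accepted: tag and deliver, or quarantine; never bounce."""
    if o.action == "accept":
        o.action = "quarantine" if spam_score >= threshold else "deliver"
    return o

def accept_then_bounce(s: Session, spam_score: float, threshold: float = 5.0) -> Outcome:
    """The behaviour the thread complains about: accept everything, then
    bounce spam or unknown recipients, so the DSN goes to the forged sender."""
    o = Outcome("250 2.1.5 OK", "accept")
    if spam_score >= threshold or not is_local_user(s.rcpt_to):
        o.action = "bounce"
        o.bounces_sent_to.append(s.mail_from)   # the innocent victim
    return o
```

An authenticated remote worker sending from their own address passes `smtp_time_policy`, which is why the "stranger" condition matters.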



Re: Problem with faked return-path or something like that...!

2008-12-10 Thread hofmae

Hi,

thanks a lot.

but that didn't solve anything...

We need the mailer daemon, we cannot just deactivate it.

I think the main problem is that there is one of our addresses in the
return-path. That's wrong, I think, because the spammer sends a spam mail with
one of our addresses in the return-path. The actual spam mail we don't get
to see...

Would be great if someone has an idea for us...



Benny Pedersen wrote:
> 
> 
> On Tue, December 9, 2008 23:37, hofmae wrote:
> 
>> i hope someone can help, i surfed the whole web with no answer...
> 
> problem is not the fake return path, the problem is that you bounce
> invalid recipients, and the spammers know that
> 
>> We are using Communigate Pro with SpamAssassin, now we have a problem
>> with specific spam mail and don't know how to solve it.
> 
> using postfix here
> 
>> The spammer sends us spam e-mails which include as "return-path"
>> one of our mail addresses.
> 
> yes
> 
>> So we never get the spam mail, because SpamAssassin deletes that
>> message, but we get the "Reject" mail from our mail server
>> to the return-path address which is, as I said, always one of our
>> addresses in these spam mails.
> 
> what recipient did not exist?
> 
>> The sender of this Reject-Mail is of course our own mailer daemon, so
>> we can't block that generally because we need it.
> 
> if you really rejected the mail you did not have a problem
> 
>> So the major problem is that the spammer is using faked return-path
>> addresses, and I really don't know how we can fix that problem.
> 
> http://www.google.dk/search?q=Communigate+Pro+with+Spamassasin&ie=utf-8&oe=utf-8&aq=t&rls=org.gentoo:da:official&client=firefox-a
> 
> some links to more info
> 
> -- 
> Benny Pedersen
> Need more webspace ? http://www.servage.net/?coupon=cust37098
> 
> 
> 




Re: sought rules updates

2008-12-10 Thread mouss
Kai Schaetzl wrote:
> LuKreme wrote on Tue, 9 Dec 2008 16:50:34 -0700:
> 
>> Geez there's  
>> a lot of them... and they look like they are very old, with last  
>> updated dates in 2005-2006 and none newer than Aug 2007.
> 
> Right. I removed most if not all of the SARE rules on most machines some 
> months ago with no ill effects.
> 

The only one I use now is

90_2tld.cf.sare.sa-update.dostech.net




Re: heads up: php5 security and emergency fix

2008-12-10 Thread ram

On Tue, 2008-12-09 at 07:38 -0500, Michael Scheidell wrote:
> Last week, a security bulletin was released about security problems with 
> php5 prior to version 5.2.7.
> Yesterday, a major regression testing problem was fixed in 5.2.7, with 
> the removal of the 5.2.7 binaries, and the emergency release of 5.2.8.
> 

Any reference links? I tried to google. Didn't get any 



Re: sought rules updates

2008-12-10 Thread Kai Schaetzl
LuKreme wrote on Tue, 9 Dec 2008 16:50:34 -0700:

> Geez there's  
> a lot of them... and they look like they are very old, with last  
> updated dates in 2005-2006 and none newer than Aug 2007.

Right. I removed most if not all of the SARE rules on most machines some 
months ago with no ill effects.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: sought rules updates

2008-12-10 Thread Kai Schaetzl
Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 +0000 (UTC):

> Do a search for 'sought' on the SA wiki page

and read the documentation on sa-update before you ask again ;-)

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: 1000 times easier to just do sa-update --nogpg

2008-12-10 Thread Kai Schaetzl
LuKreme wrote on Tue, 9 Dec 2008 23:23:19 -0700:

> Ok, where in those directions are you supposed to find the keyid?

where the channel maintainer announces the channel and tells you how to 
use it.

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com