Re: Problem with faked return-path or something like that...!
Preempting some responses: What about external remote workers? What about those who email stuff to themselves? I hear this kind of thing all the time when people moan about spoofing.

On Wed, 2008-12-10 at 12:19 -0500, Kevin Parris wrote:
> You do not have a SpamAssassin problem, you have a Communigate problem.
> Present this issue to your support resources for that product.
>
> The basics of what you want to do are something like this:
>
> When a message is arriving from the internet, and has your own domain in the
> Return-path, it should be REJECTED immediately. The detection of this
> condition, and the Rejecting of the message, should occur entirely within
> Communigate so that the item does not survive long enough to be presented to
> SA for analysis.
>
> > On Tue, December 9, 2008 23:37, hofmae wrote:
> >> We are using Communigate Pro with SpamAssassin, now we have a problem
> >> with specific spam mail and don't know how to solve it.
> >>
> >> The spammer sends us spam e-mails which include as "return-path"
> >> one of our mail addresses.
Re: sought rules updates
LuKreme wrote:
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still not
> found that information. I've seen the IDs in others' posts, sure, but
> where do they originate?
>
> Even searching the wiki (which just links to the previously linked
> http://taint.org/2007/08/15/004348a.html) is merely a "here's the
> random-looking digits you pass to --gpgkey" and not a "here's what the
> --gpgkey is, means, and how it's generated".

These numbers are a way of identifying those keys. They are a cryptographically strong hash: the idea is that it's easy for users to use numbers that short to confirm that the key they've received is the key they thought they were receiving, and very difficult for any attacker to generate another key with the same hash.

> Why doesn't sa-learn simply trust the keys that are added to its
> keychain without this extra (and at least for me, confusing) step? I'm
> starting to think the simplest way to do this is just ignore the gpg
> flags entirely and use --nogpg. What's the downside to this (other than
> the obvious DNS hijacking to point the URL to some spammer site with bad
> data which seems a remote enough chance to ignore).

That's your choice.

Hope this helps,
James.
--
E-mail: james@       | "Right lads, we've got 45 minutes to score 37 goals.
aprilcottage.co.uk   | No problem with that -- the other team just did."
Re: sought rules updates
On 10-Dec-2008, at 22:18, SM wrote:
> At 20:39 10-12-2008, LuKreme wrote:
>> And the source of that number is, evidently, a complete mystery. That's
>> my point. I've seen lots of instructions like this:
>>
>>   # wget http://somesite.tld/somepath/GPG.KEY
>>   # sudo sa-update --import GPG.KEY
>>   # sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld
>>
>> where the '0E28B3DC' has just magically appeared as if created from the ether.
>
> Once you have imported the key, you can use gpg --list-keys to find the key ID.

AHA! That's the crucial step I was missing and no one seemed able to provide. Thank You!

There's progress at least: I ssh to the server and then I sudo su (so I am sure I have discarded my own login environment, I do not normally do this)

  mail# gpg --list-keys /etc/mail/spamassassin/sa-update-keys/pubring.gpg
  gpg: error reading key: No public key

At least on my FreeBSD, there's no man page for gpg, and the --help doesn't point out anything obvious. If I run it without specifying a file, I get this:

  mail# gpg -k
  /root/.gnupg/pubring.gpg
  pub   1024D/11F63C51 2002-02-28
  uid                  Jamie Cameron <[EMAIL PROTECTED]>
  sub   1024g/1B24BE83 2002-02-28

> By adding the key to the keychain, you are trusting it. The security part
> is that you can verify whether the signer generated the updates. Even if
> the host is compromised, you are "safe" as long as the private key is
> secure and the signer still has your trust.

Riiight, but the public key I put in the keychain does all that, no? I'm still unclear on how the --gpgkey makes it more secure. If the file is signed, the signature is checked against the public key that I have in pubring.gpg. What does the gpgkey do?

--
I want a party where all the women wear new dresses and all the men drink beer. -- Jason Gaes
Re: google groups abuse for spam
On Wed, 2008-12-10 at 13:09 +, Ned Slider wrote:
> ram wrote:
> > I got a spam with just a link to a google groups page
> >
> > https://ecm.netcore.co.in/tmp/spam_google.txt
> >
> > Now I am scoring all mails with links to groups.google but
> > (may not be a gr8 idea though )
> >
> > Bayes training may help :)
>
> Google's Notebook is currently being abused too. See here:
>
> http://www.marshal.com/trace/traceitem.asp?article=835

Google should have better interfaces to report abuse; that is the minimum they could do. I tried reporting a google group ... there is no specific page that Google has for this.
Re: sought rules updates
At 20:39 10-12-2008, LuKreme wrote:
> And the source of that number is, evidently, a complete mystery. That's
> my point. I've seen lots of instructions like this:
>
>   # wget http://somesite.tld/somepath/GPG.KEY
>   # sudo sa-update --import GPG.KEY
>   # sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld
>
> where the '0E28B3DC' has just magically appeared as if created from the ether.

Once you have imported the key, you can use gpg --list-keys to find the key ID.

> Do you see that there is a crucial step missing there?

Yes.

> Where did that gpgkey value come from? If it wasn't provided in these
> instructions (like say you were looking for a ruleset at foo.bar.tld/GPG.KEY
> but hadn't yet discovered the page that had the magic hex code), how do you
> find it? Can you generate it? Is it simply a hash of the gpg keyfile, or
> something else?

The key ID is the low order 64 bits of the fingerprint.

> It's a bit of "hey, now just fill in this number we hopefully have given you.
> Don't worry about what it means, or how it works, or where it came from. Just
> copy&paste and you'll be fine." Strangely enough, that does not fill me with
> the highest degree of confidence. Not much more so than --nogpg.

That's not the right way to do it if we are concerned about trust relationships. As you said, unless you have confidence in what is published on the webpage, it's like running sa-update with the --nogpg parameter.

> gpgkey. I've added the key to the keychain as a trusted key, that is
> enough to make it secure. How is this 8 digit hex code making anything any
> more secure?

By adding the key to the keychain, you are trusting it. The security part is that you can verify whether the signer generated the updates. Even if the host is compromised, you are "safe" as long as the private key is secure and the signer still has your trust.

Regards,
-sm
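As an added illustration for the exchange above (not code from the thread, SpamAssassin or GnuPG), the following derives the numbers SM refers to from a public key packet: the OpenPGP v4 fingerprint is SHA-1 over the key packet, the long key ID is its low-order 64 bits, and the 8-hex-digit short ID that sa-update --gpgkey takes (like 0E28B3DC above) is its low-order 32 bits. The RSA modulus and exponent used here are constructed toy values, not a real key.

```python
"""Where the --gpgkey value comes from: fingerprint and key ID of an OpenPGP v4 key.

Added example for this thread, not code from SpamAssassin or GnuPG. The RSA
modulus and exponent below are CONSTRUCTED toy values, not a real key.
RFC 4880 12.2: v4 fingerprint = SHA-1(0x99 || 2-octet body length || packet body);
the key ID is the low-order 64 bits of the fingerprint, and the 8-hex-digit
"short" ID that sa-update --gpgkey takes is the low-order 32 bits.
"""
import hashlib
import struct


def mpi(n: int) -> bytes:
    """Encode an integer as an OpenPGP MPI: 2-octet bit length, then big-endian magnitude."""
    bits = n.bit_length()
    return struct.pack(">H", bits) + n.to_bytes((bits + 7) // 8, "big")


def read_mpi(body: bytes, pos: int):
    """Decode the MPI starting at body[pos]; return (value, position after it)."""
    bits = struct.unpack(">H", body[pos:pos + 2])[0]
    nbytes = (bits + 7) // 8
    return int.from_bytes(body[pos + 2:pos + 2 + nbytes], "big"), pos + 2 + nbytes


def build_v4_rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Public-Key packet body: version 4, 4-octet creation time, algorithm 1 (RSA), MPIs n, e."""
    return bytes([4]) + struct.pack(">I", created) + bytes([1]) + mpi(n) + mpi(e)


def build_packet(body: bytes) -> bytes:
    """Old-format packet header for tag 6 with a 2-octet length (0x99), then the body."""
    return bytes([0x99]) + struct.pack(">H", len(body)) + body


def parse_public_key_packet(packet: bytes) -> dict:
    """Parse a tag-6 old-format packet (2-octet length, v4, RSA) into its fields."""
    if packet[0] != 0x99:
        raise ValueError("not an old-format Public-Key packet with 2-octet length")
    length = struct.unpack(">H", packet[1:3])[0]
    body = packet[3:3 + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if body[0] != 4 or body[5] != 1:
        raise ValueError("only v4 RSA keys are handled in this example")
    created = struct.unpack(">I", body[1:5])[0]
    n, pos = read_mpi(body, 6)
    e, pos = read_mpi(body, pos)
    if pos != len(body):
        raise ValueError("trailing bytes in packet body")
    return {"created": created, "n": n, "e": e, "body": body}


def fingerprint_v4(body: bytes) -> str:
    """SHA-1 over 0x99 || 2-octet length || body, as 40 upper-case hex digits."""
    return hashlib.sha1(bytes([0x99]) + struct.pack(">H", len(body)) + body).hexdigest().upper()


def long_key_id(fpr: str) -> str:
    """Low-order 64 bits of the fingerprint: its last 16 hex digits."""
    return fpr[-16:]


def short_key_id(fpr: str) -> str:
    """Low-order 32 bits: the last 8 hex digits, the form sa-update --gpgkey accepts."""
    return fpr[-8:]


def signer_is_pinned(signing_fpr: str, pinned_ids) -> bool:
    """The check --gpgkey adds on top of the keyring: the update must be signed by one
    of the pinned key IDs, not merely by some key that happens to be in the keyring."""
    ids = {long_key_id(signing_fpr), short_key_id(signing_fpr)}
    return any(k.upper() in ids for k in pinned_ids)


# Constructed toy key material (far too small to be secure; demo only).
DEMO_N = 0xC0FFEE1234567890ABCDEF1122334455667788990011223344556677889900AABB
DEMO_E = 65537
DEMO_CREATED = 1228867200  # 2008-12-10 00:00:00 UTC
DEMO_PACKET = build_packet(build_v4_rsa_pubkey_body(DEMO_CREATED, DEMO_N, DEMO_E))


def demo_key_ids(packet: bytes = DEMO_PACKET) -> dict:
    """Parse a Public-Key packet and return its fingerprint, long ID and short ID."""
    fpr = fingerprint_v4(parse_public_key_packet(packet)["body"])
    return {"fingerprint": fpr, "long_id": long_key_id(fpr), "short_id": short_key_id(fpr)}


if __name__ == "__main__":
    ids = demo_key_ids()
    print("fingerprint:", ids["fingerprint"])
    print("long key ID:", ids["long_id"])
    print("sa-update --gpgkey", ids["short_id"])
```

Because the short ID is only 32 bits, a different key with the same 8 hex digits can be produced by brute force, so when checking that you imported the right key compare the full fingerprint shown by gpg --fingerprint, not just the short ID.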
Re: sought rules updates
On 10-Dec-2008, at 20:36, SM wrote:
> At 13:51 10-12-2008, LuKreme wrote:
>> I read the man page, where there is no mention of how to obtain this
>> number. In fact, I read many posts, and many webpages and have still not
>> found that information. I've seen the IDs in others' posts, sure, but
>> where do they originate?
>
> sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of the
> updates. The Sought rules webpage mentions how to download the GPG key. If
> you want to understand how GPG works or how to use GPG keys, you should read
> the GPG documentation.

Yes, downloading the key is not the issue.

>> Even searching the wiki (which just links to the previously linked
>> http://taint.org/2007/08/15/004348a.html) is merely a "here's the
>> random-looking digits you pass to --gpgkey" and not a "here's what the
>> --gpgkey is, means, and how it's generated".
>
> The gpgkey parameter for sa-update specifies which GPG key ID should be
> trusted to sign the updates. You can use the gpg command to find out what
> the key ID is. That's not a random number;

I said 'random looking'.

> it's a hexadecimal number which identifies the key.

And the source of that number is, evidently, a complete mystery. That's my point. I've seen lots of instructions like this:

  # wget http://somesite.tld/somepath/GPG.KEY
  # sudo sa-update --import GPG.KEY
  # sudo sa-update --gpgkey 0E28B3DC --channel uber.rule.somesite.tld

where the '0E28B3DC' has just magically appeared as if created from the ether.

Do you see that there is a crucial step missing there? Where did that gpgkey value come from? If it wasn't provided in these instructions (like say you were looking for a ruleset at foo.bar.tld/GPG.KEY but hadn't yet discovered the page that had the magic hex code), how do you find it? Can you generate it? Is it simply a hash of the gpg keyfile, or something else?

It's a bit of "hey, now just fill in this number we hopefully have given you. Don't worry about what it means, or how it works, or where it came from. Just copy&paste and you'll be fine." Strangely enough, that does not fill me with the highest degree of confidence. Not much more so than --nogpg.

> Because sa-update is designed to provide updates in a secure way. If you
> want the simplest way, you can ignore these steps and face the consequences
> when something goes wrong.

Oddly enough, I am able to encrypt emails, sign emails, verify signed mails, login to ssh ports on remote servers and do a whole host of secure things without ever having encountered anything like this gpgkey. I've added the key to the keychain as a trusted key, that is enough to make it secure. How is this 8 digit hex code making anything any more secure?

--
I know that you believe you understand what you think I said but I am not sure you realize that what you heard is not what I meant.
Re: Spam slipping through
On 10-Dec-2008, at 16:01, mouss wrote:
> while the whitelisting part is ok, the "blacklisting" part is risky:
> - they could mess up with their dns config during an update or they could
>   add a new MTA, or reconfigure their MTA and "forget" to pass through the
>   dkim signing application...
> - they may want to allow some of their users to post via their ISP, hotel, ...
> so 5 is a little too high.

Ah, gotcha. I am scoring whitelist at -5 though, so a 5 still puts them at 0. Without other spam tags, they should still pass, no?

On 10-Dec-2008, at 16:52, Benny Pedersen wrote:
> On Wed, December 10, 2008 23:16, LuKreme wrote:
>> Which would, I think, score them a full 5 points up for failing DKIM, but
>> give them a negative score from USER_IN_DKIM_WHITELIST?
>
> try:
>
>   def_whitelist_auth [EMAIL PROTECTED]
>   whitelist_auth [EMAIL PROTECTED]
>
> why have the extra step with add score for not verified ?

Because, let's say company.tld is mybank.tld and messages that fail to pass the check should be tagged up, right?

--
Strange things are afoot at the Circle K
Re: sought rules updates
At 13:51 10-12-2008, LuKreme wrote:
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still not
> found that information. I've seen the IDs in others' posts, sure, but
> where do they originate?

sa-update uses GPG (GNU Privacy Guard) to verify the authenticity of the updates. The Sought rules webpage mentions how to download the GPG key. If you want to understand how GPG works or how to use GPG keys, you should read the GPG documentation.

> Even searching the wiki (which just links to the previously linked
> http://taint.org/2007/08/15/004348a.html) is merely a "here's the
> random-looking digits you pass to --gpgkey" and not a "here's what the
> --gpgkey is, means, and how it's generated".

The gpgkey parameter for sa-update specifies which GPG key ID should be trusted to sign the updates. You can use the gpg command to find out what the key ID is. That's not a random number; it's a hexadecimal number which identifies the key.

> Why doesn't sa-learn simply trust the keys that are added to its
> keychain without this extra (and at least for me, confusing) step? I'm
> starting to think the simplest way to do this is just ignore the gpg
> flags entirely and use --nogpg. What's the downside to this (other than
> the obvious DNS hijacking to point the URL to some spammer site with bad
> data which seems a remote enough chance to ignore).

Because sa-update is designed to provide updates in a secure way. If you want the simplest way, you can ignore these steps and face the consequences when something goes wrong.

Regards,
-sm
RE: sought rules updates
> Right. I removed most if not all of the SARE rules on most
> machines some months ago with no ill effects.
>
> Kai

what ones did you keep? if you recall, any particular reason why?

- rh
Re: Spam slipping through
On Wed, December 10, 2008 23:16, LuKreme wrote:
> Which would, I think, score them a full 5 points up for failing
> DKIM, but give them a negative score from USER_IN_DKIM_WHITELIST?

try:

  def_whitelist_auth [EMAIL PROTECTED]
  whitelist_auth [EMAIL PROTECTED]

why have the extra step with add score for not verified ?

another way is:

  whitelist_auth [EMAIL PROTECTED]
  unwhitelist_auth [EMAIL PROTECTED]

not tested here but should work in the config

--
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: sought rules updates
LuKreme wrote on Wed, 10 Dec 2008 14:51:47 -0700:
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still
> not found that information. I've seen the IDs in others' posts, sure,
> but where do they originate?

I'm not an expert on this. You need something to identify a key. This is probably some hash derived from the key (by means of some gpg tool).

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Spam slipping through
LuKreme wrote:
> On 10-Dec-2008, at 12:10, Kelson wrote:
>> Successful sender verification ALONE doesn't tell you much, because it
>> doesn't distinguish between a legit sender who uses DKIM and a spammer
>> who uses DKIM (or a spammer abusing a large sender). This is why the
>> default scores on DKIM_VERIFIED and DKIM_SIGNED are just enough to
>> track the rule, and not enough to significantly affect the score
>
> Thank you (and you too, mouss) for the explanation, this does make a lot
> of sense now. I guess I need to go through all my mail and find the
> DKIM info for the good sites.
>
> Given that I get mail from company.tld and they used DKIM and I trust it
> if it passes, and given that company.tld is a company where I am getting
> mail from their employees and not from their clients (like not an ISP),
> does this look about right:
>
>   whitelist_from_dkim [EMAIL PROTECTED]
>   whitelist_from_dkim [EMAIL PROTECTED]
>   header __L_FROM_CTLD From:addr =~ /[EMAIL PROTECTED]/mi
>   meta L_NOTVALID_CTLD !DKIM_VERIFIED && __L_FROM_CTLD
>   score L_NOTVALID_CTLD 5
>
> Which would, I think, score them a full 5 points up for failing DKIM,
> but give them a negative score from USER_IN_DKIM_WHITELIST?

while the whitelisting part is ok, the "blacklisting" part is risky:
- they could mess up with their dns config during an update or they could add a new MTA, or reconfigure their MTA and "forget" to pass through the dkim signing application...
- they may want to allow some of their users to post via their ISP, hotel, ...

so 5 is a little too high. I see yahoo mail failing verification (and yes, it is legit mail sent by a yahoo user via yahoo. no forgery or anything). That should tell you something ;-p

> And I assume that the dkim.cf that was in /etc/mail/spamassassin/ should
> be in /var/db/spamassassin/3.002.005/ instead?

no. it's your file, so leave it in your "site rules directory" (/etc/ apparently). /var/{db|lib}/spamassassin/ is for automatic updates.
Re: sought rules updates
LuKreme wrote:
> On 10-Dec-2008, at 01:31, Kai Schaetzl wrote:
>> Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 + (UTC):
>>> Do a search for 'sought' on the SA wiki page
>>
>> and read the documentation on sa-update before you ask again ;-)
>
> I read the man page, where there is no mention of how to obtain this
> number. In fact, I read many posts, and many webpages and have still not
> found that information. I've seen the IDs in others' posts, sure, but
> where do they originate?
>
> Even searching the wiki (which just links to the previously linked
> http://taint.org/2007/08/15/004348a.html) is merely a "here's the
> random-looking digits you pass to --gpgkey" and not a "here's what the
> --gpgkey is, means, and how it's generated".
>
> Why doesn't sa-learn simply trust the keys that are added to its
> keychain without this extra (and at least for me, confusing) step? I'm
> starting to think the simplest way to do this is just ignore the gpg
> flags entirely and use --nogpg. What's the downside to this (other than
> the obvious DNS hijacking to point the URL to some spammer site with bad
> data which seems a remote enough chance to ignore).

I use a script and a config file to do all this stuff:

  http://www.netoyen.net/sa/sa-update.sh.txt
  http://www.netoyen.net/sa/channel.conf

so my cron has:

  /usr/local/bin/sa-update.sh > /dev/null

(paths and the restart command (I use amavisd) must be adjusted).

I have been thinking of modifying sa-update directly...
Re: Spam slipping through
On 10-Dec-2008, at 12:10, Kelson wrote:
> Successful sender verification ALONE doesn't tell you much, because it
> doesn't distinguish between a legit sender who uses DKIM and a spammer
> who uses DKIM (or a spammer abusing a large sender). This is why the
> default scores on DKIM_VERIFIED and DKIM_SIGNED are just enough to
> track the rule, and not enough to significantly affect the score

Thank you (and you too, mouss) for the explanation, this does make a lot of sense now. I guess I need to go through all my mail and find the DKIM info for the good sites.

Given that I get mail from company.tld and they used DKIM and I trust it if it passes, and given that company.tld is a company where I am getting mail from their employees and not from their clients (like not an ISP), does this look about right:

  whitelist_from_dkim [EMAIL PROTECTED]
  whitelist_from_dkim [EMAIL PROTECTED]
  header __L_FROM_CTLD From:addr =~ /[EMAIL PROTECTED]/mi
  meta L_NOTVALID_CTLD !DKIM_VERIFIED && __L_FROM_CTLD
  score L_NOTVALID_CTLD 5

Which would, I think, score them a full 5 points up for failing DKIM, but give them a negative score from USER_IN_DKIM_WHITELIST?

And I assume that the dkim.cf that was in /etc/mail/spamassassin/ should be in /var/db/spamassassin/3.002.005/ instead?

--
The trouble with being a god is that you've got no one to pray to.
Re: sought rules updates
On 10-Dec-2008, at 01:31, Kai Schaetzl wrote:
> Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 + (UTC):
>> Do a search for 'sought' on the SA wiki page
>
> and read the documentation on sa-update before you ask again ;-)

I read the man page, where there is no mention of how to obtain this number. In fact, I read many posts, and many webpages and have still not found that information. I've seen the IDs in others' posts, sure, but where do they originate?

Even searching the wiki (which just links to the previously linked http://taint.org/2007/08/15/004348a.html) is merely a "here's the random-looking digits you pass to --gpgkey" and not a "here's what the --gpgkey is, means, and how it's generated".

Why doesn't sa-learn simply trust the keys that are added to its keychain without this extra (and at least for me, confusing) step? I'm starting to think the simplest way to do this is just ignore the gpg flags entirely and use --nogpg. What's the downside to this (other than the obvious DNS hijacking to point the URL to some spammer site with bad data which seems a remote enough chance to ignore).

--
Advance and attack! Attack and destroy! Destroy and rejoice!
Re: Spam slipping through
LuKreme wrote:
> On 8-Dec-2008, at 00:44, mouss wrote:
>>> DKIM is not a blacklister, but a whitelist based on if sender really
>>> use monster.com mta mail server or not :)
>>>
>> indeed.
>
> Checking my SPAM folder it seems that a LOT of spam gets DKIM_VERIFIED
>
> I have tons that look, essentially, like this:
>
>   DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
>     s=main; d=etacbase07.com;
>     b=eVw4gychbdyZ01HyEGfBa7zjoxxjaaqVy+vHu9UeYI7+aKC971+ySnccA4klNvcBOIkAbiSgWl4YWXCn5SrkEg==;
>     h=Received:Message-ID:Date:From:To:Subject:List-Unsubscribe:Mime-Version:Content-Type;
>   Received: by 69.30.205.166 with SMTP id 4gki5ruu8m4116d
>     for <*munged*>; Tue, 09 Dec 2008 13:11:33 -0600
>   Message-ID: <[EMAIL PROTECTED]>
>   Date: Tue, 09 Dec 2008 13:11:34 -0600
>   From: "Goya Foods" <[EMAIL PROTECTED]>
>   To: "Subscriber" <*munged*>
>
> So it looks like the only usefulness of DKIM for spam checking is really
> for the big mailers like gmail, paypal, ebay, etc? This message failed
> the SA check with a score over 11, so I'm not complaining.

If someone says: I'm Joe. then I don't care if he lies or not, unless "being Joe" means something to me. so if I get mail from [EMAIL PROTECTED], dkim and dk signed, spf pass, great helo, nice looking IP, ... etc. I don't care about all this stuff. I check the content.

If someone says: I'm your mother. then I'll ask to see his hand (sorry, I don't know the name of the story in english. if you can read french, check http://satamania-bar.bbflash.net/conte-et-raconte-f5/le-loup-la-chevre-et-les-7-biquets-t908.htm )

so yes, dkim is a whitelist mechanism that allows you to whitelist known "names" when they sign their mail with a verifiable signature. it doesn't mean you can trust any dkim-signed mail (because anybody can sign his mail) nor that non signed mail is bad (even yahoo sends unsigned mail) nor that a bad signature is bad (I've seen broken sigs from yahoo).

> I have a dkim.cf that is pretty basic, I guess, but I've recently
> tweaked the settings a bit:
>
>   score DKIM_VERIFIED -1.3
>   score DKIM_SIGNED 1
>   score USER_IN_DKIM_WHITELIST -10.0
>   score USER_IN_DEF_DKIM_WL -3.3
>   score ENV_AND_HDR_DKIM_MATCH -0.7
>   score L_NOTVALID_GMAIL 3.0
>   score L_NOTVALID_PAY 10
>
> I'm still testing these settings.
Re: sought rules updates
John Horne wrote:
> On Tue, 2008-12-09 at 22:54 -0700, LuKreme wrote:
>> On 9-Dec-2008, at 17:09, John Horne wrote:
>>> Try:
>>>
>>>   sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
>>
>> Ok, that gives me no error (where did you find/get the 6C6191E3?). It
>> sits for about 20-30 seconds and then I get a prompt back. But as far
>> as I can tell, nothing has changed. There is no new .cf file in /etc/
>> mail/spamassassin (which is a link /etc/mail/spamassassin -> ../../usr/
>> local/etc/mail/spamassassin if that matters), for example.
>>
> Look in '/var/lib/spamassassin/3*' within there, there should be a new
> subdirectory and .cf file.

let's avoid a "linux domination fast, resistance is futile" move ;-p

the directory is ${base}/spamassassin/${version}/ where:

${base} is /var/lib on linux, /var/db on BSD, and something else elsewhere. (who said C:\Progra~\ ?)

and ${version} is a perl-style version id (i.e. padded with zeros). so it is 3.002005 for 3.2.5.
Re: Spam slipping through
LuKreme wrote:
> So it looks like the only usefulness of DKIM for spam checking is really
> for the big mailers like gmail, paypal, ebay, etc?

A pass on DKIM (or any other sender verification system) is useful for any mailer that you *recognize*, regardless of size. Trivial example: If you regularly do business with SmallCorp, and you know they sign their mail using DKIM, you can whitelist those messages that claim to be them and come through with a verified DKIM signature.

Successful sender verification ALONE doesn't tell you much, because it doesn't distinguish between a legit sender who uses DKIM and a spammer who uses DKIM (or a spammer abusing a large sender). This is why the default scores on DKIM_VERIFIED and DKIM_SIGNED are just enough to track the rule, and not enough to significantly affect the score.

Combine it with a reputation system for those domains, even one as simple as a bunch of whitelist_from_dkim rules in your local.cf, and it becomes a powerful whitelisting & blacklisting tool.

--
Kelson Vibber
SpeedGate Communications
Re: Problem with faked return-path or something like that...!
You do not have a SpamAssassin problem, you have a Communigate problem. Present this issue to your support resources for that product.

The basics of what you want to do are something like this:

When a message is arriving from the internet, and has your own domain in the Return-path, it should be REJECTED immediately. The detection of this condition, and the Rejecting of the message, should occur entirely within Communigate so that the item does not survive long enough to be presented to SA for analysis.

> On Tue, December 9, 2008 23:37, hofmae wrote:
>> We are using Communigate Pro with SpamAssassin, now we have a problem
>> with specific spam mail and don't know how to solve it.
>> The spammer sends us spam e-mails which include as "return-path"
>> one of our mail addresses.
RE: sought rules updates
[EMAIL PROTECTED] wrote:
> Karsten Bräckelmann writes:
> > On Mon, 2008-12-08 at 20:00 -0600, Chris wrote:
> > > Has anyone seen any updates to the sought rules lately? It seems
> > > like it's been about 4 or 5 days now since I've seen any via
> > > sa-update.
> >
> > I believe this is due to the recent SSL cert update for ASF svn.
> > Changed without a heads up in advance... :( This broke automated
> > processes.
> >
> > AFAIK Justin is aware of this, and hopefully will have fixed it
> > soon. :)
>
> this should be fixed now, I think...
>
> --j.

Working here. Thanks!

--
Bowie
Re: Inconsistent RBL checks
On 08.12.08 19:09, James Grant wrote:
> Hi all, I've run into a weird situation where spamassassin will (seemingly
> randomly) only do certain RBL checks.
[...]
> I've done it with spamd in debug mode and there's never any warnings or
> errors about it not doing certain checks, it seems to just leave them out.
>
> Any thoughts on why this might happen?

did you play with rbl_timeout?

--
Matus UHLAR - fantomas, [EMAIL PROTECTED] ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
I intend to live forever - so far so good.
Re: google groups abuse for spam
ram wrote:
> I got a spam with just a link to a google groups page
>
> https://ecm.netcore.co.in/tmp/spam_google.txt
>
> Now I am scoring all mails with links to groups.google but
> (may not be a gr8 idea though )
>
> Bayes training may help :)

Google's Notebook is currently being abused too. See here:

http://www.marshal.com/trace/traceitem.asp?article=835

If I add a custom rule I tend to score stuff like this quite low, as much as an informational rule to get a handle on how big the issue is at any given time.
Re: heads up: php5 security and emergency fix
this gets me 62 pages: php5 5.2.7 mq bug

ram wrote:
> On Tue, 2008-12-09 at 07:38 -0500, Michael Scheidell wrote:
>> Last week, a security bulletin was released about security problems with
>> php5 prior to version 5.2.7.
>> Yesterday, a major regression testing problem was fixed in 5.2.7, with
>> the removal of the 5.2.7 binaries, and the emergency release of 5.2.8.
>
> Any reference links? I tried to google. Didn't get any

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* King of Spam Filters, SC Magazine 2008
* Information Security Award 2008, Info Security Products Guide
* CRN Magazine Top 40 Emerging Security Vendors
Re: sought rules updates
Justin Mason wrote:
> Karsten Bräckelmann writes:
>> On Mon, 2008-12-08 at 20:00 -0600, Chris wrote:
>>> Has anyone seen any updates to the sought rules lately? It seems like
>>> it's been about 4 or 5 days now since I've seen any via sa-update.
>>
>> I believe this is due to the recent SSL cert update for ASF svn. Changed
>> without a heads up in advance... :( This broke automated processes.
>>
>> AFAIK Justin is aware of this, and hopefully will have fixed it
>> soon. :)
>
> this should be fixed now, I think...
>
> --j.

Yes, working here now. Thank you Justin :)
Re: sought rules updates
Karsten Bräckelmann writes:
> On Mon, 2008-12-08 at 20:00 -0600, Chris wrote:
> > Has anyone seen any updates to the sought rules lately? It seems like it's
> > been about 4 or 5 days now since I've seen any via sa-update.
>
> I believe this is due to the recent SSL cert update for ASF svn. Changed
> without a heads up in advance... :( This broke automated processes.
>
> AFAIK Justin is aware of this, and hopefully will have fixed it
> soon. :)

this should be fixed now, I think...

--j.
Re: sought rules updates
On Tue, 2008-12-09 at 22:54 -0700, LuKreme wrote:
> On 9-Dec-2008, at 17:09, John Horne wrote:
> > Try:
> >
> >   sa-update --gpgkey 6C6191E3 --channel sought.rules.yerp.org
>
> Ok, that gives me no error (where did you find/get the 6C6191E3?). It
> sits for about 20-30 seconds and then I get a prompt back. But as far
> as I can tell, nothing has changed. There is no new .cf file in /etc/
> mail/spamassassin (which is a link /etc/mail/spamassassin -> ../../usr/
> local/etc/mail/spamassassin if that matters), for example.
>
Look in '/var/lib/spamassassin/3*'; within there, there should be a new subdirectory and .cf file.

John.

--
John Horne, University of Plymouth, UK   Tel: +44 (0)1752 587287
E-mail: [EMAIL PROTECTED]                Fax: +44 (0)1752 587001
Re: heads up: php5 security and emergency fix
Ram wrote on Wed, 10 Dec 2008 14:48:23 +0530:
> Any reference links? I tried to google. Didn't get any

php.net

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: Problem with faked return-path or something like that...!
hofmae wrote:
> Hi,
>
> thanks a lot.
>
> but that didn't solve anything...
>
> We need the mailer daemon, we cannot just deactivate it.
>
> I think the main problem is that there is one of our addresses in the
> return-path. That's wrong I think, because the spammer sends a spam mail with
> one of our addresses in the return-path. The actual spam mail we don't get
> to see...
>
> Would be great if someone has an idea for us...
>

Do not reject mail after one of your SMTP servers (or that of your MSP, ISP, ...) has accepted it. reject during the smtp transaction, when the smtp client is a "stranger". Otherwise, tag and (deliver|quarantine|discard|...).

if you bounce spam, the bounce will go to innocent victims. This is called backscatter and you'll find a lot of info about it. suffice it to say that it is considered abusive. note that if your bounce contains malware, phishing or Nigerian scam text, then you are participating in a criminal activity. you may say it's not voluntary or plead ignorance. but now you know.
Re: Problem with faked return-path or something like that...!
Hi,

thanks a lot.

but that didn't solve anything...

We need the mailer daemon, we cannot just deactivate it.

I think the main problem is that there is one of our addresses in the return-path. That's wrong I think, because the spammer sends a spam mail with one of our addresses in the return-path. The actual spam mail we don't get to see...

Would be great if someone has an idea for us...

Benny Pedersen wrote:
>
> On Tue, December 9, 2008 23:37, hofmae wrote:
>
>> i hope someone can help, i surfed the whole web with no answer...
>
> problem is not the fake return path, its problem is that you bounce
> invalid recipient, and the spammers know that
>
>> We are using Communigate Pro with SpamAssassin, now we have a problem
>> with specific spam mail and don't know how to solve it.
>
> using postfix here
>
>> The spammer sends us spam e-mails which include as "return-path"
>> one of our mail addresses.
>
> yes
>
>> So we never get the spam mail, because SpamAssassin deletes that
>> message, but we get the "Reject" Mail from our Mail-Server
>> to the return-path address which is as i said always one of our
>> addresses in these spam mails.
>
> what recipient did not exist ?
>
>> The sender of this Reject-Mail is of course our own mailerdaemon, so
>> we can't block that generally because we need it.
>
> if you really rejected the mail you did not have a problem
>
>> So the major problem is that the spammer is using faked return-path
>> addresses, and i really don't know how we can fix that problem.
>
> http://www.google.dk/search?q=Communigate+Pro+with+Spamassasin&ie=utf-8&oe=utf-8&aq=t&rls=org.gentoo:da:official&client=firefox-a
>
> some links to more info
>
> --
> Benny Pedersen
> Need more webspace ? http://www.servage.net/?coupon=cust37098
Re: sought rules updates
Kai Schaetzl wrote:
> LuKreme wrote on Tue, 9 Dec 2008 16:50:34 -0700:
>
>> Geez there's a lot of them... and they look like they are very old, with
>> last updated dates in 2005-2006 and none newer than Aug 2007.
>
> Right. I removed most if not all of the SARE rules on most machines some
> months ago with no ill effects.
>

The only one I use now is 90_2tld.cf.sare.sa-update.dostech.net
Re: heads up: php5 security and emergency fix
On Tue, 2008-12-09 at 07:38 -0500, Michael Scheidell wrote:
> Last week, a security bulletin was released about security problems with
> php5 prior to version 5.2.7.
> Yesterday, a major regression testing problem was fixed in 5.2.7, with
> the removal of the 5.2.7 binaries, and the emergency release of 5.2.8.

Any reference links? I tried to google. Didn't get any.
Re: sought rules updates
LuKreme wrote on Tue, 9 Dec 2008 16:50:34 -0700:
> Geez there's a lot of them... and they look like they are very old, with
> last updated dates in 2005-2006 and none newer than Aug 2007.

Right. I removed most if not all of the SARE rules on most machines some months ago with no ill effects.

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: sought rules updates
Duane Hill wrote on Wed, 10 Dec 2008 06:53:39 + (UTC):
> Do a search for 'sought' on the SA wiki page

and read the documentation on sa-update before you ask again ;-)

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com
Re: 1000 times easier to just do sa-update --nogpg
LuKreme wrote on Tue, 9 Dec 2008 23:23:19 -0700:
> Ok, where in those directions are you supposed to find the keyid?

where the channel maintainer announces the channel and tells you how to use it.

Kai
--
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com