Re: Russian spam

2009-01-14 Thread Francis Russell
Benny Pedersen wrote:

Unfortunately, these two are because I receive mail via BT/Yahoo who
never do a PTR lookup on the IP.

>  3.3 TVD_RCVD_IP4           TVD_RCVD_IP4
>  1.6 TVD_RCVD_IP            TVD_RCVD_IP

Oddly, I can't get this one to fire on my SA install.

>  2.0 FROM_EXCESS_BASE64 From: base64 encoded unnecessarily

Francis


Re: Russian spam

2009-01-14 Thread Ned Slider

Michael Hutchinson wrote:

Hello,

Be careful with the character-set matching rules. I was using some of them and 
got a high rate of FP's - it was mainly because of the koi8-r charset, and 
scoring against that meant I was also scoring against perfectly legitimate 
technical resource newsletters that are in English.

Cheers,
Mike




Indeed Mike. I've noticed the occasional FP in English written mails 
from Russian companies such as the AV vendor Kaspersky. In general 
though I find they hit more for spam than ham for me - YMMV.






Re: Russian spam

2009-01-14 Thread Benny Pedersen

On Thu, January 15, 2009 01:35, Francis Russell wrote:

> http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

Content analysis details:   (12.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.5 URICOUNTRY_RU          Contains a URI hosted in RU
 3.3 TVD_RCVD_IP4           TVD_RCVD_IP4
 1.6 TVD_RCVD_IP            TVD_RCVD_IP
 2.9 RCVD_IN_XBL            RBL: Received via a relay in Spamhaus XBL
                            [84.16.105.146 listed in zen.spamhaus.org]
 2.0 FROM_EXCESS_BASE64     From: base64 encoded unnecessarily
 1.3 SAGREY                 Adds score to spam from first-time senders

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



RE: Russian spam

2009-01-14 Thread Michael Hutchinson
Hello,

Be careful with the character-set matching rules. I was using some of them and 
got a high rate of FP's - it was mainly because of the koi8-r charset, and 
scoring against that meant I was also scoring against perfectly legitimate 
technical resource newsletters that are in English.

Cheers,
Mike


-Original Message-
From: Ned Slider [mailto:n...@unixmail.co.uk] 
Sent: Thursday, 15 January 2009 2:04 p.m.
To: users@spamassassin.apache.org
Subject: Re: Russian spam

Francis Russell wrote:
> Anyone know of any good rule-sets to block this sort of spam?
> 
> http://www.unchartedbackwaters.co.uk/files/russian_spam.txt
> 
> I find that Pyzor and Razor completely miss it as well as the DNS
> blacklists (although I believe this one has a relay in one of the
> Spamhaus ones now). I'm aware of the language whitelisting feature but
> presumably there is a better way than just assuming everything in
> language x is spam?
> 
> Francis
> 

If you want something that's language specific, checking for koi8-r can 
be quite effective, but if you do receive legitimate Russian mail then 
it may lead to FPs. Anyway, here's a rule to check the subject that 
would hit your example:

header  LOCAL_CHARSET_SUBJECT   Subject:raw =~ /\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?/i

There are a few other foreign character sets thrown in there that I also 
reject - edit to suit your needs.

Looking at the rest of the mail, I have a few other custom rules that 
fire on your example:


header  LOCAL_THEBAT_MUA        X-Mailer =~ /^The Bat!/

uri     LOCAL_URI_RU            m{https?://.{1,40}\.ru\b}
uri     LOCAL_URI_CHAT_RU       m{https?://.{1,40}\.chat\.ru\b}

I score against The Bat MUA, and also against any [dot] ru domains, plus 
an additional (additive) score for [dot] chat [dot] ru  URIs. I have no 
legitimate use for these in emails (I also have a similar rule for 
Chinese domains that's very popular!)

So I have 4 or 5 custom rules that all score against your example and 
add a little to the score taking it well over the spam threshold.






Re: Russian spam

2009-01-14 Thread Ned Slider

Francis Russell wrote:

Anyone know of any good rule-sets to block this sort of spam?

http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

I find that Pyzor and Razor completely miss it as well as the DNS
blacklists (although I believe this one has a relay in one of the
Spamhaus ones now). I'm aware of the language whitelisting feature but
presumably there is a better way than just assuming everything in
language x is spam?

Francis



If you want something that's language specific, checking for koi8-r can 
be quite effective, but if you do receive legitimate Russian mail then 
it may lead to FPs. Anyway, here's a rule to check the subject that 
would hit your example:


header  LOCAL_CHARSET_SUBJECT   Subject:raw =~ /\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?/i


There are a few other foreign character sets thrown in there that I also 
reject - edit to suit your needs.


Looking at the rest of the mail, I have a few other custom rules that 
fire on your example:



header  LOCAL_THEBAT_MUA        X-Mailer =~ /^The Bat!/

uri     LOCAL_URI_RU            m{https?://.{1,40}\.ru\b}
uri     LOCAL_URI_CHAT_RU       m{https?://.{1,40}\.chat\.ru\b}

I score against The Bat MUA, and also against any [dot] ru domains, plus 
an additional (additive) score for [dot] chat [dot] ru  URIs. I have no 
legitimate use for these in emails (I also have a similar rule for 
Chinese domains that's very popular!)


So I have 4 or 5 custom rules that all score against your example and 
add a little to the score taking it well over the spam threshold.







RE: Russian spam

2009-01-14 Thread Michael Hutchinson
Hello,

You could write a Meta rule that contained two sub rules - one for matching 
"The Bat!" mailer, and the other matching the "chat.ru" link at the bottom. 
Fire a score if both rules hit. It may not be optimal, but it got rid of that 
Spam for me, and I haven't had a FP yet.

If you check out the meta that was posted on here not long ago to do with the 
"Spaces Live" Spam, that has a very similar concept, involving The Bat mailer 
and Spaces Live links at the bottom of the Spam.

Cheers,
Mike


-Original Message-
From: Francis Russell [mailto:francis+saus...@unchartedbackwaters.co.uk] 
Sent: Thursday, 15 January 2009 1:35 p.m.
To: users@spamassassin.apache.org
Subject: Russian spam

Anyone know of any good rule-sets to block this sort of spam?

http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

I find that Pyzor and Razor completely miss it as well as the DNS
blacklists (although I believe this one has a relay in one of the
Spamhaus ones now). I'm aware of the language whitelisting feature but
presumably there is a better way than just assuming everything in
language x is spam?

Francis

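The meta rule Michael describes, built on the header and uri rules Ned posted earlier in this thread, as an added example (it is neither poster's code and not SpamAssassin's own engine): a small Python evaluator applies those exact regexes to a constructed message and lets the combined rule fire only when both sub-rules hit, so the two individually weak signals stay below threshold on an English newsletter with a koi8-r subject. The per-rule scores, the meta rule's name and 3.0 score, the sample messages, addresses and hostnames are all assumptions made for this example.

```python
import re
from email import message_from_string
from email.message import Message

# Header and uri regexes are the ones from Ned Slider's post; the rule scores,
# the meta rule and its 3.0 score are assumptions chosen for this example.
HEADER_RULES = {
    # name: (header, pattern, score)
    "LOCAL_CHARSET_SUBJECT": ("Subject", re.compile(r"\=\?(koi8-r|windows-1251|iso-2022-jp|gb2312)\?", re.I), 1.0),
    "LOCAL_THEBAT_MUA": ("X-Mailer", re.compile(r"^The Bat!"), 0.5),
}
URI_RULES = {
    "LOCAL_URI_RU": (re.compile(r"https?://.{1,40}\.ru\b"), 0.5),
    "LOCAL_URI_CHAT_RU": (re.compile(r"https?://.{1,40}\.chat\.ru\b"), 0.5),
}
# Equivalent SpamAssassin syntax for the combined rule:
#   meta  LOCAL_THEBAT_CHAT_RU (LOCAL_THEBAT_MUA && LOCAL_URI_CHAT_RU)
#   score LOCAL_THEBAT_CHAT_RU 3.0
META_RULES = {
    "LOCAL_THEBAT_CHAT_RU": (("LOCAL_THEBAT_MUA", "LOCAL_URI_CHAT_RU"), 3.0),
}

URI_RE = re.compile(r"https?://[^\s<>\"')]+", re.I)


def extract_uris(msg: Message) -> list:
    """Collect http(s) URIs from every text/* part, roughly as SA's uri rules see them."""
    uris = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "us-ascii"
        uris.extend(URI_RE.findall(payload.decode(charset, errors="replace")))
    return uris


def score_message(raw: str):
    """Evaluate header, uri and meta rules; return ({rule: score}, total)."""
    msg = message_from_string(raw)
    hits = {}
    for name, (header, pattern, score) in HEADER_RULES.items():
        # msg.get() returns the raw, still-encoded header value (SA's "Subject:raw")
        if pattern.search(msg.get(header, "")):
            hits[name] = score
    uris = extract_uris(msg)
    for name, (pattern, score) in URI_RULES.items():
        if any(pattern.search(u) for u in uris):
            hits[name] = score
    # A meta rule fires only when every sub-rule it names has already hit
    for name, (subrules, score) in META_RULES.items():
        if all(s in hits for s in subrules):
            hits[name] = score
    return hits, round(sum(hits.values()), 1)


# Constructed sample resembling the spam discussed: koi8-r subject, The Bat! MUA,
# a .chat.ru link in the body. Addresses and hostnames are invented.
SPAM_SAMPLE = """\
From: promo@example.net
To: user@example.org
Subject: =?koi8-r?B?8NLJ18XU?=
X-Mailer: The Bat! (v3.99.3)
Content-Type: text/plain; charset=koi8-r

See http://promo.chat.ru/offer for details.
"""

# Constructed ham of the kind Mike and Ned mention: an English technical
# newsletter from a Russian company, koi8-r subject, ordinary .ru link.
HAM_SAMPLE = """\
From: digest@example.ru
To: user@example.org
Subject: =?koi8-r?B?8NLJ18XU?=
X-Mailer: Newsletter-Sender 1.0
Content-Type: text/plain; charset=us-ascii

Weekly technical digest: read more at http://www.example.ru/digest
"""

if __name__ == "__main__":
    for label, sample in (("spam", SPAM_SAMPLE), ("ham", HAM_SAMPLE)):
        hits, total = score_message(sample)
        print(label, total, sorted(hits))
```

With these assumed scores the spam sample reaches 5.5 (the meta rule contributing 3.0) while the newsletter scores 1.5 from the charset and .ru rules alone, which is the point of combining the signals in a meta rule rather than scoring each one heavily.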

Russian spam

2009-01-14 Thread Francis Russell
Anyone know of any good rule-sets to block this sort of spam?

http://www.unchartedbackwaters.co.uk/files/russian_spam.txt

I find that Pyzor and Razor completely miss it as well as the DNS
blacklists (although I believe this one has a relay in one of the
Spamhaus ones now). I'm aware of the language whitelisting feature but
presumably there is a better way than just assuming everything in
language x is spam?

Francis


Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread SM

At 12:44 14-01-2009, Rob McEwen wrote:

No. This is just due to the fact that, unfortunately, some mail servers
and IPs (which send desired and solicited messages) are somewhat
incorrectly configured. It turns out that a distributor receiving
legitimate business e-mail from vendors & customers in such places as
Africa, South America, Asia... all over the place... is going to see a
disproportionately larger amount of messages sent from IPs which either:


Choosing a tool requires an understanding of what the tool can do and 
the task to be performed with it.  We don't have to go as far as 
South America to find incorrectly configured mail 
servers.  There's currently a user on this list running one that sends 
bounces to the wrong address.



This has nothing to do with Rasmus's tools.. other than the fact that (I
surmise) he is probably now forced, given that situation, back off of
his scoring of DNSBls and rely more on content filtering in comparison
to those whose e-mail is mostly US/Europe-based.


If there is nothing wrong with Rasmus' tools, then the Botnet plugin 
should work for him.  Now, if you are saying that the Botnet plugin 
should only be used for those of you who only receive mail from the 
US or Europe, I'll point out that it also causes false positives for 
that kind of mail traffic.  As you mentioned above, the problem is 
not really with the Botnet plugin if we understand that it does not detect botnets.


Regards,
-sm 



Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread mouss
Rob McEwen wrote:
> SM wrote:
>> "Botnet Plugin" sounds like a plugin that detects botnets ...  If
>> Rasmus is finding that many false positives, then he's using the wrong
>> tools.
> 
> No. This is just due to the fact that, unfortunately, some mail servers
> and IPs (which send desired and solicited messages) are somewhat
> incorrectly configured.

Even with the "somewhat" qualifier, I wouldn't say "incorrectly". There
is nothing incorrect in vms173003pub.verizon.net. it's an unfortunate
choice in these botnet days, but it's as correct as it could be.



> It turns out that a distributor receiving
> legitimate business e-mail from vendors & customers in such places as
> Africa, South America, Asia... all over the place... is going to see a
> disproportionately larger amount of messages sent from IPs which either:
> 
> (a) would not do so well with BotNet's analysis
> ...OR...
> (b) which are mixed sources of ham/spam... but simply don't have a high
> enough volume of "ham" to stay off all the blacklists... particularly
> some blacklists.
> 
> This has nothing to do with Rasmus's tools.. other than the fact that (I
> surmise) he is probably now forced, given that situation, back off of
> his scoring of DNSBls and rely more on content filtering in comparison
> to those whose e-mail is mostly US/Europe-based.
> 



Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Rudd
On Wed, Jan 14, 2009 at 13:06, Dave Pooser  wrote:
>> None of my friends are on
>> services that are that poorly configured
>
> No friends on Verizon? Their @#$% mail servers are 70% of my FPs.

Heh.  Guess not :-)


utf8

2009-01-14 Thread Bogun Dmitriy
Hello.

Is there any way to make the configuration option "normalize_charset"
work? As I understand it, it doesn't work because of broken utf8 support.
But without it, there is no way to use spamassassin normally for
non-English messages.

I do not like rules like this.
#body   LR_SEMINAR  /[[:blank:][:punct:]](((с|c)(е|e)(м|m)(и|u)(н|n|h)(а|a)(р|p))|((\xf1|\xd1|c)(\xe5|\xc5|e)(\xec|\xcc|m)(\xe8|\xc8|u)(\xed|\xcd|n)(\xe0|\xc0|a)(\xf0|\xd0|p))|((\xd3|\xf3|c)(\xc5|\xe5|e)(\xcd|\xed|m)(\xc9|\xe9|u)(\xce|\xee|n)(\xc1|\xe1|a)(\xd2|\xf2|p))|((\xe1|\x91|c)(\xa5|\x85|e)(\xac|\x8c|m)(\xa8|\x88|u)(\xad|\x8d|n)(\xa0|\x80|a)(\xe0|\x90|p))|((\xe1|\xc1|c)(\xd5|\xb5|e)(\xdc|\xbc|m)(\xd8|\xb8|u)(\xdd|\xbd|n)(\xd0|\xb0|a)(\xe0|\xc0|p)))[[:blank:][:punct:]]/i

PS:

# spamassassin --version
SpamAssassin version 3.2.5
  running on Perl version 5.8.8

OS: Gentoo linux.

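What normalize_charset would buy over a rule like the quoted LR_SEMINAR one, as an added example (not the poster's code and not SpamAssassin's implementation): the quoted rule spells out the word "семинар" once per single-byte Cyrillic codepage (its four byte alternations are cp1251, koi8-r, cp866 and iso-8859-5) plus Latin look-alike letters. Decoding the body with its declared charset into Unicode first lets one pattern cover all of them. The look-alike fold table, the function names and the sample sentences are assumptions made for this example.

```python
import re

# Single-byte Cyrillic codepages whose byte values the quoted LR_SEMINAR rule
# enumerates, in the order its alternations appear: cp1251, koi8-r, cp866, iso-8859-5.
CODEPAGES = ("cp1251", "koi8-r", "cp866", "iso-8859-5")

# Latin look-alikes the rule accepts in place of Cyrillic letters ("(с|c)", "(е|e)",
# "(и|u)", "(н|n|h)" ...); this fold table is an assumption built from that rule.
LOOKALIKES = str.maketrans({
    "c": "с", "e": "е", "m": "м", "u": "и", "n": "н", "h": "н", "a": "а", "p": "р",
})

# One Unicode pattern replaces the four byte-level alternatives of the quoted rule.
SEMINAR = re.compile(r"\bсеминар\b")


def byte_forms(word: str) -> dict:
    """Show why the byte-level rule is so long: the same word is a different byte string per codepage."""
    return {cp: word.encode(cp) for cp in CODEPAGES}


def normalize(body: bytes, charset: str) -> str:
    """What normalize_charset aims to do: decode the body with its declared
    charset so rules can be written once against Unicode text."""
    return body.decode(charset, errors="replace").casefold()


def matches_seminar(body: bytes, charset: str) -> bool:
    """Normalize, fold Latin look-alikes into Cyrillic, then match a single word."""
    return SEMINAR.search(normalize(body, charset).translate(LOOKALIKES)) is not None


# Constructed test bodies: the same Russian sentence in each codepage and in UTF-8.
SENTENCE = "Приглашаем на семинар!"
SAMPLES = {cp: SENTENCE.encode(cp) for cp in CODEPAGES + ("utf-8",)}
# Constructed: Latin c, e, u, a, p mixed into the Cyrillic word to dodge a naive rule
LOOKALIKE_SAMPLE = "Приглашаем на ceмuнap!".encode("utf-8")
# Constructed English body that must not match
ENGLISH_SAMPLE = b"Join our seminar on Thursday"

if __name__ == "__main__":
    for cp, body in byte_forms("семинар").items():
        print(f"{cp:11} {body.hex(' ')}")
    for cp, body in SAMPLES.items():
        print(cp, matches_seminar(body, cp))
    print("lookalike", matches_seminar(LOOKALIKE_SAMPLE, "utf-8"))
    print("english", matches_seminar(ENGLISH_SAMPLE, "ascii"))
```

The fold step is the Unicode equivalent of the rule's "(с|c)(е|e)..." alternations; it is applied after decoding, so a message whose Content-Type lies about its charset still decodes to the wrong letters, which is a limitation of any charset-driven normalization rather than of this example.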



Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Dave Pooser
> None of my friends are on
> services that are that poorly configured

No friends on Verizon? Their @#$% mail servers are 70% of my FPs.
-- 
Dave Pooser
Cat-Herder-in-Chief, Pooserville.com
"...Life is not a journey to the grave with the intention of arriving
safely in one pretty and well-preserved piece, but to slide across the
finish line broadside, thoroughly used up, worn out, leaking oil, and
shouting GERONIMO!!!" -- Bill McKenna




Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rob McEwen
SM wrote:
> "Botnet Plugin" sounds like a plugin that detects botnets ...  If
> Rasmus is finding that many false positives, then he's using the wrong
> tools.

No. This is just due to the fact that, unfortunately, some mail servers
and IPs (which send desired and solicited messages) are somewhat
incorrectly configured. It turns out that a distributor receiving
legitimate business e-mail from vendors & customers in such places as
Africa, South America, Asia... all over the place... is going to see a
disproportionately larger amount of messages sent from IPs which either:

(a) would not do so well with BotNet's analysis
...OR...
(b) which are mixed sources of ham/spam... but simply don't have a high
enough volume of "ham" to stay off all the blacklists... particularly
some blacklists.

This has nothing to do with Rasmus's tools.. other than the fact that (I
surmise) he is probably now forced, given that situation, back off of
his scoring of DNSBls and rely more on content filtering in comparison
to those whose e-mail is mostly US/Europe-based.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread SM

At 06:59 14-01-2009, Rob McEwen wrote:

Because Rasmus manages a mail server where B2B mail is routinely
sent/received _globally_, Rasmus is the king of finding FPs. I could be
wrong, but judging from previous reports about the Botnet Plugin, I
predict that Rasmus will either (a) find the Botnet Plugin utterly
unusable due to FPs, or (b) only be able to score it by a point or two
due to excessive FPs. (Rasmus--by all means--please don't take my word
for it--try it out and then let us know what happened!)


"Botnet Plugin" sounds like a plugin that detect botnets ...  If 
Rasmus is finding that many false positives, then he's using the wrong tools.


At 08:37 14-01-2009, Matt Garretson wrote:

Is there any way that a more distributed method of delivering
updates could be more resistant to DDOS attacks?  E.g.
trackerless bittorrents (DHT), or something along those lines?


Isn't that technology certified for illegal content only? :-)

Sanesecurity could have been better protected against DDOS 
attacks.  They are a ripe target.


Regards,
-sm 



Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Rudd
> -- Forwarded message --
> From: "Bret Miller" 
> To: "John Rudd" 
> Date: Tue, 21 Aug 2007 13:08:06 -0700
> Subject: RE: BOTNET Exceptions for Today
>> Bret Miller wrote:

> Maybe these aren't false positives because botnet is identifying them for
> what they are-- badly configured. But to give a rule like botnet a default
> score that's high enough to consider the messages spam all on its own causes
> users to think we have a bad spam filtering program.
>
> When I see on the list that many people run botnet with ZERO false
> positives, I have to ask myself, "how? And why is our setup here so
> different?" Perhaps they already block email with invalid rdns at the MTA
> level, so none of this ever gets looked at. Perhaps their users just give up
> when they don't get email that they expect and use a free email account
> instead for that email. I don't know, but botnet hits a significant amount
> of legitimate email here, regardless of how badly configured the sending
> servers are.
>
> I just don't have the option of telling our president's assistant that "we
> can't accept email from your husband because the IT department at the City
> of Pasadena won't fix their DNS issues for their email server." That's just
> not acceptable in a corporate environment, even if she had a clue what the
> statement meant besides that I was refusing to do what she wants. The
> majority of these badly configured servers won't ever get fixed unless
> someone that matters to them stands up and tells them they need to fix it. I
> do that when I can, but most of the time I just don't matter enough to get
> it done.

That's why you can exempt some senders.  You don't have to force the
City of Pasadena to fix their mail servers.  You can simply find out
what their mail servers are, through various means, and give them some
form of exemption/whitelisting.  I did that for our chancellor's wife,
for example :-)  I've also done it for a few of our vendors where it
couldn't be fixed (the funniest example being where the marketing guy
had been complaining to IT about it long before I even wrote Botnet,
and the IT guys just refused to fix it... funny because the marketing
guy was more clueful about best practices than the person whose job it
was to actually pay attention to those best practices).

That's at work.  We get vanishingly few FP's at work (millions of
messages per week, less than 100 tickets about it in 3-4 years (I
think less than 30 tickets about it)).

At home, I'm just a bastard about it.  None of my friends are on
services that are that poorly configured (so no need to whitelist
anyone that I _would_ give a whitelist entry to).  I'm not interested
in anyone else's half baked excuses about why they haven't fixed it
before, nor why they won't fix it in the future, so that group wouldn't
get a whitelist entry even if they asked for it.

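The check behind the "invalid rdns" hits Bret describes, together with the per-sender exemption John recommends, as an added example (not the Botnet plugin's code). The Miller/Rudd exchange attached later on this page defines the "baddns" result as a lack of full-circle DNS: the PTR name of the sending IP must itself resolve back to that IP. The resolver tables below are constructed so the example runs offline; the three real hostnames and addresses in them are the ones quoted in that 2007 exchange, the 192.0.2.x entries, the exempt network, the status labels other than "baddns" and the 2.0 penalty are assumptions.

```python
import ipaddress

# Constructed resolver tables standing in for live PTR and A lookups. The three
# real hostnames/addresses are those quoted in the Miller/Rudd exchange attached
# later on this page (2007 data); the 192.0.2.x entries are constructed.
PTR_RECORDS = {
    "204.92.135.90": "smtp22.enews.webbuyersguide.com",
    "75.126.51.99": "www2mail.wordreference.com",
    "69.94.122.246": "server.nch.com.au",
    "192.0.2.25": "mail.example.org",
}
A_RECORDS = {
    "smtp22.enews.webbuyersguide.com": [],             # PTR name does not resolve at all
    "www2mail.wordreference.com": ["75.126.29.11"],    # resolves, but to another IP
    "server.nch.com.au": ["69.94.122.247"],            # off by one from the sending IP
    "mail.example.org": ["192.0.2.25"],                # full circle: A record equals sender IP
}


def fcrdns_status(ip: str, ptr=PTR_RECORDS, a=A_RECORDS) -> str:
    """Full-circle reverse DNS check: the PTR name must exist and must resolve
    back to the sending IP. 'baddns' is the page's term; 'no_ptr' and 'ok' are
    labels chosen for this example."""
    name = ptr.get(ip)
    if name is None:
        return "no_ptr"
    if ip not in a.get(name, []):
        return "baddns"
    return "ok"


# Constructed exemption list: the kind of per-sender whitelist John describes for
# a correspondent whose operator will not fix its DNS.
EXEMPT_NETWORKS = [ipaddress.ip_network("192.0.2.96/27")]


def botnet_style_verdict(ip: str, exempt=EXEMPT_NETWORKS, penalty: float = 2.0):
    """Return (status, score_to_add). Exempt networks are never scored; the
    penalty value is an assumption (kept below threshold, as the thread advises)."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in exempt):
        return "exempt", 0.0
    status = fcrdns_status(ip)
    return status, (0.0 if status == "ok" else penalty)


if __name__ == "__main__":
    for ip in ("204.92.135.90", "75.126.51.99", "69.94.122.246", "192.0.2.25", "192.0.2.99"):
        print(ip, botnet_style_verdict(ip))
```

Running it shows that all three quoted hosts come out as "baddns" for different reasons (no A record at all, an A record for a different address, an address one off from the sender), which is why the test is a useful heuristic for compromised hosts and also why it flags legitimate but misconfigured mail servers; the exemption list is what keeps the latter from becoming tickets.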

Re: Spamd skipping tests

2009-01-14 Thread jberliner


Kai Schaetzl wrote:
> 
> Jberliner wrote on Tue, 13 Jan 2009 17:16:20 -0800 (PST):
> 
>> spamassassin -D --lint
> 
> did you check if the same happens when you run those messages thru 
> "spamassassin -D" and thru spamc?
> 
> 

Yes, I had already sent the message(s) to spamassassin -D and got the same
results. 

I did not try passing them to spamc, though when I do now, it seems to
replicate the problem. 

#spamc -c < untagged-spam-msg
0.0/4.3

#spamc -r < untagged-spam-msg
(no output)

# spamc -y < untagged-spam-msg
(no output)

Note that when I pass hams to spamc, they seem to always trigger the rules. 

A couple of things about the non-tagged messages: they usually feature a
spoofed sender address identical to the recipient, but not always: so, e.g.
From:  To: m...@mydomain.com. And, in looking at the message
headers, a few things are consistently different about the bad messages. I
don't know if this is because SA or qmail-scanner rewrite the headers or
what...

- they are missing a "Date:" header
- The order of the last few header lines is somewhat different  
- and of course X-Spam-Report always returns the symbol _SUMMARY_ instead of
any tests processed. 
- the number of SA hits is always reported as 0.0, which should be a very
rare occurrence given the custom rules I've added to help troubleshoot.

Thanks for any further insights or suggestions. 

-- 
View this message in context: 
http://www.nabble.com/Spamd-skipping-tests-tp21448225p21463477.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Paul Griffith

On Wed, 14 Jan 2009 09:23:51 -0500, John Rudd  wrote:


How's it working for you, so far?


On Wed, Jan 14, 2009 at 06:12, Paul Griffith  wrote:

On Tue, 13 Jan 2009 05:28:42 -0500, si  wrote:


Guys,

I'm sure you're as sad as I am re- temporary suspension of the brilliant
services offered by Steve Basford and his helpers at Sane Security. In a sick
kind of way, the 'bad guys' are acknowledging the work these guys have done
by DOSing them, but that doesn't help much with the daily grind.

I appreciate that great progress is being made re- getting the service back
online again, but in the mean time was wondering ... has anyone found
anything as effective as a temporary replacement or enhancement?

Thanks

Mup.



After a loud outcry from our users from the increasing level of spam in
their inboxes, I installed the Botnet Plugin.

Thanks
Paul



I have seen one FP, but the spam level has gone down. We have been running  
the Botnet plugin for less than 24 hours.


Thanks
Paul

BTW: I eagerly await the return of Sane Security.


Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Benny Pedersen

On Wed, January 14, 2009 17:33, John Hardin wrote:

> Is there any other distributed content distribution system they
> could use for free this way?

bittorrent ?

(micro$oft have problems delivering windows 7 betas from their
network, opensource problems ?) :=)

-- 
Benny Pedersen
Need more webspace ? http://www.servage.net/?coupon=cust37098



Re: more habeas spam

2009-01-14 Thread Greg Troxel

Neil Schwartzman  writes:

> As to the complaint submission issues noted here are concerned, the best
> point of contact moving forward for SA users would be
> sa-ab...@senderscorecertified.com (please don't use my personal address as I
> travel frequently, and our Standards team see stuff sent to this alias in
> our ticketing queue). Please be sure to make note of the issue being
> Safelist or Sender Score Certified, preferably in the subject line.

If your company is serious about addressing complaints, then please make
it easier.  Specifically:

  On the home page for returnpath (which www.habeas.com redirects to)
  add an obvious link explaining how to submit spam complaints by email.
  The current top of the page has "I'm a [bulk mailer|ESP|ISP]" and
  "someone who has been spammed by one of our customers" is notably
  missing.

  The "contact us" page is a sales form - with no useful contact
  information for victims of your certifications.

  Spam I got from someone you certified (ADRevolution LLC) listed
  http://www.habeas.com/report/ for reporting abuse, but that's a web
  form with no email address for forwarding the spam.  It is not
  reasonable to ask people to fill out a web form.

  I forwarded the ADRevolution spam to safel...@returnpath.net and
  complai...@habeas.com on December 6 and still have heard nothing.  I
  notice that the accreditation level has been dropped from COI to SOI
  (where it remains today) but that's not good enough.

  The safelisted sender feedback page mentions "our rigorous SafeList
  standards", but there is no obvious link to those standards.




Re: Spamd skipping tests

2009-01-14 Thread Kai Schaetzl
Jberliner wrote on Tue, 13 Jan 2009 17:16:20 -0800 (PST):

> spamassassin -D --lint

did you check if the same happens when you run those messages thru 
"spamassassin -D" and thru spamc?

Kai

-- 
Kai Schätzl, Berlin, Germany
Get your web at Conactive Internet Services: http://www.conactive.com





Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Matt Garretson
Is there any way that a more distributed method of delivering
updates could be more resistant to DDOS attacks?  E.g.
trackerless bittorrents (DHT), or something along those lines?

Just wondering in general


Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Hardin

On Wed, 14 Jan 2009, Rob McEwen wrote:


QUESTIONS:

Is SaneSecurity still collecting data and generating the rulesets? (but
just not able to distribute them)


I was wondering that myself, and was also wondering whether there was a 
way to leverage the Coral cache system to avoid DDoS - for example, 
publish a coralified URI to retrieve the rulesets, and put a firewall rule 
on the core SaneSecurity webserver hosting the rulesets that only passes 
traffic from the Coral servers.


Is there any other distributed content distribution system they could use 
for free this way?


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
 An operating system design that requires a system reboot in order to
 install a document viewing utility does not earn my respect.
---
 3 days until Benjamin Franklin's 303rd Birthday


Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Sanesecurity


si-12 wrote:
> 
> I appreciate that great progress is being made re- getting the service back
> online again, but in the mean time was wondering ... has anyone found
> anything as effective as a temporary replacement or enhancement?
One rsync server is already up and running and is currently being tested,
with another being added soon, to test round-robin-dns setup.. just need a
little more time :)

As for ClamAV's freshclam... there were (from what I can remember) plans to
have Third-Party signatures, updated via freshclam and using their official
distribution mirrors.   Obviously, this would take time to setup.. and may
have issues for how Third-Party signatures are generated.

So, in the mean time... a few round-robin rsync mirrors, IPTable blocks on
IPs that have downloaded too much.. is the way it's looking short-term.

For those that haven't already... hop over to sanesecurity.co.uk and sign up
to the list... 

Cheers and thanks for all the positive comments,

Steve
Sanesecurity
-- 
View this message in context: 
http://www.nabble.com/Temporary-%27Replacements%27-for-SaneSecurity-tp21444618p21459579.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: more habeas spam

2009-01-14 Thread Neil Schwartzman
On 2009-01-06 22:19:39 GMT LuKreme  kreme.com> wrote:
 
> If you want the real history of Habeas in a nutshell, the company went
> to hell when Anne Mitchell left (the same Anne Mitchell who was part
> of MAPS back in the day).  She's now at the Institute for Spam and
> Internet Public Policy . What habeas
> became after she left was something quite different from what it had
> been under her stewardship.

Hi there.
 
I was there too! (Habeas employee #3).
 
Habeas is no more, we (Return Path) bought them last August.
http://www.returnpath.net/blog/2008/08/return-path-to-acquire-habeas.php
 
To address a couple of issues raised here ...
 
We have only just begun doing compliance work on Safelist. SA scoring is, of
course, your server, your SpamAssassin rules. I can't speak to what went on
in the past but it is a new day for Habeas clients. We will be applying
programme standards compliance in the same firm, even-handed manner as we do
Sender Score Certified.
 
If you are presently dissatisfied with the standardized scoring and have
re-weighted, please consider keeping an eye on our performance via the QA
tests Justin made note of, and your own views.
 
As to the complaint submission issues noted here are concerned, the best
point of contact moving forward for SA users would be
sa-ab...@senderscorecertified.com (please don't use my personal address as I
travel frequently, and our Standards team see stuff sent to this alias in
our ticketing queue). Please be sure to make note of the issue being
Safelist or Sender Score Certified, preferably in the subject line.
 
We acknowledge that there may be some suboptimal hotspots, and we welcome
any data points you can provide. I do want to let you know that given the
immense amount of work ahead of us, (we are working towards systems
integration which is a non-trivial task, along with getting up to speed on
existing clients and issues), responses and actions taken may require a
longer turn-around time than is our intended end-point.
 
What I can say is that we have a proven track-record (BondedSender -> Sender
Score Certified) and so your patience and help during this transition period
is much appreciated.

-- 
Neil Schwartzman
Director, Accreditation Standards & Security
Sender Score Certified | Sender Score Safelist
Return Path Inc.
0142002038




RE: Spamd skipping tests

2009-01-14 Thread jberliner


RobertH-2 wrote:
> 
> 
> basically it all depends on the qmail-scanner config and it can be semi
> complex and may not be correct in terms of if you reject over certain
> score
> or if you have other scanning functions happening before calling SA, like
> clamav etc etc
> 
> also, the message could be too big and bypassed, and that is controlled in
> more than one place if i remember right.
> 
> we disable clamav in qmail-scanner and use the clamav plugin, yet we also
> reject at or above a certain score in the smtp session too.
> 
> we do not use the newest qmail-scanner either, and the one we use is the
> special patched one, ummm 1.25-st or something like that
> 

Well, the thing is that this is happening at a lower level than
qmail-scanner--specifically, spamd. QMail-scanner takes the SpamAssassin
score and then decides what to do with it. But the spamd logs show how
certain messages are just skipped from evaluation altogether (as if there
were no rules in SA at all) and given a clean score. They are not deleted or
rejected; and that logic comes later, from Q-S anyway.

With debugging on, spamd also reports a fair number of "sysread() not ready"
messages, and lots of chatter about what's happening with child processes,
but I take it this is all fairly normal. And these appear before and after
messages are scanned, not during.
 
-- 
View this message in context: 
http://www.nabble.com/Spamd-skipping-tests-tp21448225p21458936.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rob McEwen
Rob McEwen wrote:
> And I think it is
> probably better used as a scoring list instead of a blocking list.
>   

oops. I meant "probably better scored below threshold", since, of
course, BotNet isn't a "list".

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rob McEwen
John Rudd wrote:
> Botnet isn't a DNSBL...
>   

I never said it was a DNSBL.

But it definitely has a particular focus on the sending IP, and that
sending IP's rDNS. Therefore, for all practical purposes, it is trying
to do the job of a DNSBL. As I recall, the discussion about BotNet's
development centered around blocking spam based on the sending IP...
where that IP didn't have time to get into the DNSBLs.

You might argue that a DNSBL could never replace the BotNet Plugin
because the BotNet Plugin will always catch at least some spam that
hasn't had time to get into a DNSBL. Fair argument--except that this
argument is greatly diminished if/when there are high-quality/low-FP
DNSBLs which are fast reacting/updating/distributing. Especially since
DNSBLs "scale" much better than the BotNet Plugin... and especially
if/when such DNSBLS have lower FPs than the BotNet Plugin.

I did a quick cursory search of discussions about BotNet Plugin FPs. See
attached for an example post I quickly grabbed after searching just a
few seconds.

NOTE: I'm NOT saying that the BotNet Plugin is bad or shouldn't be used.
I just don't see it as a SaneSecurity replacement. And I think it is
probably better used as a scoring list instead of a blocking list.

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032


--- Begin Message ---
> Bret Miller wrote:
> 
> > Enews.webbuyersguide.com (part of Ziff-Davis Media), sent from IP
> > 204.92.135.90, resolves to smtp22.enews.webbuyersguide.com #not sure why
> > this got a BOTNET=1 flag, but it did. Also find hosts 92, 75, 70, 74, 93,
> > 86, and others. All similarly resolve to smtpnn.enews.webbuyersguide.com.
> 
> baddns.  baddns means lack of full circle DNS.  In this case, the name
> returned by the PTR record (smtp22.enews.webbuyersguide.com) does not
> resolve at all ... let alone not resolving back to the sending IP address.
> 
> 
> > meridiencancun.com.mx, sent from IP , resolves to
> > customer-148-233-9-212.uninet-ide.com.mx #more stupidity
> > 
> > Wordreference.com (WordReference Forums), sent from IP 75.126.51.99,
> > resolves to www2mail.wordreference.com, again no idea why it gets flagged.
> 
> # nslookup www2mail.wordreference.com
> 
> Non-authoritative answer:
> Name:   www2mail.wordreference.com
> Address: 75.126.29.11
> 
> baddns.
> 
> 
> > AltoEdge Hardware, sent from IP 69.94.122.246, resolves to
> > server.nch.com.au, another no idea why BOTNET=1, but it does. Just out of
> > curiosity, I ran this through again with debug enabled so I could get more
> > details. Here's what it says:
> > 
> > [2472] dbg: Botnet: starting
> > [2472] dbg: Botnet: no trusted relays
> > [2472] dbg: Botnet: get_relay didn't find RDNS
> > [2472] dbg: Botnet: IP is '69.94.122.246'
> > [2472] dbg: Botnet: RDNS is 'server.nch.com.au'
> > [2472] dbg: Botnet: HELO is 'server.nch.com.au'
> > [2472] dbg: Botnet: sender 'adm...@server.nch.com.au'
> > [2472] dbg: Botnet: hit (baddns)
> > [2472] dbg: rules: ran eval rule BOTNET ==> got hit (1)
> > 
> > I'm not sure what it means. The IP resolves to server.nch.com.au and it
> > resolves to the IP. Not sure what is "bad" about dns here. I'm also not sure
> > what headers botnet looks at. The top Received header is ours and the others
> > are all internal to the sender.
> 
> # nslookup server.nch.com.au
> 
> Non-authoritative answer:
> Name:   server.nch.com.au
> Address: 69.94.122.247
> 
> So, server.nch.com.au's name does not resolve back to the sending IP 
> address, thus baddns.


OK... I guess I didn't check closely enough. But the point is still that
users expect these emails and complain if they don't receive them. Today's
list were mostly just top offenders, and it's going to take me time to make
exceptions for all the servers we receive email from that are badly
configured dns-wise.

Maybe these aren't false positives because botnet is identifying them for
what they are-- badly configured. But to give a rule like botnet a default
score that's high enough to consider the messages spam all on its own causes
users to think we have a bad spam filtering program.

When I see on the list that many people run botnet with ZERO false
positives, I have to ask myself, "how? And why is our setup here so
different?" Perhaps they already block email with invalid rdns at the MTA
level, so none of this ever gets looked at. Perhaps their users just give up
when they don't get email that they expect and use a free email account
instead for that email. I don't know, but botnet hits a significant amount
of legitimate email here, regardless of how badly configured the sending
servers are.

I just don't have the option of telling our president's assistant that "we
can't accept email from your husband because the IT department at the City
of Pasadena won't fix their DNS issues for their email server." That's just
not acceptable in a corporate environment, even if she had a clue what the
statement m
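The "baddns" condition the quoted exchange walks through (a PTR name that does not resolve at all, or resolves to an address other than the sending IP) as a small forward-confirmed reverse DNS checker. This is an added example, not the Botnet plugin's own code; its lookup tables are constructed from the nslookup output quoted above (the 192.0.2.x entries are constructed test addresses), and the scoring and exemption handling is an assumption that models the "score, don't block" argument in the thread.

```python
import socket

# Constructed tables mirroring the nslookup output quoted above (a live run passes the socket resolvers).
PTR_RECORDS = {
    "69.94.122.246": "server.nch.com.au",                # resolves to another IP
    "204.92.135.90": "smtp22.enews.webbuyersguide.com",  # no A record at all
    "75.126.51.99": "www2mail.wordreference.com",        # resolves to another IP
    "192.0.2.10": None,                                  # constructed: no PTR
    "192.0.2.25": "mail.example.com",                    # constructed: full circle
}
A_RECORDS = {
    "server.nch.com.au": ["69.94.122.247"],
    "www2mail.wordreference.com": ["75.126.29.11"],
    "mail.example.com": ["192.0.2.25"],
}

def system_ptr(ip):
    """Live PTR lookup; None when the IP has no reverse record."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_a(name):
    """Live forward lookup; empty list when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def fcrdns_status(ip, ptr_lookup=PTR_RECORDS.get,
                  a_lookup=lambda n: A_RECORDS.get(n, [])):
    """Forward-confirmed reverse DNS: the PTR name must resolve back to ip.
    Both 'baddns' outcomes are the failure the quoted message describes."""
    name = ptr_lookup(ip)
    if name is None:
        return "nordns"               # no PTR record at all
    forward = a_lookup(name)
    if not forward:
        return "baddns:unresolvable"  # webbuyersguide case: name has no A record
    if ip not in forward:
        return "baddns:mismatch"      # nch.com.au case: .247 returned for .246
    return "ok"

def baddns_score(ip, exempt=frozenset(), hit_score=1.0, **lookups):
    """Score instead of block, and exempt wanted senders with broken DNS
    (the trade-off argued in the thread); the 1.0 default is assumed."""
    if ip in exempt:
        return 0.0
    return hit_score if fcrdns_status(ip, **lookups).startswith("baddns") else 0.0
```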

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Daniel J McDonald

On Wed, 2009-01-14 at 09:59 -0500, Rob McEwen wrote:
> Rasmus Haslund wrote:
> >> After a loud outcry from our users from the increasing level of spam in
> >> their inboxes, I installed the Botnet Plugin.
> >> 
> > Is this something that can be used with the SA in Icewarp Merak?
> >   
> 
> Because Rasmus manages a mail server where B2B mail is routinely
> sent/received _globally_, Rasmus is the king of finding FPs. I could be
> wrong, but judging from previous reports about the Botnet Plugin, I
> predict that Rasmus will either (a) find the Botnet Plugin utterly
> unusable due to FPs, or (b) only be able to score it by a point or two
> due to excessive FPs. (Rasmus--by all means--please don't take my word
> for it--try it out and then let us know what happened!)

I too found botnet to be a great source of FP.  By combining it with p0f
it's moderately useful.

But sanesecurity would be more useful...  a pity we can't replicate the
incremental updates that the official clamav project uses.  I seem to
recall that they had problems scaling until they went to that process.



-- 
Dan McDonald, CCIE #2495, CISSP# 78281, CNX
www.austinenergy.com


Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Rudd
On Wed, Jan 14, 2009 at 06:59, Rob McEwen  wrote:

> Regarding using the Botnet Plugin as a replacement for SaneSecurity... I
> found that the _best_ part about SaneSecurity was its assistance with
> catching spam that could NOT ever be caught using _any_ kind of DNSBL.

Botnet isn't a DNSBL...


Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rob McEwen
Rasmus Haslund wrote:
>> After a loud outcry from our users from the increasing level of spam in
>> their inboxes, I installed the Botnet Plugin.
>> 
> Is this something that can be used with the SA in Icewarp Merak?
>   

Because Rasmus manages a mail server where B2B mail is routinely
sent/received _globally_, Rasmus is the king of finding FPs. I could be
wrong, but judging from previous reports about the Botnet Plugin, I
predict that Rasmus will either (a) find the Botnet Plugin utterly
unusable due to FPs, or (b) only be able to score it by a point or two
due to excessive FPs. (Rasmus--by all means--please don't take my word
for it--try it out and then let us know what happened!)

Regarding using the Botnet Plugin as a replacement for SaneSecurity... I
found that the _best_ part about SaneSecurity was its assistance with
catching spam that could NOT ever be caught using _any_ kind of DNSBL.
For example, "419" scam spams sent from the large freemail providers
where the message cannot possibly be blocked because of being sent from
an IP that sends large amounts of legit mail and because there is simply
no domain in the body of the message for surbl/uribl/ivmURI to grab
onto. THAT was the best part about SaneSecurity, imo.

Therefore, if someone is missing SaneSecurity, I'd suggest first making
sure they have Sought Rules installed and frequently updating--if not
already running.

QUESTIONS:

Is SaneSecurity still collecting data and generating the rulesets? (but
just not able to distribute them)

Is there any end in sight for the DDOS?

Has anyone tried to mitigate their DDOS? (There is a super-secret list
out there consisting of professionals who work for all the largest ISPs
and security vendors. They have ways to help mitigate these things. They
look for IPs conducting the DDOS, on each of their own networks, and
they simply shut those IPs down at the access point.)

-- 
Rob McEwen
http://dnsbl.invaluement.com/
r...@invaluement.com
+1 (478) 475-9032




Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread si
We're already using the BotNet plugin, and it really helps. One or two FPs from 
time-to-time, but nothing we can't live with. We turned score down in steps to 
3.0, in stages, and that seems to be just about right.

FYI - also use DCC, Razor, a relatively well trained bayes database and 
'standard' blacklists.

We front-end SA with smf-zombie and smf-greylist milters, and that actually 
catches most crud before it gets anywhere near SA.

Finally, we wrap everything up with MimeDefang, which deals with all the stuff 
SA, Clam, and the milters can't cope with.

We're still in pretty good shape, but we certainly notice that the Sane 
Security stuff isn't there any more.

Mup.

--- On Wed, 14/1/09, John Rudd  wrote:

From: John Rudd 
Subject: Re: Temporary 'Replacements' for SaneSecurity
To: "Paul Griffith" 
Cc: g_b...@yahoo.co.uk, users@spamassassin.apache.org
Date: Wednesday, 14 January, 2009, 2:23 PM

How's it working for you, so far?


On Wed, Jan 14, 2009 at 06:12, Paul Griffith  wrote:
> On Tue, 13 Jan 2009 05:28:42 -0500, si  wrote:
>
>> Guys,
>>
>> I'm sure you're as sad as I am re- temporary suspension of the brilliant
>> services offered by Steve Basford and his helpers at Sane Security. In a sick
>> kind of way, the 'bad guys' are acknowledging the work these guys have done
>> by DOSing them, but that doesn't help much with the daily grind.
>>
>> I appreciate that great progress is being made re- getting the service back
>> online again, but in the mean time was wondering ... has anyone found
>> anything as effective as a temporary replacement or enhancement?
>>
>> Thanks
>>
>> Mup.
>>
>
> After a loud outcry from our users from the increasing level of spam in
> their inboxes, I installed the Botnet Plugin.
>
> Thanks
> Paul
>



  

Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread John Rudd
How's it working for you, so far?


On Wed, Jan 14, 2009 at 06:12, Paul Griffith  wrote:
> On Tue, 13 Jan 2009 05:28:42 -0500, si  wrote:
>
>> Guys,
>>
>> I'm sure you're as sad as I am re- temporary suspension of the brilliant
>> services offered by Steve Basford and his helpers at Sane Security. In a sick
>> kind of way, the 'bad guys' are acknowledging the work these guys have done
>> by DOSing them, but that doesn't help much with the daily grind.
>>
>> I appreciate that great progress is being made re- getting the service back
>> online again, but in the mean time was wondering ... has anyone found
>> anything as effective as a temporary replacement or enhancement?
>>
>> Thanks
>>
>> Mup.
>>
>
> After a loud outcry from our users from the increasing level of spam in
> their inboxes, I installed the Botnet Plugin.
>
> Thanks
> Paul
>


RE: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Rasmus Haslund
> After a loud outcry from our users from the increasing level of spam in
> their inboxes, I installed the Botnet Plugin.

Is this something that can be used with the SA in Icewarp Merak?

NOWACO A/S
Rasmus Haslund


Re: Temporary 'Replacements' for SaneSecurity

2009-01-14 Thread Paul Griffith

On Tue, 13 Jan 2009 05:28:42 -0500, si  wrote:

> Guys,
>
> I'm sure you're as sad as I am re- temporary suspension of the brilliant
> services offered by Steve Basford and his helpers at Sane Security. In a
> sick kind of way, the 'bad guys' are acknowledging the work these guys
> have done by DOSing them, but that doesn't help much with the daily
> grind.
>
> I appreciate that great progress is being made re- getting the service
> back online again, but in the mean time was wondering ... has anyone
> found anything as effective as a temporary replacement or enhancement?
>
> Thanks
>
> Mup.

After a loud outcry from our users from the increasing level of spam in
their inboxes, I installed the Botnet Plugin.


Thanks
Paul