Re: Flooded by a SPAM always containing the same picture
Martin Gregorie wrote:
> On Wed, 2009-05-06 at 02:08 +0100, Ned Slider wrote:
>> I had one sneak through today which didn't hit any rules at all (it hits a few DNSBLs now but not when I received it). It contained an inline png:
>>
>> Content-Type: image/png
>> Content-Transfer-Encoding: base64
>> Content-Disposition: inline
>>
>> here's the full message:
>>
>> http://pastebin.com/m608defa5
>>
>> Any idea how to tackle these? I have the DSC png rule in place but obviously that doesn't apply to this example.
>>
>> Perhaps I need a rule for "Content-Type: image/png" too?
>
> This works for me:
>
> describe MG_NONAME Image with no filename
> mimeheader __MG_NON1 Content-Type =~ /image\/(png|gif)/i
> mimeheader __MG_NON2 Content-Type !~ /name\=/i
> meta MG_NONAME (__MG_NON1 && __MG_NON2)
> score MG_NONAME 1.5
>
> If you want a more bullet-proof rule, don't overlook the two sex terms in the subject line: write a rule that fires on that sort of stuff in the subject and combine it with the two image rules in a meta that looks something like this:
>
> meta IMAGE_SPAM ( SEX_SUBJECT && ( MG_NONAME || FAKE_PHOTO ))
>
> where FAKE_PHOTO represents your DSCnnn.png detection rule.
>
> Martin

Thanks everyone :)

Here's what I have to test with so far using a combination of the suggestions:

# image has no name
mimeheader __LOCAL_IMAGE_NONAME Content-Type !~ /name\=/

meta LOCAL_IMAGE_SPAM ((__HTML_IMG_ONLY || __DC_IMG_HTML_RATIO || __DC_IMG_TEXT_RATIO || __LOCAL_IMAGE_NONAME) && (__PNG_ATTACH_1 || __GIF_ATTACH_1))

which might be a little aggressive but should hopefully hit on most variants of these for the time being.

This particular example hits on __DC_IMG_TEXT_RATIO, __LOCAL_IMAGE_NONAME and __PNG_ATTACH_1 triggering the meta rule.
RE: Flooded by a SPAM always containing the same picture
From: Ned Slider [mailto:n...@unixmail.co.uk]
>McDonald, Dan wrote:
>> From: Ned Slider [mailto:n...@unixmail.co.uk]
>>
>>> I had one sneak through today which didn't hit any rules at all (it hits
>>> a few DNSBLs now but not when I received it). It contained an inline png:
>>
>> meta AE_PNG_ATTACH __PNG_ATTACH_1 && __BOTNET_CLIENT
>> describe AE_PNG_ATTACH Attempt to catch image spam
>> score AE_PNG_ATTACH 2

>I'm wondering if a meta of __HTML_IMG_ONLY && __PNG_ATTACH_1 might work.

Nope. It's not an HTML body, so __HTML_IMG_ONLY doesn't hit.

--
Dan McDonald CCIE #2495, CISSP #78281, CNX
Re: Flooded by a SPAM always containing the same picture
On Wed, 2009-05-06 at 02:08 +0100, Ned Slider wrote:
> I had one sneak through today which didn't hit any rules at all (it hits
> a few DNSBLs now but not when I received it). It contained an inline png:
>
> Content-Type: image/png
> Content-Transfer-Encoding: base64
> Content-Disposition: inline
>
> here's the full message:
>
> http://pastebin.com/m608defa5
>
> Any idea how to tackle these? I have the DSC png rule in place but
> obviously that doesn't apply to this example.
>
> Perhaps I need a rule for "Content-Type: image/png" too?
>
This works for me:

describe MG_NONAME Image with no filename
mimeheader __MG_NON1 Content-Type =~ /image\/(png|gif)/i
mimeheader __MG_NON2 Content-Type !~ /name\=/i
meta MG_NONAME (__MG_NON1 && __MG_NON2)
score MG_NONAME 1.5

If you want a more bullet-proof rule, don't overlook the two sex terms in the subject line: write a rule that fires on that sort of stuff in the subject and combine it with the two image rules in a meta that looks something like this:

meta IMAGE_SPAM ( SEX_SUBJECT && ( MG_NONAME || FAKE_PHOTO ))

where FAKE_PHOTO represents your DSCnnn.png detection rule.

Martin
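An added example, not code from the thread: a Python model of what the MG_NONAME rules test, run over three constructed messages. It assumes each mimeheader sub-rule fires when any one MIME part satisfies it, so the meta can combine hits from different parts; the second function (a hypothetical stricter variant) requires both conditions on the same part.

```python
import re
from email import message_from_string

IMAGE_RE = re.compile(r"image/(png|gif)", re.I)  # pattern of __MG_NON1
NAME_RE = re.compile(r"name=", re.I)             # pattern negated by __MG_NON2

# Constructed sample shaped like the spam in the thread: one unnamed inline PNG.
UNNAMED_INLINE_PNG = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgo=
"""

# Constructed ordinary mail: a text part plus a PNG that does carry a name.
NAMED_ATTACHMENT = """\
From: sender@example.invalid
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Photo attached.
--b1
Content-Type: image/png; name="holiday.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed text-only mail.
PLAIN_TEXT = """\
From: sender@example.invalid
Subject: constructed sample
Content-Type: text/plain

Hello.
"""


def content_types(raw):
    """Return the Content-Type header of every MIME part that has one."""
    msg = message_from_string(raw)
    return [part["Content-Type"] for part in msg.walk() if part["Content-Type"]]


def meta_any_part(raw):
    """MG_NONAME as written: two sub-rules evaluated independently, then ANDed.

    Assumption: a sub-rule hits if any part's header satisfies it.
    """
    cts = content_types(raw)
    non1 = any(IMAGE_RE.search(ct) for ct in cts)     # some part is png/gif
    non2 = any(not NAME_RE.search(ct) for ct in cts)  # some part lacks name=
    return non1 and non2


def same_part(raw):
    """Stricter check: one part is both a png/gif image and has no name=."""
    return any(IMAGE_RE.search(ct) and not NAME_RE.search(ct)
               for ct in content_types(raw))


if __name__ == "__main__":
    samples = [("unnamed inline png", UNNAMED_INLINE_PNG),
               ("text + named png", NAMED_ATTACHMENT),
               ("plain text", PLAIN_TEXT)]
    for label, raw in samples:
        print(f"{label:20} meta={meta_any_part(raw)} same_part={same_part(raw)}")
```

Under that assumption the named-attachment message also satisfies the meta, because its text part has no name= parameter, which is one reason to keep the score low or combine it with other rules as the post suggests.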
Re: Flooded by a SPAM always containing the same picture
McDonald, Dan wrote:
> From: Ned Slider [mailto:n...@unixmail.co.uk]
>> I had one sneak through today which didn't hit any rules at all (it hits a few DNSBLs now but not when I received it). It contained an inline png:
>>
>> Any idea how to tackle these? I have the DSC png rule in place but obviously that doesn't apply to this example.
>
> Here's what I'm using. It does rely on the BOTNET plugin, but I only use BOTNET in meta rules anyway, so this is a perfect use for it. This rule caught about 700 of them yesterday.
>
> meta AE_PNG_ATTACH __PNG_ATTACH_1 && __BOTNET_CLIENT
> describe AE_PNG_ATTACH Attempt to catch image spam
> score AE_PNG_ATTACH 2
>
> --
> Dan McDonald, CCIE # 2495, CISSP # 78721, CNX

Interesting - thanks.

I'm wondering if a meta of __HTML_IMG_ONLY && __PNG_ATTACH_1 might work. I shall test :)
Re: Flooded by a SPAM always containing the same picture
Ned Slider wrote:
> I had one sneak through today which didn't hit any rules at all (it hits
> a few DNSBLs now but not when I received it). It contained an inline png:
>
> Content-Type: image/png
> Content-Transfer-Encoding: base64
> Content-Disposition: inline
>
> here's the full message:
>
> http://pastebin.com/m608defa5
>
> Any idea how to tackle these? I have the DSC png rule in place but
> obviously that doesn't apply to this example.
>
> Perhaps I need a rule for "Content-Type: image/png" too?

I know you said it hit a few DNSBLs since you got it, but just to double-check with some non-standard things that it tripped for me:

Content analysis details:   (10.0 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [77.27.247.28 listed in bb.barracudacentral.org]
 1.7 RCVD_IN_JMF_BL         RBL: Relay listed in JunkEmailFilter BLACK (bad)
                            [77.27.247.28 listed in hostkarma.junkemailfilter.com]
 1.8 RCVD_IN_PSBL           RBL: Received via a relay in PSBL Spamikaze trap
                            [77.27.247.28 listed in psbl.surriel.com]
 0.4 BAYES_50               BODY: Bayesian spam probability is 40 to 60%
                            [score: 0.4984]
 0.1 HOSTEUROPE_IXHASH      BODY: iXhash found @ hosteurope.ixhash.ne
 0.1 GENERIC_IXHASH         BODY: iXhash found @ generic.ixhash.net
 0.9 RDNS_NONE              Delivered to trusted network by a host with no rDNS
 2.0 IXHASH_FOUND           BODY: MD5 checksum matches known spam
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

This uses iXhash with the following extra rule:

ifplugin Mail::SpamAssassin::Plugin::iXhash
  # see http://ixhash.sourceforge.net
  meta IXHASH_FOUND ( GENERIC_IXHASH || NIXSPAM_IXHASH || CTYME_IXHASH || HOSTEUROPE_IXHASH )
  describe IXHASH_FOUND BODY: MD5 checksum matches known spam
  score IXHASH_FOUND 0 2 0 2
endif

KHOP_DNSBL_BUMP is a rule that trusts certain DNSBLs if they aren't already totaling something high.

RCVD_IN_BRBL_LASTEXT (which is in SA svn), RCVD_IN_JMF_BL, and RCVD_IN_PSBL are all great additions added with KHOP_DNSBL_BUMP in my khop-bl sa-update channel, with directions at http://khopesh.com/Anti-spam#sa-update_channels
Re: Flooded by a SPAM always containing the same picture
On 5-May-2009, at 19:08, Ned Slider wrote:
> Content-Type: image/png
> Content-Transfer-Encoding: base64
> Content-Disposition: inline

Interesting. I'd think a no-name image would be a pretty strong spam indicator.

Didn't it hit the no text rules?

I get:

Content analysis details:   (4.3 points, 3.5 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.8936]
 2.2 DCC_CHECK              Listed in DCC (http://rhyolite.com/anti-spam/dcc/ )
 0.1 RDNS_NONE              Delivered to trusted network by a host with no rDNS

on my list account.

--
Eyes the shady night has shut/Cannot see the record cut
And silence sounds no worse than cheers/After earth has stopped the ears.
RE: Flooded by a SPAM always containing the same picture
From: Ned Slider [mailto:n...@unixmail.co.uk]
>I had one sneak through today which didn't hit any rules at all (it hits
>a few DNSBLs now but not when I received it). It contained an inline png:

>Any idea how to tackle these? I have the DSC png rule in place but
>obviously that doesn't apply to this example.

Here's what I'm using. It does rely on the BOTNET plugin, but I only use BOTNET in meta rules anyway, so this is a perfect use for it. This rule caught about 700 of them yesterday.

meta AE_PNG_ATTACH __PNG_ATTACH_1 && __BOTNET_CLIENT
describe AE_PNG_ATTACH Attempt to catch image spam
score AE_PNG_ATTACH 2

--
Dan McDonald, CCIE # 2495, CISSP # 78721, CNX
Re: Flooded by a SPAM always containing the same picture
Randy wrote:
Charles Gregory wrote:

Just a quick question: I'm noticing that these 'png' spams don't have a text section, or any message body text, and yet my SA does not trigger on any 'message does not contain text' rules? I've seen rules trigger when messages are a high percentage of image versus text, but why no hits when 100% image?

- Charles

These hit the EMPTY_MESSAGE rule for me.

I had one sneak through today which didn't hit any rules at all (it hits a few DNSBLs now but not when I received it). It contained an inline png:

Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

here's the full message:

http://pastebin.com/m608defa5

Any idea how to tackle these? I have the DSC png rule in place but obviously that doesn't apply to this example.

Perhaps I need a rule for "Content-Type: image/png" too?
Re: Spamassassin White_list problem
ermille1979 wrote:
> Hi all,
>
> I have a problem with Spamassassin on my Qmail
>

Alex,

Can you explain why you think senders from agipro.it would be whitelisted? The only whitelist option in the config you sent is commented out, so it would have no effect.

Is the LOCAL_RCVD rule the one that should match? (ie: is domain.com really agipro.it?) Could you post the Received headers for a message? Are you sure that received header is added before SA sees it (ie: how have you tied into Qmail)

The error messages would appear to be related to the rules for the SPF plugin being parsed, but the plugin itself isn't loading properly. That's very odd. Do you have any other custom config files, or have you made any changes to the default ones?

Also,

> r...@mail/etc/mail/spamassassin rpm -qa|grep -i spamas
> perl-Mail-SpamAssassin-3.0.2-1
> spamassassin-3.0.2-1
> spamassassin-tools-3.0.2-1
>
> This is My file local.rc
>
> ###
> #
> # rewrite_header Subject *SPAM*
> # report_safe 1
> # trusted_networks 212.17.35.
> # lock_method flock
> report_safe 1
> #required_hits 4
> required_score 3
> #rewrite_header Subject *SPAM*
>
> #whitelist_from *...@agipro.it
>
> use_bayes 1
> # bayes_path /home/spamd/.spamassassin/bayes
> bayes_path /home/spamd/.spamassassin
>
> bayes_auto_learn 1
>
> skip_rbl_checks 0
> use_razor2 1
> use_dcc 1
> use_pyzor 1
>
> dns_available yes
>
> header LOCAL_RCVD Received =~ /.*\(\S+\.domain\.com\s+\[.*\]\)/
> describe LOCAL_RCVD Received from local machine
> #score LOCAL_RCVD -50
>
> ## Optional Score Increases
> score DCC_CHECK 4.000
> score SPF_FAIL 10.000
> score SPF_HELO_FAIL 10.000
> #score RAZOR2_CHECK 2.500
> score RAZOR2_CHECK 4.500
> score BAYES_99 4.300
> #score BAYES_95 3.500
> score BAYES_95 4.200
> #score BAYES_80 3.000
> score BAYES_80 4.100
>
> The mail white sender domain @agipro.it are tagged as Spam!
>
> I have this error on my maillog
>
> May 5 15:47:16 mail spamd[2329]: Failed to run USER_IN_DEF_SPF_WL SpamAssassin test, skipping:__(Can't locate object method "check_for_def_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
> May 5 15:47:16 mail spamd[2329]: Failed to run SPF_HELO_NEUTRAL SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_helo_neutral" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
> May 5 15:47:16 mail spamd[2329]: Failed to run SPF_NEUTRAL SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_neutral" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
> May 5 15:47:16 mail spamd[2329]: Failed to run USER_IN_SPF_WHITELIST SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
> May 5 15:47:16 mail spamd[2326]: Failed to run USER_IN_DEF_SPF_WL SpamAssassin test, skipping:__(Can't locate object method "check_for_def_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
> May 5 15:47:16 mail spamd[2326]: Failed to run SPF_HELO_NEUTRAL SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_helo_neutral" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
> May 5 15:47:16 mail spamd[2326]: Failed to run SPF_NEUTRAL SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_neutral" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
> May 5 15:47:16 mail spamd[2326]: Failed to run USER_IN_SPF_WHITELIST SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
> May 5 15:47:16 mail spamd[2328]: clean message (0.0/3.0) for qscand:513 in 0.6 seconds, 1509 bytes.
>
>
> Help me please?!
>
> Alex
>
Re: Personal SPF
John Hardin wrote:
> On Tue, 5 May 2009, Jonas Eckerman wrote:
>> I can't speak for others, but this is one reason why I haven't given my opinions about your proposed PSPF.
>
> +1. If this OT discussion is going to get discourteous, please take it somewhere more appropriate.

+1

If it were to become courteous again, one of the IETF lists might be appropriate -- that's where the standard would be developed, after all.

--
J.D. Falk
Return Path Inc
http://www.returnpath.net/
Re: Personal SPF
On Tue, 5 May 2009, Jonas Eckerman wrote:
> I can't speak for others, but this is one reason why I haven't given my opinions about your proposed PSPF.

+1. If this OT discussion is going to get discourteous, please take it somewhere more appropriate.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Think Microsoft cares about your needs at all?
"A company wanted to hold off on upgrading Microsoft Office for a year in order to do other projects. So Microsoft gave a 'free' copy of the new Office to the CEO -- a copy that of course generated errors for anyone else in the firm reading his documents. The CEO got tired of getting the 'please re-send in XX format' so he ordered other projects put on hold and the Office upgrade to be top priority." -- Cringely, 4/8/2004
---
3 days until the 64th anniversary of VE day
Re: bayes training doesn't seem to have any affect
On Tue, May 5, 2009 at 5:40 PM, Micah Anderson wrote:
>> Eh? Last journal sync atime is Jan 1 1970?
>> Try running: sa-learn --sync
>
> Doesn't seem to change the 'last journal sync atime' from 0.
[...]
> I'm using a mysql DB and I've got the following set in my local.cf:

SQL Bayes DBs don't have journals, so no last sync time is expected. fyi.
RE: Errors during installation spamassasssin
-----Original Message-----
From: John Thompson [mailto:johndthomp...@gmail.com]
Sent: Tuesday 5 May 2009 22:25
To: users@spamassassin.apache.org
Subject: Re: Errors during installation spamassasssin

> > Is this a bug in sa-update or a bug of the ports system of freebsd???
>
> I saw the same problem on my FreeBSD system. I solved it by
> de-installing p5-Mail-SPF and replacing it with p5-Mail-SPF-Query.
> Seems to be working fine ever since.

Don't use Mail::SPF::Query any more: it's obsoleted (more than 3 years old now). It was Meng's original Perl implementation. Julian Mehnle's Mail::SPF (at version v2.006, now) is its official replacement.

- Mark
Re: Personal SPF
Charles Gregory wrote:
>> Please, stop the PSPF discussions and go implement something that will work without changing the whole internet
>
> LOL! Please stop discussing ideas?

To be fair, this is the SpamAssassin users list. The purpose of this list isn't the discussion about the validity of ideas about possible future extensions to SPF, DKIM or whatever except as to how those ideas might have a direct impact on the usage or development of SpamAssassin.

I can't speak for others, but this is one reason why I haven't given my opinions about your proposed PSPF.

Regards
/Jonas

--
Jonas Eckerman
Fruktträdet & Förbundet Sveriges Dövblinda
http://www.fsdb.org/
http://www.frukt.org/
http://whatever.frukt.org/
Re: bayes training doesn't seem to have any affect
Karsten Bräckelmann writes:

>> This shows me that I have no idea what these magic things are :) Does
>> this tell you anything useful?
>
>> 0.000          0    6798614          0  non-token data: nspam
>> 0.000          0   19136753          0  non-token data: nham
>
> That's quite a lot of ham compared to the spam... Does that really
> reflect your mail instream?

I would suspect not, since we probably get more spam than non-spam. However, perhaps the spamassassin autolearning caused this?

Perhaps the DB is so out of whack, I should just reset it from scratch and try it again. It's a lot of data to lose and I am not sure exactly the right way to do that... so I'd be somewhat reluctant to do so. Might be better if I could clean it out some.

> 19 M hams learned and an SQL Bayes storage backend. Site wide. Do you
> trust your users? Any chance some of them are training badly? At worst

No, I don't trust my users. In fact because of that we moved from doing site-wide training to selected users who can demonstrate that they understand how to train. Perhaps these numbers are legacy from before we switched to this method.

thanks,
micah
Re: Personal SPF
Matus UHLAR - fantomas 5.5.'09, 8:55:

> > Strictly speaking, getting them to use it consistently and properly will
> > be MORE difficult,
> more difficult than what?

I parsed it as him stating that getting users to use his proposed PSPF will be more difficult than getting them to use authenticated SMTP to his servers.

/Jonas
Re: bayes training doesn't seem to have any affect
Adam Katz writes:

> Micah Anderson wrote:
>>> Also, to see how experienced your Bayes knowledge is - use "$ sa-learn
>>> --dump magic"
>>
>> This shows me that I have no idea what these magic things are :) Does
>> this tell you anything useful?
>>
>> 0.000          0          3          0  non-token data: bayes db version
>> 0.000          0    6798614          0  non-token data: nspam
>> 0.000          0   19136753          0  non-token data: nham
>> 0.000          0 1063157695          0  non-token data: ntokens
>> 0.000          0 1241301616          0  non-token data: oldest atime
>> 0.000          0 1241416889          0  non-token data: newest atime
>> 0.000          0          0          0  non-token data: last journal sync atime
>> 0.000          0 1241344830          0  non-token data: last expiry atime
>> 0.000          0      43200          0  non-token data: last expire atime delta
>> 0.000          0     496607          0  non-token data: last expire reduction count
>
> Eh? Last journal sync atime is Jan 1 1970?
> Try running: sa-learn --sync

Doesn't seem to change the 'last journal sync atime' from 0.

> If that helps, put it in your nightly SpamAssassin cron job
> (and/or revisit your custom teaching scripts).

In fact, I've been running that from cron every night. I'm using a mysql DB and I've got the following set in my local.cf:

# We want to expire via cronjob, rather than having one of our spamd
# children do it.
bayes_auto_expire 0

# no affect
bayes_learn_to_journal 0

> A quick primer (since this doesn't really exist anywhere...): The
> three zeroed columns are always zero.
>
> bayes db version is self-explanatory.
> nspam is the number of spam messages on record. bayes needs >200.

Should be fine: 6798649

> nham is the number of ham messages on record. bayes needs >200.

Also should be fine: 19160960

> ntokens is the number of 'words' noted in the system.

lots of tokens: 1065483803

> oldest atime is the oldest access time of the oldest token (I think).

I've got 1241474416 which would be Mon May 4 15:00:16 PDT 2009 which is just yesterday... that doesn't seem right that this would be the oldest access time, especially for 1065483803 tokens!

> the rest of the times should be self-explanatory.
> last expire reduction count is the number of tokens removed from the
> last expiration run (I think).

Ok, that seems to be counting, so something is being expired:

0.000          0     840628          0  non-token data: last expire reduction count

This is all very interesting info, I appreciate the explanation. However, my original question still stands.

micah
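An added example, not code from the thread: a Python reader for `sa-learn --dump magic` output that applies the checks discussed in these posts (the >200 minimum for nspam and nham, the ham-versus-spam balance, and the journal sync time, which the thread says stays 0 on SQL backends). The numbers are the ones quoted in the post above; the function names, the `sql_backend` parameter and the "more ham than spam" flag are assumptions made for the illustration.

```python
import re
from datetime import datetime, timezone

# Values as quoted in the post above (wrapped lines rejoined).
DUMP = """\
0.000          0          3          0  non-token data: bayes db version
0.000          0    6798614          0  non-token data: nspam
0.000          0   19136753          0  non-token data: nham
0.000          0 1063157695          0  non-token data: ntokens
0.000          0 1241301616          0  non-token data: oldest atime
0.000          0 1241416889          0  non-token data: newest atime
0.000          0          0          0  non-token data: last journal sync atime
0.000          0 1241344830          0  non-token data: last expiry atime
0.000          0      43200          0  non-token data: last expire atime delta
0.000          0     496607          0  non-token data: last expire reduction count
"""

# The value sits in the third column; the other three are always zero.
LINE_RE = re.compile(r"^\s*[\d.]+\s+\d+\s+(\d+)\s+\d+\s+non-token data: (.+?)\s*$")
MIN_TRAINED = 200  # "bayes needs >200" for both nspam and nham


def parse_magic(text):
    """Return {field name: integer value} for every 'non-token data' line."""
    magic = {}
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            magic[match.group(2)] = int(match.group(1))
    return magic


def as_utc(epoch):
    """Render an atime field (seconds since the epoch) as a UTC timestamp."""
    stamp = datetime.fromtimestamp(epoch, tz=timezone.utc)
    return stamp.strftime("%Y-%m-%d %H:%M:%S UTC")


def review(magic, sql_backend=False):
    """Return a list of findings worth a closer look."""
    findings = []
    for key in ("nspam", "nham"):
        if magic.get(key, 0) <= MIN_TRAINED:
            findings.append(f"{key} is {magic.get(key, 0)}; Bayes needs more than {MIN_TRAINED}")
    if magic.get("nham", 0) > magic.get("nspam", 0):
        # Assumption: more ham than spam learned is unusual for a site-wide DB.
        findings.append("more ham than spam learned; check autolearn and who trains")
    if magic.get("last journal sync atime", 0) == 0 and not sql_backend:
        # SQL Bayes DBs have no journal, so 0 is only notable on file backends.
        findings.append("journal never synced; run sa-learn --sync")
    return findings


if __name__ == "__main__":
    magic = parse_magic(DUMP)
    for key in ("oldest atime", "newest atime", "last expiry atime"):
        print(f"{key:20} {as_utc(magic[key])}")
    for finding in review(magic, sql_backend=True):
        print("note:", finding)
```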
RE: Personal SPF
-----Original Message-----
From: Charles Gregory [mailto:cgreg...@hwcn.org]
Sent: Tuesday 5 May 2009 22:40
To: users@spamassassin.apache.org
Subject: Re: Personal SPF

> > Defining personalised SPF would cause much more work and troubles for
> > users. Yes, apparently not for you.
>
> Everything is "more work". Question is, would it be WORTH it?
>
> > Many people responded this thread saying it's bad idea.
>
> To date, not counting the 'take my word for it' crowd, I've had one
> concrete suggestion on how to do it 'better', which I am implementing.

Okay, enough with the righteous indignation already. Only several posts ago you had never even heard of SMTP AUTH, or how folks generally solve their roaming user problem by means of having them connect to 'submission' port 587. So, perhaps peeps could have been nicer about your ignorance; but the ignorance itself was squarely yours. Live with it.

Way I see it, your idea was shot down, without much ado, not because of any alleged arrogance on 'our' end, but simply because folks like you are a dime a dozen, these days; whether it's on the marid/asrg/whatever list, there's always the bloke-du-jour who comes up with a 'brilliant' new, often elaborate, plan to do things differently. And usually, like in your case, they haven't done their homework first. A few simple google searches would have brought you to SMTP AUTH, port 587, STARTTLS, etc. Instead, thinking your idea was God's gift to earth, you decided to forego on finding out how people have been solving these issues for the last ten years. That arrogance was also yours. You just don't like being called on it.

Wouldn't know about 'terrible' or anything, but your idea simply fails a variation of the Occam's razor test: it's unnecessarily complicated, hard to implement, harder to maintain, and non-centralized, whereas much simpler, more elegant, centralized solutions are at hand. Solutions you didn't even know about. That's where your quest should have started, and where this thread ought to end.

- Mark
Re: Personal SPF
Footnote: Just had one of my users report the same problem on another list. So my suspicion that this is on *my* server seems well-founded...

On Tue, 5 May 2009, Charles Gregory wrote:
> OT : Apologies if I miss any replies to my posts. But they are getting lost in a pile of repeats
>
> For some reason I am getting many multiple copies of all the posts from this mailing list. If the list admin is listening in, would he/she be kind enough to check SMTP logs for connections to 'barton.hwcn.org' (my mail server) and see if any errors are reported on the sending side of the connection?
>
> I suspect that some sort of time-out is occurring before my server acknowledges receipt, and so while my SMTP finishes delivering the message, your server is considering it a failed send, and trying again multiple times

- Charles
Re: Personal SPF
OT : Apologies if I miss any replies to my posts. But they are getting lost in a pile of repeats

For some reason I am getting many multiple copies of all the posts from this mailing list. If the list admin is listening in, would he/she be kind enough to check SMTP logs for connections to 'barton.hwcn.org' (my mail server) and see if any errors are reported on the sending side of the connection?

I suspect that some sort of time-out is occurring before my server acknowledges receipt, and so while my SMTP finishes delivering the message, your server is considering it a failed send, and trying again multiple times

- Charles
Re: Personal SPF
On Tue, 5 May 2009, LuKreme wrote:
>>> For what it's worth I also think this personal SPF concept is a terrible idea with zero chance of taking off. And I actually *like* normal SPF.
>>
>> Well, it would be nice if you offered some reasons *why* you feel this way.
>
> I did in the portion of the message you snipped.
>
> "If you have mail accounts for users who are not on your network then you have an obligation to allow those users access to your mailserver."

No, that is not a reason why MY idea is 'terrible'. It is an argument in favor of an alternate idea. At best, you are arguing that my idea would be 'unnecessary', without truly addressing the technical issues I am seeking answers to. You might as well suggest that if we all started writing our mail on scraps of paper that we wouldn't need my idea either. But as long as the real world has people sending mail via multiple servers, it would be nice if we could figure out a clever way to authenticate their validity.

- Charles
Re: Personal SPF
On Tue, 5 May 2009, Matus UHLAR - fantomas wrote:
> Defining personalised SPF would cause much more work and troubles for users. Yes, apparently not for you.

Everything is "more work". Question is, would it be WORTH it?

> Many people responded this thread saying it's bad idea.

To date, not counting the 'take my word for it' crowd, I've had one concrete suggestion on how to do it 'better', which I am implementing.

> You repeated a few times that you have no problem being wrong but apparently you are not taking anyone's arguments but yours.

Give or take the fact that I am now implementing SMTP auth I am still not hearing arguments, only opinions.

> As I have already said, configuration you prefer (each user sends mail through its ISP's mail server)

Yo! Who the asterisks said I *prefer* it? I'm just saying it's a fact of life we have to live with. I'm looking for the best solution that will work for a large world, not just me and my one setup.

> Yes, I repeat, your idea is sick, based on completely different approach much (most?) of the world currently uses.

Sick. Now that's constructive. Is that a bandwidth measurement? LOL...

> - setting up PSPF for user connecting through different provider takes you away verification that the sender is really the user. Only you at your mailserver can validate the e-mail address.

(grasp chest - feign heart-attack) Wow! An *argument*! Yeah, I thought of this one. Any mechanism that I can think of to easily automate setup would inherently introduce the possibility of forgery, defeating the whole point of the system

You know, if you weren't so busy trying to hammer this down, you might see that I've had doubts about this idea from the beginning. That's why I threw it out here.

> - anyone connecting through such provider could fake the users' e-mail address without you being able to block the mail

This argument only extends by degree the current situation where someone could hack *my* server and send mail 'protected' by my SPF. The majority of spammers would still be blocked.

> I was the first one in this thread who brought up port 587.

So why switch tactics now? If you are capable of rational argument, then keep it up. It's more productive than just yelping 'bad, bad, bad'.

> Well, the main problem is you don't have the PSPF and I doubt anyone will want it.

Again, a nice opinion, but no real sense of *why*. Inertia is not a reason.

> I was at the idea all problems have been made clear to you

Frankly, I've thought of more problems on my own than anyone has mentioned here. But it really irks me to shelve SAV. There *must* be some bandwidth-friendly way to achieve *that* goal

- Charles
Re: Errors during installation spamassasssin
Jack Raats wrote:
> I'm using the FreeBSD 7.2-RELEASE. I've installed spamassassin using the ports.
> When running sa-update -D I get the following output (part of it)
>
> [97306] dbg: diag: module installed: Net::SMTP, version 2.31
> [97306] dbg: diag: module installed: Mail::SPF, version v2.006
> [97306] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
> [97306] dbg: diag: module installed: IP::Country::Fast, version 604.001
> [97306] dbg: diag: module installed: Razor2::Client::Agent, version 2.84
> [97306] dbg: diag: module installed: Net::Ident, version 1.20
>
> When installing the module Mail::SPF::Query I'll get:
>
> zen# make install
> ===> Installing for p5-Mail-SPF-Query-1.999.1
>
> ===> p5-Mail-SPF-Query-1.999.1 conflicts with installed package(s):
> p5-Mail-SPF-2.006
>
> They install files into the same place.
> Please remove them first with pkg_delete(1).
> *** Error code 1
>
> Stop in /usr/ports/mail/p5-Mail-SPF-Query.
>
> Is this a bug in sa-update or a bug of the ports system of freebsd???

I saw the same problem on my FreeBSD system. I solved it by de-installing p5-Mail-SPF and replacing it with p5-Mail-SPF-Query. Seems to be working fine ever since.

--
-John Thompson (j...@os2.dhs.org)
Appleton WI USA
Re: Personal SPF
LuKreme wrote:
>>> For what it's worth I also think this personal SPF concept is a terrible idea with zero chance of taking off. And I actually *like* normal SPF.
>>
>> Well, it would be nice if you offered some reasons *why* you feel this way.
>
> I did in the portion of the message you snipped.
>
> "If you have mail accounts for users who are not on your network then you have an obligation to allow those users access to your mailserver."

He was responding to me in that email, not you. I just didn't want to repeat what everyone else had already said.

--
Mike Cardwell
(https://secure.grepular.com/) (http://perlcv.com/)
Re: Personal SPF
On 5-May-2009, at 08:39, Charles Gregory wrote:
> On Tue, 5 May 2009, Mike Cardwell wrote:
>> For what it's worth I also think this personal SPF concept is a terrible idea with zero chance of taking off. And I actually *like* normal SPF.
>
> Well, it would be nice if you offered some reasons *why* you feel this way.

I did in the portion of the message you snipped.

"If you have mail accounts for users who are not on your network then you have an obligation to allow those users access to your mailserver."

--
Kickboxing. Sport of the future.
Re: Blocking email with a valid internal destination address from outside.
Sean Leinart wrote:
> I will check that as well. Thanks
> Postfix is the MTA

http://www.postfix.org/RESTRICTION_CLASS_README.html#internal

followup on the postfix-users list.

PS. Please do not top post. Put your replies after the text you reply to. This is valid on the postfix-users lists as well.
Re: Error: "spamc: connection attempt to spamd aborted after 3 retries"
This has been said before, but there seems to still be some confusion.

In short -- you seem to think you're using amavis, and have an amavis config file ... But instead you seem to be calling spamc/spamd, which is completely different and unrelated.

If you want to use amavis, then stop using spamc/spamd, and make sure your MTA configuration uses amavis. Once you are sure you have amavis configured in the MTA, if you are still not getting the expected results, you will want to ask the amavis folks for support.

If you want to use spamc/spamd instead, then stop trying to configure amavis and set SpamAssassin config files appropriately to do the markup that you want.

On Tue, May 5, 2009 at 1:49 PM, Alejandro Cabrera Obed wrote:
> Now the message are checked for spam with an assigned score, but it doesn't
> appear anymore the ***SPAM*** tag the Amavisd-new set up when a spam score
> is greater than the defined threshold. I have to have this tag in order to
> filter the spam for each user.
>
> My amavis conf file have the following lines:
>
> $inet_socket_port = 10024; # default listening socket
> $inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface
> @inet_acl = qw ( 10.1.1.2 127.0.0.1 ); # allow SMTP access from these IP's
> $sa_spam_subject_tag = '***SPAM*** ';
> $sa_tag_level_deflt = 4.0; # add spam info headers if at, or above that level
> $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level
> $sa_kill_level_deflt = 5.0; # triggers spam evasive actions
> $sa_dsn_cutoff_level = 10;
> ...
>
> Why If I use socket for spamd the Amavisd-new does not put the ***SPAM***
> tag to the spam messages ???
Re: Errors during installation spamassasssin
Mail::SPF replaced Mail::SPF::Query. You should pick one or the other, though Mail::SPF is preferred. See the INSTALL doc. Also note, the module diag output is not a list of things that you need to install, it's just a list that can help when debugging.

On Tue, May 5, 2009 at 4:58 AM, Jack Raats wrote:
> I'm using the FreeBSD 7.2-RELEASE. I've installed spamassassin using the
> ports.
> When running sa-update -D I get the following output (part of it)
>
> [97306] dbg: diag: module installed: Mail::SPF, version v2.006
> [97306] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
>
> When installing the module Mail::SPF::Query I'll get:
>
> ===> p5-Mail-SPF-Query-1.999.1 conflicts with installed package(s):
> p5-Mail-SPF-2.006
>
> Is this a bug in sa-update or a bug of the ports system of freebsd???
Re: Error: "spamc: connection attempt to spamd aborted after 3 retries"
2009/5/5 Karsten Bräckelmann > On Tue, 2009-05-05 at 13:10 -0300, Alejandro Cabrera Obed wrote: > > People, I've followed your advice and I've noticed that spamc is > > called from Postfix in /etc/postfix/master.cf: > > > > spamassassinunix- n n - - pipe > > user=nobody argv=/usr/bin/spamc -d 127.0.0.1 -e /usr/sbin/sendmail -oi > -f ${sender} ${recipient} > > > > but this line is the same than the backup I have when the mail system > > worked fine, no changes at all. > > Uhm, that's just a service type definition, isn't it? Do you actually > *use* it as a content filter? Did you before, does your current config? > > Caveat: Not a Postfix master. Please correct me, if I'm wrong. :) > > > What else can I do please ??? > > Check your *entire* mail processing chain. If need be, compare to the > previous state. But I'm repeating myself here... > Dear all, I have changed to socket in place of TCP/IP like you said. Now the message are checked for spam with an assigned score, but it'doesn't appear anymore the ***SPAM*** tag the Amavisd-new set up when a spam score is greater than de defined threshold. I have to have this tag in order to filter ths spam for each user. My amavis conf file have the following lines: $inet_socket_port = 10024; # default listenting socket $inet_socket_bind = '127.0.0.1'; # limit socket bind to loopback interface @inet_acl = qw ( 10.1.1.2 127.0.0.1 ); # allow SMTP access from these IP's $sa_spam_subject_tag = '***SPAM*** '; $sa_tag_level_deflt = 4.0; # add spam info headers if at, or above that level $sa_tag2_level_deflt = 5.0; # add 'spam detected' headers at that level $sa_kill_level_deflt = 5.0; # triggers spam evasive actions $sa_dsn_cutoff_level = 10; ... Why If I use socket for spamd the Amavisd-new does not put the ***SPAM*** tag to the spam messages ??? Thanks in advance Alejandro
Re: Error: "spamc: connection attempt to spamd aborted after 3 retries"
On Tue, 2009-05-05 at 13:10 -0300, Alejandro Cabrera Obed wrote: > People, I've followed your advice and I've noticed that spamc is > called from Postfix in /etc/postfix/master.cf: > > spamassassinunix- n n - - pipe > user=nobody argv=/usr/bin/spamc -d 127.0.0.1 -e /usr/sbin/sendmail -oi -f > ${sender} ${recipient} > > but this line is the same than the backup I have when the mail system > worked fine, no changes at all. Uhm, that's just a service type definition, isn't it? Do you actually *use* it as a content filter? Did you before, does your current config? Caveat: Not a Postfix master. Please correct me, if I'm wrong. :) > What else can I do please ??? Check your *entire* mail processing chain. If need be, compare to the previous state. But I'm repeating myself here... -- char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Personal SPF
Welcome to English 101. Configuring the mail account in their MUA independently on their internet connection is much easier than changing SMTP server every time they connect to other network. Poster is saying it is easier to setup port 587 in MUA instead of configuring PSPF This really is an important point. Your current system makes things unnecessarily difficult for roadwarriors. Another poster offers a good supporting reason to use 587 in MUA (regardless of PSPF). On 05.05.09 10:48, Charles Gregory wrote: Roadwarriors (cute term, BTW) form a very small proportion of my users, but even so, the solution for them is 5 minutes setup. I *will* be implementing it. I say the last argument only covers a small portion of my users, BUT it is so easy to setup (only 5 minutes for me on my server), I *will* be implementing the first poster's suggestion (port 587 with smtp auth). Matus UHLAR - fantomas wrote: 5 minutes of setup every time they change internet connection... and even non-road-warriors will have to change that every time they change connection. People see what they want to see.. I welcome reasoned debate, but that has to start with reading what people are actually saying, and not interpreting every sentence with the worst possible attitude. - Charles
Re: Personal SPF
> On Tue, 5 May 2009, Matus UHLAR - fantomas wrote: >> On 04.05.09 16:43, Charles Gregory wrote: >>> Strictly speaking, getting them to use it consistently and properly will >>> be MORE difficult, >> more difficult than what? More difficult than discussing it here or more >> difficult than implementing PSPF based on your sick setup and requirements? On 05.05.09 10:32, Charles Gregory wrote: > Less difficult than getting people to respond rationally and > intelligently to what I actually posted rather than grabbing a sentence > out of context and using it to construct a glib insult. > I don't have a problem with being wrong. But if you think you're going to > 'shout me down' with arrogant pronouncements like the above, well, good > luck with thtat... Defining personalised SPF would cause much more work and troubles for users. Yes, apparently not for you. Many people responded this thread saying it's bad idea. You repeated a few times that you have no problem being wrong but apparently you are not taking anyone's arguments but yours. As I have already said, configuration you prefer (each user sends mail through its ISP's mail server) requires changing configuration every time they connect from different place. The configuration we are recommending only requires setting configuration once, but correctly. Many providers are doing the same. Any provider using SPF and/or DKIM requires (by nature) that users send mail through their SMTP servers or webmail. The whole point of SPF is defining mail from which domain must be sent through which servers. Yes, I repeat, your idea is sick, based on completely different approach much (most?) of the world currently uses. Want more arguments? - setting up PSPF for user connecting through different provider takes you away verification that the sender is really the user. Only you at your mailserver can validate the e-mail address. 
- anyone connecting through such provider could fake the users' e-mail address withot you being able to block the mail >> internet connection is much easier than changing SMTP server every time >> they connect to other network. > > You know, at least the other posters have brought up port 587, which > offers a way around the standard port 25 block that stands in the way of > your 'easy' idea. I was the first one in this thread who brought up port 587. Unless the mail archive is lying or hiding something. Check yourself >> Send the notice two or more times. They will comply when they will >> start getting failures and you'll be able it's because they didn't read >> and follow multiple > > Ah, I'll take a guess as to what *that* twisted syntax means. Firstly, it > means that you typed your message in a hurry, which reflects that you > just skimmed over my e-mail with equal speed, missing all the fine > points. You didn't really care to read my full reasoning for why I can't > rely on notices. OK, sorry for misreading. I've read your message twice (to be sure what I've understood) but apparently I've missed something. > We may be not-for-profit, but we still have to run on > membership revenues, and those revenues *drop* when people decide that > "we have a problem" and instead of phoning us, they think the solution is > to go find another ISP. I've had people phone me up to cancel their > accounts because their e-mails "didn't work for three weeks", when they > had a glitch in their anti-virus that was blocking pop. You would think > that any reasoning human would call us for *help*. No, they just presume > *we* have a problem, "wait" for us to fix it, then go find another > provider Stupid. And yes, sometimes I think we'd be better off > without those clients, but times are tight, and no we would *not* be > better off. So we avoid situations where users who don't read notices > have any changes that can interrupt their service. 
So we have to have an > OPT-IN mechanism that at the least will get the 'PSPF' working for the > people smart enough to use it. Well, the main problem is you don't have the PSPF and I doubt anyone will want it. I work for an ISP where we run into the same problem, but are moving towards requiring authentication, of course we'll warn all users they need to set it up if they haven't in the past. Of course I know users are stupid. But trying to define whole new protocol with certain flaws (see above and other mails, I don't like repeating clear things over, others apparently aren't too) However to prevent ourself from running into problems (we ran into one last) there's no other way than to implement some "security" checks even if we risk loosing some customers >> Please, stop the PSPF discussions and go implement something that will >> work without changing the whole internet > > LOL! Please stop discussing ideas? I would hestitate to offend any > particular relgion by citing a specific example, but WOW do you ever > sound like the worst religious leaders telling thei
Re: Personal SPF
> On Tue, 5 May 2009, Mike Cardwell wrote: >> For what it's worth I also think this personal SPF concept is a >> terrible idea with zero chance of taking off. And I actually *like* >> normal SPF. On 05.05.09 10:39, Charles Gregory wrote: > Well, it would be nice if you offered some reasons *why* you feel this > way. I said up front that I had a strong suspicion this wouldn't fly, but > I was expecting a bit more reasoning than people just contradicting me... I think he just did not want to repeat what was already said here, just to note he argrees with it. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I feel like I'm diagonally parked in a parallel universe.
Re: Error: "spamc: connection attempt to spamd aborted after 3 retries"
On Tue, 5 May 2009, Alejandro Cabrera Obed wrote:

> People, I've followed your advice and I've noticed that spamc is called from Postfix in /etc/postfix/master.cf:
>
> spamassassin unix - n n - - pipe
>   user=nobody argv=/usr/bin/spamc -d 127.0.0.1 -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
>
> but this line is the same than the backup I have when the mail system worked fine, no changes at all.
>
> And I repeat the /etc/default/spamassassin:
>
> ENABLED=1
> OPTIONS="--create-prefs --socketpath -U amavis --max-children 5 --helper-home-dir"
> PIDFILE="/var/run/spamd.pid"
>
> What else can I do please ???

You have spamd starting up on a socket yet in your Postfix you are attempting to connect to spamd via tcp. You need to specify:

spamc -U

instead of:

spamc -d 127.0.0.1
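The mismatch diagnosed in this reply (spamd listening on a UNIX socket while master.cf runs spamc against TCP) can be checked mechanically. The script below is an added example, not code from the thread or from the SpamAssassin project; the socket path /var/run/spamd.sock and the sample strings are constructed, and it assumes spamd keeps its TCP listener only when no --socketpath is given or when a listen address or port is set explicitly, which matches the behaviour reported in this thread.

```python
"""Check that every spamc call in Postfix master.cf can reach spamd."""
import shlex

SPAMD_FLAGS = {"--socketpath", "--listen-ip", "-i", "--port", "-p"}
SPAMC_FLAGS = {"-d", "-p", "-U"}


def parse_flags(argv, takes_value, stop=None):
    """Return {flag: value} for flags in takes_value ('--x=v' or '--x v')."""
    found, i = {}, 0
    while i < len(argv):
        flag, eq, value = argv[i].partition("=")
        if flag == stop:              # spamc -e: the rest is the delivery command
            break
        if flag in takes_value:
            if not eq:
                i += 1
                value = argv[i] if i < len(argv) else ""
            found[flag] = value
        i += 1
    return found


def loopback(host):
    """Treat 'localhost' and 127.0.0.1 as the same endpoint."""
    return "127.0.0.1" if host == "localhost" else host


def spamd_listeners(options):
    """Endpoints spamd opens for an OPTIONS string from /etc/default/spamassassin."""
    f = parse_flags(shlex.split(options), SPAMD_FLAGS)
    path = f.get("--socketpath")
    listeners = set()
    if path:
        listeners.add(("unix", path))
    # Assumption: TCP stays open only by default or when asked for explicitly.
    if not path or any(k != "--socketpath" for k in f):
        host = f.get("--listen-ip", f.get("-i", "127.0.0.1"))
        port = int(f.get("--port", f.get("-p", 783)))
        listeners.add(("tcp", loopback(host), port))
    return listeners


def spamc_target(argv):
    """Endpoint a spamc command line connects to (-U wins over -d/-p)."""
    f = parse_flags(argv, SPAMC_FLAGS, stop="-e")
    if "-U" in f:
        return ("unix", f["-U"])
    return ("tcp", loopback(f.get("-d", "127.0.0.1")), int(f.get("-p", 783)))


def spamc_services(master_cf):
    """Map service name -> spamc target for each pipe service that runs spamc."""
    entries = []
    for line in master_cf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if line[0].isspace() and entries:
            entries[-1] += " " + line.strip()     # continuation of previous entry
        else:
            entries.append(line.strip())
    result = {}
    for entry in entries:
        words = entry.split()
        pos = next((k for k, w in enumerate(words) if w.startswith("argv=")), None)
        if len(words) > 7 and words[7] == "pipe" and pos is not None:
            cmd = [words[pos][len("argv="):]] + words[pos + 1:]
            if cmd[0].rsplit("/", 1)[-1] == "spamc":
                result[words[0]] = spamc_target(cmd[1:])
    return result


def unreachable(spamd_options, master_cf):
    """Services whose spamc target is not among spamd's listeners."""
    listeners = spamd_listeners(spamd_options)
    return {name: target for name, target in spamc_services(master_cf).items()
            if target not in listeners}


# Constructed samples modelled on the configuration quoted in the thread.
MASTER_CF = """\
spamassassin unix - n n - - pipe
  user=nobody argv=/usr/bin/spamc -d 127.0.0.1 -e /usr/sbin/sendmail -oi -f ${sender} ${recipient}
"""
SOCKET_ONLY = "--create-prefs --socketpath=/var/run/spamd.sock --max-children 5"
SOCKET_AND_TCP = SOCKET_ONLY + " --listen-ip=localhost --port=783"

if __name__ == "__main__":
    for name, target in unreachable(SOCKET_ONLY, MASTER_CF).items():
        print(f"{name}: spamc connects to {target}, spamd is not listening there")
```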
RE: Blocking email with a valid internal destination address from outside.
I will check that as well. Thanks Postfix is the MTA Sean Leinart Network Systems Engineer Raleigh, North Carolina United States slein...@fscarolina.com > -Original Message- > From: John Hardin [mailto:jhar...@impsec.org] > Sent: Tuesday, May 05, 2009 12:05 PM > To: Sean Leinart > Cc: users@spamassassin.apache.org > Subject: Re: Blocking email with a valid internal destination > address from outside. > > On Tue, 5 May 2009, Sean Leinart wrote: > > > We have several email distribution lists with addresses such as > > a...@mydomain.com all-supp...@mydomain.com, etc. Currently > these email > > addresses are getting pounded with trash daily. > > > > Is there a way, or a rule to allow this address to be valid > internally > > but be rejected if the source originates from outside of > our network. > > Ideally this is done in your MTA. What MTA are you using? > Check the support forums and mailing lists for that MTA. > There are generally ways to say something like: > > to: a...@mydomain.com from: 127.0.0.0/8 accept > to: a...@mydomain.com from: 10.0.0.0/8 accept > to: a...@mydomain.com from: *reject > > > -- > John Hardin KA7OHZ > http://www.impsec.org/~jhardin/ > jhar...@impsec.orgFALaholic #11174 pgpk -a > jhar...@impsec.org > key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 > B873 2E79 > -- > - >No representation without taxation! > -- > - > 3 days until the 64th anniversary of VE day >
Re: Error: "spamc: connection attempt to spamd aborted after 3 retries"
People, I've followed your advice and I've noticed that spamc is called from Postfix in /etc/postfix/master.cf: spamassassinunix- n n - - pipe user=nobody argv=/usr/bin/spamc -d 127.0.0.1 -e /usr/sbin/sendmail -oi -f ${sender} ${recipient} but this line is the same than the backup I have when the mail system worked fine, no changes at all. And I repeat the /etc/default/spamassassin: ENABLED=1 OPTIONS="--create-prefs --socketpath -U amavis --max-children 5 --helper-home-dir" PIDFILE="/var/run/spamd.pid" What else can I do please ??? Thanks a lot for your important help, Alejandro 2009/5/5 Karsten Bräckelmann > On Tue, 2009-05-05 at 12:17 -0300, Alejandro Cabrera Obed wrote: > > Dear all, I need your help again about the spamc error. > [...] > > The spamc connects OK to port TCP/783 but I can't use the amavis tag > > features I used before. This situation shows me that the problem is > > between amavisd-new and spamassassin. And I repeat: I've never open > > port TCP/783 from spamassassin before and the anti spam worked fine. > > > > Can you help me please ??? > > You didn't listen. Please re-read the previous answers. Carefully. > > Something, somehow is calling spamc. Only you can track down where that > is. Amavis doesn't use it, and SA certainly does not call spamc on its > own. > > Something in your mail processing chain changed, and now is trying to > use spamc. Go find that. Maybe a user? > > > -- > char *t="\10pse\0r\0dtu...@ghno > \x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; > main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i c<<=1: > (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; > }}} > >
Re: [SA] Personal SPF
> Matus UHLAR - fantomas wrote: > >> On Mon, 4 May 2009, LuKreme wrote: > >>> This is what port 587 is *for*. This is what SASL authentication is *for*. > > > > On 05.05.09 09:25, Charles Gregory wrote: > >> H. Quick (dumb) question. If I tell my users to click the little > >> check box in a mail client (Outlook Express or Thunderbird) that says > >> "use SMTP authentication", does it automatically switch to port 587, or > >> do I need to tell my users how/where to change the port number? > > > > you need the latter. > > Outlook users may want to use port 465 with non-negotiated SSL. On 05.05.09 10:45, Adam Katz wrote: > Funny thing about that; 465 is a non-standard SSL-requiring port for > SMTP, chosen by Microsoft. Despite that, Micorosft Outlook (2003+ at > least) does *not* change the port from 25 when you specify SSL while > Mozilla Thunderbird will change it to 465. No configuration on either > will use 587. That's because M$ Outlook supports negotiating TLS only on port 25. On any other port it only supports SSL (non-negotiated) or plaintect. That's why I recommend (and we do) support port 465. (I don't remember which outlook version I've been testing, but I remember the result). I don't have ay informations that it's microsoft who selected 465 for smtps, but that's not issue since it looks being widely accepted... > The official recommendation is to require port 587 and require > authentication over TLS, but until programs default to using it in > some capacity, it just seems like a bad idea: > > Users are not smart. Give them the simplest options. > > Use different servers for MX vs outbound SMTP, and for the latter, > implement all three ports (25 and 587 requiring STARTTLS and > authentication, 465 being SSL-wrapped and requiring authentication). We do that. 
However, we plan to migrate all users to 587/465 to prevent from problems if anyone would block 25 (and so we could do that if anything happens, some users don't need/have to delive mail directly) > If you open SMTP like that, you should probably also have something > connected to your firewall (e.g. fail2ban for Linux) that will drop > all connections to mail relays that stubbornly try to connect, or at > least have the SMTP server configured to do something similar. I haven't noticed any such problem. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. 42.7 percent of all statistics are made up on the spot.
Re: Blocking email with a valid internal destination address from outside.
On Tue, 5 May 2009, Sean Leinart wrote:

> We have several email distribution lists with addresses such as a...@mydomain.com all-supp...@mydomain.com, etc. Currently these email addresses are getting pounded with trash daily.
>
> Is there a way, or a rule to allow this address to be valid internally but be rejected if the source originates from outside of our network.

Ideally this is done in your MTA. What MTA are you using? Check the support forums and mailing lists for that MTA. There are generally ways to say something like:

to: a...@mydomain.com from: 127.0.0.0/8 accept
to: a...@mydomain.com from: 10.0.0.0/8 accept
to: a...@mydomain.com from: * reject

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
No representation without taxation!
---
3 days until the 64th anniversary of VE day
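The "to / from / action" table sketched in this reply is a first-match access list keyed on the connecting client's IP address, which an outside sender cannot choose the way it can choose a From address. The following is an added example, not part of the original message and not any MTA's own syntax or code; the recipient all-staff@example.com, the function names and the test addresses are constructed for illustration.

```python
import ipaddress

# Constructed rule table in the "to: ADDR from: NET action" shape used above.
RULES = """\
to: all-staff@example.com from: 127.0.0.0/8 accept
to: all-staff@example.com from: 10.0.0.0/8 accept
to: all-staff@example.com from: * reject
"""


def parse_rules(text):
    """Parse the table into (recipient, network-or-None, action) tuples."""
    rules = []
    for number, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if not words:
            continue
        if (len(words) != 5 or words[0] != "to:" or words[2] != "from:"
                or words[4] not in ("accept", "reject")):
            raise ValueError(f"line {number}: expected 'to: ADDR from: NET accept|reject'")
        network = None if words[3] == "*" else ipaddress.ip_network(words[3])
        rules.append((words[1].lower(), network, words[4]))
    return rules


def decide(rules, recipient, client_ip, default="accept"):
    """First matching rule wins; recipients without any rule get the default."""
    ip = ipaddress.ip_address(client_ip)
    # An IPv4 client seen through a dual-stack listener arrives as ::ffff:a.b.c.d;
    # unwrap it so the IPv4 networks in the table still match.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    for rule_rcpt, network, action in rules:
        if rule_rcpt == recipient.lower() and (network is None or ip in network):
            return action
    return default


if __name__ == "__main__":
    table = parse_rules(RULES)
    for client in ("10.1.1.2", "203.0.113.7", "::ffff:10.1.1.2"):
        print(client, decide(table, "all-staff@example.com", client))
```

Because the decision never looks at the envelope or header sender, a message that claims an internal From address but arrives from an outside client is still rejected for the protected list.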
Re: Personal SPF
>> On 04.05.09 10:31, Charles Gregory wrote: >>> > OUR mail server *requires* that a user be connected via our dialups. >>> Configuring the mail account in their MUA independently on their internet >>> connection is much easier than changing SMTP server every time they >>> connect to other network. > On Tue, 5 May 2009, Jonas Eckerman wrote: >> This really is an important point. Your current system makes things >> unnecessarily difficult for roadwarriors. On 05.05.09 10:48, Charles Gregory wrote: > Roadwarriors (cute term, BTW) form a very small proportion of my users, > but even so, the solution for them is 5 minutes setup. I *will* be > implementing it. 5 minutes of setup every time they change internet connection... and even non-road-warriors will have to change that every time they change connection. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. I just got lost in thought. It was unfamiliar territory.
Re: Flooded by a SPAM always containing the same picture
On Tue, 5 May 2009, "Adam Cécile (Le_Vert)" wrote:

> Both my personal and pro. emails get this stupid spam. Here is the image: http://dedibox.le-vert.net/divers/DSC.png

400x240 DSC\d+.png image spam again.

Please check the list archives for the thread with the subject "Almost no score", there are some rules that will catch these messages.

--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Windows Genuine Advantage (WGA) means that now you use your computer at the sufferance of Microsoft Corporation. They can kill it remotely without your consent at any time for any reason; it also shuts down in sympathy when the servers at Microsoft crash.
---
3 days until the 64th anniversary of VE day
Re: Error: "spamc: connection attempt to spamd aborted after 3 retries"
On Tue, 2009-05-05 at 12:17 -0300, Alejandro Cabrera Obed wrote: > Dear all, I need your help again about the spamc error. [...] > The spamc connects OK to port TCP/783 but I can't use the amavis tag > features I used before. This situation shows me that the problem is > between amavisd-new and spamassassin. And I repeat: I've never open > port TCP/783 from spamassassin before and the anti spam worked fine. > > Can you help me please ??? You didn't listen. Please re-read the previous answers. Carefully. Something, somehow is calling spamc. Only you can track down where that is. Amavis doesn't use it, and SA certainly does not call spamc on its own. Something in your mail processing chain changed, and now is trying to use spamc. Go find that. Maybe a user? -- char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Error: "spamc: connection attempt to spamd aborted after 3 retries"
On 5/5/2009 5:17 PM, Alejandro Cabrera Obed wrote: Dear all, I need your help again about the spamc error. I tell you I'm not using procmail. In my /etc/default/spamassassin I have this lines: ENABLED=1 OPTIONS="--create-prefs --socketpath -U amavis --max-children 5 --helper-home-dir" PIDFILE="/var/run/spamd.pid" If I define the listen IP and port: OPTIONS="--create-prefs --socketpath -U amavis --max-children 5 --helper-home-dir --listen-ip=localhost --port=783" The spamc connects OK to port TCP/783 but I can't use the amavis tag features I used before. This situation shows me that the problem is between amavisd-new and spamassassin. And I repeat: I've never open port TCP/783 from spamassassin before and the anti spam worked fine. Can you help me please ??? to make it real short: Amavis doesn't use spamc/spamd at all.
Re: Flooded by a SPAM always containing the same picture
Adam Cécile (Le_Vert) wrote: RW a écrit : On Tue, 5 May 2009 14:44:29 +0200 Matus UHLAR - fantomas wrote: On 05.05.09 14:16, "Adam Cécile (Le_Vert)" wrote: Both my personnal and pro. emails get this stupid spam. Here is the image: http://dedibox.le-vert.net/divers/DSC.png Is there any rules that can block it ? It seems the picture is always the same. OCR module like FuzzyOCR should catch that. I just fed the image to gocr, ocrad and tesseract (OCRs I've found in debian) and allo of them were able to catch at least the "VIAGRA HOT OFFER" (gocr was the best at that). However you will apparently need SA from SVN... I think it's supposed to be the other way around - according to the FuzzyOCR site you need the development version of the plug-in for recent versions of SA. However I've tried the p5-FuzzyOcr and p5-FuzzyOcr-devel ports in FreeBSD, both of which are pretty old, 2.3b and 3.4.2, and they work for me, at least with a few test messages. I have seen SA die quite a lot with SIGPIPE, but that happens anyway (I think due to razor) so I'm not really sure about whether FuzzyOcr is flakey . It always seems to work on the next attempt. Hello, Thanks for all your replies. I was working on it at work and figured out that fuzzyocr is now included in debian testing/sid. A quick backport for stable (no changes needed, only rebuild) later, I had the package installed on my MTAs and this stupid SPAM gets +10 from FuzzyOCR. No additionnal configuration is required, just install the package (I added gocr and ocrad too) and restart amavis. Awesome! Adam. This spam is fly-by-night and you won't receive this after a week or so. It is the same spammer sending spam of the form. $SOME LONG SENTENCE THE SPAMMER DECIDED LOOKED GOOD. $WEB_LINK I guess the OCR thing will catch it but overkill for the time this is spam. Also BOTNET / EMPTY_MESSAGE / SORBS / BAYES / DATE_IN_FUTURE / PBL all trigger on this spam.
Re: Error: "spamc: connection attempt to spamd aborted after 3 retries"
Dear all, I need your help again about the spamc error. I tell you I'm not using procmail. In my /etc/default/spamassassin I have this lines: ENABLED=1 OPTIONS="--create-prefs --socketpath -U amavis --max-children 5 --helper-home-dir" PIDFILE="/var/run/spamd.pid" If I define the listen IP and port: OPTIONS="--create-prefs --socketpath -U amavis --max-children 5 --helper-home-dir --listen-ip=localhost --port=783" The spamc connects OK to port TCP/783 but I can't use the amavis tag features I used before. This situation shows me that the problem is between amavisd-new and spamassassin. And I repeat: I've never open port TCP/783 from spamassassin before and the anti spam worked fine. Can you help me please ??? Thanks a lot Alejandro On Mon, May 4, 2009 at 4:53 PM, Theo Van Dinter wrote: > If you're using amavis, what is calling spamc? It sounds like > something changed your config somewhere. Did someone put in a > procmailrc entry? > > > On Mon, May 4, 2009 at 2:57 PM, Alejandro Cabrera Obed > wrote: > > Dear all, I use Postfix (version 2.3.8-2+etch1) + amavisd-new (version > > 2.4.2-6.1) + spamassassin (version 3.2.3-0.volatile1), and they are > Debian > > Etch packages. > > > > Spamassassin is invoked from amavisd-new, so port TCP/783 is never open. > > > > A pair of days ago, I notice that the messages are not being checked for > > spam, and I have this log messages in /var/log/mail.err time after time: > > > > May 4 15:55:04 mail spamc[18892]: connect to spamd on 127.0.0.1 failed, > > retrying (#1 of 3): Connection refused > > May 4 15:55:04 mail spamc[18893]: connect to spamd on 127.0.0.1 failed, > > retrying (#1 of 3): Connection refused > > May 4 15:55:04 mail spamc[18894]: connect to spamd on 127.0.0.1 failed, > > retrying (#1 of 3): Connection refused > > May 4 15:55:04 mail spamc[18881]: connection attempt to spamd aborted > after > > 3 retries > > > > I tried restarting all the mail services but I fail. 
> > > > What can be the problem, because this model has worked very well until > last > > week and nobody has change nothing except apt-get dist-upgrade from > Debian > > volatile repositories ??? > > > > Special thanks > > > > Alejandro > > >
RE: Blocking email with a valid internal destination address from outside.
Thank you Sean Leinart Network Systems Engineer Raleigh, North Carolina United States slein...@fscarolina.com > -Original Message- > From: Benny Pedersen [mailto:m...@junc.org] > Sent: Tuesday, May 05, 2009 11:10 AM > To: users@spamassassin.apache.org > Subject: Re: Blocking email with a valid internal destination > address from outside. > > > On Tue, May 5, 2009 16:56, Sean Leinart wrote: > > Is there a way, or a rule to allow this address to be valid > internally > > but be rejected if the source originates from outside of > our network. > > http://old.openspf.org/wizard.html?mydomain=fscarolina.com&submit=Go! > > change ~all to -all > > softfail to fail > > > I did not see anything obvious in the config that would > facilitate this. > > Also, this may be a function of postfix vs. spamassassin, if it is, > > please let me know that as well. > > in spamassassin its to late, do spf in mta to stop the fun :) > > -- > http://localhost/ 100% uptime and 100% mirrored :) > >
Re: Flooded by a SPAM always containing the same picture
Charles Gregory wrote: Just a quick question: I'm noticing that these 'png' spams don't have a text section, or any message body text, and yet my SA does not trigger on any 'message does not contain text' rules? I've seen rules trigger when messages are a high percentage of image versus text, but why no hits when 100% image? - Charles These hit the EMPTY_MESSAGE rule for me.
Re: Blocking email with a valid internal destination address from outside.
On Tue, May 5, 2009 16:56, Sean Leinart wrote:
> Is there a way, or a rule to allow this address to be valid internally
> but be rejected if the source originates from outside of our network.

http://old.openspf.org/wizard.html?mydomain=fscarolina.com&submit=Go!

change ~all to -all
softfail to fail

> I did not see anything obvious in the config that would facilitate this.
> Also, this may be a function of postfix vs. spamassassin, if it is,
> please let me know that as well.

in spamassassin it's too late, do spf in mta to stop the fun :)

--
http://localhost/ 100% uptime and 100% mirrored :)
Blocking email with a valid internal destination address from outside.
Greetings All, We have several email distribution lists with addresses such as a...@mydomain.com all-supp...@mydomain.com, etc. Currently these email addresses are getting pounded with trash daily. Is there a way, or a rule to allow this address to be valid internally but be rejected if the source originates from outside of our network. I did not see anything obvious in the config that would facilitate this. Also, this may be a function of postfix vs. spamassassin, if it is, please let me know that as well. Thanks in advance. Sean Leinart Network Systems Engineer Raleigh, North Carolina United States slein...@fscarolina.com
Re: Rule to detect same address in sender and receiver
On Tue, May 5, 2009 16:30, vism...@email.it wrote: > I am in troubles with spam filtering via SpamAssassin; I have many many > many spam mails with the same sender and receiver, but I can't > understand which rule of SpamAssassin is right to block this mails. > > Someone has an idea? add spf to your domain, add active spf testing on mta, problem solved http://mail-archives.apache.org/mod_mbox/spamassassin-users/200812.mbox/%3c59417.rkeux0yqvf8=.1230219050.squir...@mail.junc.org%3e -- http://localhost/ 100% uptime and 100% mirrored :)
Re: Personal SPF
On Tue, 5 May 2009, Jonas Eckerman wrote: On 04.05.09 10:31, Charles Gregory wrote: > OUR mail server *requires* that a user be connected via our dialups. Configuring the mail account in their MUA independently on their internet connection is much easier than changing SMTP server every time they connect to other network. This really is an important point. Your current system makes things unnecessarily difficult for roadwarriors. Roadwarriors (cute term, BTW) form a very small proportion of my users, but even so, the solution for them is 5 minutes setup. I *will* be implementing it. Of course, this changes the balance of 'need'. I would still like to discuss the idea of Personal SPF, and answer the questions I originally asked about possible loads and impact. But it may prove to be there are too few people who would benefit from it to make it worth the effort. (shrug) Doesn't matter really, as long as we *think* about it. -C
Re: [SA] Personal SPF
Matus UHLAR - fantomas wrote:
>> On Mon, 4 May 2009, LuKreme wrote:
>>> This is what port 587 is *for*. This is what SASL authentication is *for*.
>
> On 05.05.09 09:25, Charles Gregory wrote:
>> H. Quick (dumb) question. If I tell my users to click the little
>> check box in a mail client (Outlook Express or Thunderbird) that says
>> "use SMTP authentication", does it automatically switch to port 587, or
>> do I need to tell my users how/where to change the port number?
>
> you need the latter.
> Outlook users may want to use port 465 with non-negotiated SSL.

Funny thing about that; 465 is a non-standard SSL-requiring port for SMTP, chosen by Microsoft. Despite that, Microsoft Outlook (2003+ at least) does *not* change the port from 25 when you specify SSL while Mozilla Thunderbird will change it to 465. No configuration on either will use 587. The official recommendation is to require port 587 and require authentication over TLS, but until programs default to using it in some capacity, it just seems like a bad idea: Users are not smart. Give them the simplest options. Use different servers for MX vs outbound SMTP, and for the latter, implement all three ports (25 and 587 requiring STARTTLS and authentication, 465 being SSL-wrapped and requiring authentication).

In postfix's master.cf, this would be (at the least):

smtp       inet  n  -  -  -  -  smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet  n  -  -  -  -  smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject

For non-Debian/non-FreeBSD systems, it may also require changing /etc/services so that the only "465/tcp" line it contains is:

ssmtp 465/tcp smtps # SMTP over SSL

If you open SMTP like that, you should probably also have something connected to your firewall (e.g. fail2ban for Linux) that will drop all connections to mail relays that stubbornly try to connect, or at least have the SMTP server configured to do something similar.
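A way to check that every smtpd listener in a master.cf carries the three properties the post above asks for (SASL on, TLS enforced, unauthenticated clients rejected). This is an added example, not part of the original post or of Postfix; the function names are hypothetical, and the sample is constructed from the post's entries with the TLS line deliberately dropped from "submission". It only inspects per-service -o overrides, not main.cf.

```python
import re

# Constructed sample: the post's three services, with smtpd_enforce_tls
# deliberately removed from "submission" so the audit has something to flag.
SAMPLE_MASTER_CF = """\
# outbound-only relay (constructed sample)
smtp       inet  n  -  -  -  -  smtpd
  -o smtpd_enforce_tls=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
submission inet  n  -  -  -  -  smtpd
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
smtps      inet  n  -  -  -  -  smtpd
  -o smtpd_tls_wrappermode=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
"""


def parse_master_cf(text):
    """Return {service_name: {override: value}} for every smtpd service."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank lines and comments
        if raw[0].isspace() and logical:
            logical[-1] += " " + raw.strip()  # leading whitespace = continuation
        else:
            logical.append(raw.strip())
    services = {}
    for line in logical:
        fields = line.split()
        # service type private unpriv chroot wakeup maxproc command [args]
        if len(fields) < 8 or fields[7] != "smtpd":
            continue
        args, opts = fields[8:], {}
        for flag, arg in zip(args, args[1:]):
            if flag == "-o" and "=" in arg:
                name, value = arg.split("=", 1)
                opts[name] = value
        services[fields[0]] = opts
    return services


def audit(services):
    """Return {service_name: [problems]} for services missing a property."""
    findings = {}
    for name, opts in services.items():
        problems = []
        if opts.get("smtpd_sasl_auth_enable") != "yes":
            problems.append("SASL authentication not enabled")
        # smtpd_tls_security_level=encrypt is the newer spelling of
        # smtpd_enforce_tls=yes; wrappermode covers the SSL-wrapped port.
        tls = (opts.get("smtpd_enforce_tls") == "yes"
               or opts.get("smtpd_tls_wrappermode") == "yes"
               or opts.get("smtpd_tls_security_level") == "encrypt")
        if not tls:
            problems.append("TLS not enforced")
        rules = re.split(r"[,\s]+", opts.get("smtpd_client_restrictions", ""))
        if "permit_sasl_authenticated" not in rules or rules[-1] != "reject":
            problems.append("unauthenticated clients not rejected")
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for service, problems in audit(parse_master_cf(SAMPLE_MASTER_CF)).items():
        print(service, "->", "; ".join(problems))
```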
Re: Personal SPF
On Tue, 5 May 2009, Mike Cardwell wrote: For what it's worth I also think this personal SPF concept is a terrible idea with zero chance of taking off. And I actually *like* normal SPF. Well, it would be nice if you offered some reasons *why* you feel this way. I said up front that I had a strong suspicion this wouldn't fly, but I was expecting a bit more reasoning than people just contradicting me... - C
Re: Flooded by a SPAM always containing the same picture
Just a quick question: I'm noticing that these 'png' spams don't have a text section, or any message body text, and yet my SA does not trigger on any 'message does not contain text' rules? I've seen rules trigger when messages are a high percentage of image versus text, but why no hits when 100% image? - Charles
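The message shape discussed in this thread (an image part with no filename and no text part at all) can be checked directly from the MIME structure. This is an added example, not a SpamAssassin rule and not code from any poster; the function names are hypothetical and both sample messages are constructed, not taken from the pastebin.

```python
import email
import re

# Constructed sample: a lone inline PNG, no text part, no filename.
SPAM_SAMPLE = """\
From: sender@example.com
To: rcpt@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/png
Content-Transfer-Encoding: base64
Content-Disposition: inline

iVBORw0KGgo=
--b1--
"""

# Constructed sample: ordinary mail with body text and a named attachment.
HAM_SAMPLE = """\
From: friend@example.com
To: rcpt@example.net
Subject: constructed sample
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Photos from the weekend attached.
--b2
Content-Type: image/png; name="garden.png"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="garden.png"

iVBORw0KGgo=
--b2--
"""


def profile(raw):
    """Count image parts, unnamed image parts and visible text characters."""
    msg = email.message_from_string(raw)
    images = unnamed = text_chars = 0
    for part in msg.walk():
        if part.is_multipart():
            continue
        maintype = part.get_content_maintype()
        if maintype == "image":
            images += 1
            # get_filename() looks at Content-Disposition "filename" first,
            # then Content-Type "name", so it covers both naming styles.
            if part.get_filename() is None:
                unnamed += 1
        elif maintype == "text":
            payload = part.get_payload(decode=True) or b""
            try:
                text = payload.decode(part.get_content_charset() or "ascii",
                                      "replace")
            except LookupError:  # unknown charset label
                text = payload.decode("latin-1")
            if part.get_content_subtype() == "html":
                text = re.sub(r"<[^>]+>", "", text)  # crude tag strip
            text_chars += len("".join(text.split()))
    return {"images": images, "unnamed_images": unnamed,
            "text_chars": text_chars}


def looks_like_image_only(raw):
    """True when every image is unnamed and there is no text at all."""
    p = profile(raw)
    return (p["images"] > 0 and p["unnamed_images"] == p["images"]
            and p["text_chars"] == 0)


if __name__ == "__main__":
    for label, raw in (("spam sample", SPAM_SAMPLE), ("ham sample", HAM_SAMPLE)):
        print(label, profile(raw), looks_like_image_only(raw))
```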
Re: Personal SPF
On Tue, 5 May 2009, Matus UHLAR - fantomas wrote: On 04.05.09 16:43, Charles Gregory wrote: Strictly speaking, getting them to use it consistently and properly will be MORE difficult, more difficult than what? More difficult than discussing it here or more difficult than implementing PSPF based on your sick setup and requirements? Less difficult than getting people to respond rationally and intelligently to what I actually posted rather than grabbing a sentence out of context and using it to construct a glib insult. I don't have a problem with being wrong. But if you think you're going to 'shout me down' with arrogant pronouncements like the above, well, good luck with that... Configuring the mail account in their MUA independently on their internet connection is much easier than changing SMTP server every time they connect to other network. You know, at least the other posters have brought up port 587, which offers a way around the standard port 25 block that stands in the way of your 'easy' idea. Send the notice two or more times. They will comply when they will start getting failures and you'll be able it's because they didn't read and follow multiple Ah, I'll take a guess as to what *that* twisted syntax means. Firstly, it means that you typed your message in a hurry, which reflects that you just skimmed over my e-mail with equal speed, missing all the fine points. You didn't really care to read my full reasoning for why I can't rely on notices. We may be not-for-profit, but we still have to run on membership revenues, and those revenues *drop* when people decide that "we have a problem" and instead of phoning us, they think the solution is to go find another ISP. I've had people phone me up to cancel their accounts because their e-mails "didn't work for three weeks", when they had a glitch in their anti-virus that was blocking pop. You would think that any reasoning human would call us for *help*.
No, they just presume *we* have a problem, "wait" for us to fix it, then go find another provider Stupid. And yes, sometimes I think we'd be better off without those clients, but times are tight, and no we would *not* be better off. So we avoid situations where users who don't read notices have any changes that can interrupt their service. So we have to have an OPT-IN mechanism that at the least will get the 'PSPF' working for the people smart enough to use it. (nod) That would be one of the technical hurdles of this. Each ISP would need a published PSPF Server record identifying all *possible* outbound mail servers that any connected client could use, and then someone setting up their PSPF would use a 'lookup' function to get that information, and paste it into the opt-in form for the host serving their domain name. Now this is really much easier than configure mail user agents properly. If there was even the faintest chance that your suggestion achieved all (or most of) the objectives outlined in my proposal, I might accept your stupid attempt at sarcasm as a clever argument. But you haven't come close to addressing the 'replacement for SMTP callback' aspect of the discussion... Me, I posed a question. I *don't* have all the facts. Thank you, but I want help from people who know MORE than me. There are lots of them on here, and they are really helpful. Thanks to them, I've disabled my SMTP callbacks. Good reasoned argument always wins. Try it sometime. You forgot to mention the users will change their PSPF every time they start/stop using other connection, at home, work, coffee shop, weekend house etc etc etc. Oh My Deity. I hadn't thought of that! Why, this would be an incredibly difficult hurdle to overcome! I'm a programmer. I make a living turning incredibly difficult things into simple push-one-button solutions. I can make it easy for my users. What I can't do is make it load-efficient on the internet. So THAT is what is up for discussion here. 
Please, stop the PSPF discussions and go implement something that will work without changing the whole internet LOL! Please stop discussing ideas? I would hesitate to offend any particular religion by citing a specific example, but WOW do you ever sound like the worst religious leaders telling their followers what they can believe or say or do. "Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler I take it back. You *have* mastered irony. - Charles
Rule to detect same address in sender and receiver
Hello, I am in trouble with spam filtering via SpamAssassin; I have many many many spam mails with the same sender and receiver, but I can't understand which rule of SpamAssassin is right to block these mails. Someone has an idea? Thank you in advance! Regards
Re: The weirdest problem I have ever met
On Mon, 2009-05-04 at 06:52 -0700, John Hardin wrote: > On Sun, 3 May 2009, Jodizzz wrote: > > SA:SPAM-DELETE:RC:0(xxx.xx.xxx.xxx):SA:1(1528.3/5.5) OK, so there's the SA score as reported by qmail. Good. However, that alone is quite useless -- we need the full, detailed Report of all rules hit and their respective scores. > 1528 is a ... rather large ... rather large SA score. > > Did that user send a GTUBE to someone and AWL is now trying to average > everything he sends up to that score? GTUBE is 1000 by default. So he would have to trip over quite a lot more for AWL to average the score above 1000... :) Anyway, the Report will show. -- char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4"; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Flooded by a SPAM always containing the same picture
RW wrote: On Tue, 5 May 2009 14:44:29 +0200 Matus UHLAR - fantomas wrote: On 05.05.09 14:16, "Adam Cécile (Le_Vert)" wrote: Both my personal and pro. emails get this stupid spam. Here is the image: http://dedibox.le-vert.net/divers/DSC.png Is there any rules that can block it ? It seems the picture is always the same. OCR module like FuzzyOCR should catch that. I just fed the image to gocr, ocrad and tesseract (OCRs I've found in debian) and all of them were able to catch at least the "VIAGRA HOT OFFER" (gocr was the best at that). However you will apparently need SA from SVN... I think it's supposed to be the other way around - according to the FuzzyOCR site you need the development version of the plug-in for recent versions of SA. However I've tried the p5-FuzzyOcr and p5-FuzzyOcr-devel ports in FreeBSD, both of which are pretty old, 2.3b and 3.4.2, and they work for me, at least with a few test messages. I have seen SA die quite a lot with SIGPIPE, but that happens anyway (I think due to razor) so I'm not really sure about whether FuzzyOcr is flakey. It always seems to work on the next attempt. Hello, Thanks for all your replies. I was working on it at work and figured out that fuzzyocr is now included in debian testing/sid. A quick backport for stable (no changes needed, only rebuild) later, I had the package installed on my MTAs and this stupid SPAM gets +10 from FuzzyOCR. No additional configuration is required, just install the package (I added gocr and ocrad too) and restart amavis. Awesome! Adam.
Re: Spamassassin White_list problem
On 05.05.09 06:59, ermille1979 wrote: > I have a problem with Spamassassin on my Qmail > > r...@mail/etc/mail/spamassassin rpm -qa|grep -i spamas > perl-Mail-SpamAssassin-3.0.2-1 > spamassassin-3.0.2-1 > spamassassin-tools-3.0.2-1 Oh! that is way too old! I wonder if this still can catch any spam (except false positives of course). upgrade first. > required_score 3 Do you get any negatives? SA 3.0.2 uses many rules that were obsolete, blacklists that return true for anything etc... > I have this error on my maillog > > May 5 15:47:16 mail spamd[2329]: Failed to run USER_IN_DEF_SPF_WL > SpamAssassin test, skipping:__(Can't locate object method > "check_for_def_spf_whitelist_from" via package > "Mail::SpamAssassin::PerMsgStatus" at > /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, > line 40._) I'd say you need to upgrade perl, SA and apparently whole your system too. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. On the other hand, you have different fingers.
Re: Personal SPF
> On Mon, 4 May 2009, LuKreme wrote: >> This is what port 587 is *for*. This is what SASL authentication is *for*. On 05.05.09 09:25, Charles Gregory wrote: > H. Quick (dumb) question. If I tell my users to click the little > check box in a mail client (Outlook Express or Thunderbird) that says > "use SMTP authentication", does it automatically switch to port 587, or > do I need to tell my users how/where to change the port number? you need the latter. Outlook users may want to use port 465 with non-negotiated SSL. -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. A day without sunshine is like, night.
Spamassassin White_list problem
Hi all, I have a problem with Spamassassin on my Qmail

r...@mail/etc/mail/spamassassin rpm -qa|grep -i spamas
perl-Mail-SpamAssassin-3.0.2-1
spamassassin-3.0.2-1
spamassassin-tools-3.0.2-1

This is My file local.rc

###
#
# rewrite_header Subject *SPAM*
# report_safe 1
# trusted_networks 212.17.35.
# lock_method flock
report_safe 1
#required_hits 4
required_score 3
#rewrite_header Subject *SPAM*
#whitelist_from *...@agipro.it
use_bayes 1
# bayes_path /home/spamd/.spamassassin/bayes
bayes_path /home/spamd/.spamassassin
bayes_auto_learn 1
skip_rbl_checks 0
use_razor2 1
use_dcc 1
use_pyzor 1
dns_available yes
header LOCAL_RCVD Received =~ /.*\(\S+\.domain\.com\s+\[.*\]\)/
describe LOCAL_RCVD Received from local machine
#score LOCAL_RCVD -50
## Optional Score Increases
score DCC_CHECK 4.000
score SPF_FAIL 10.000
score SPF_HELO_FAIL 10.000
#score RAZOR2_CHECK 2.500
score RAZOR2_CHECK 4.500
score BAYES_99 4.300
#score BAYES_95 3.500
score BAYES_95 4.200
#score BAYES_80 3.000
score BAYES_80 4.100

The mail white sender domain @agipro.it are tagged as Spam!

I have this error on my maillog

May 5 15:47:16 mail spamd[2329]: Failed to run USER_IN_DEF_SPF_WL SpamAssassin test, skipping:__(Can't locate object method "check_for_def_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
May 5 15:47:16 mail spamd[2329]: Failed to run SPF_HELO_NEUTRAL SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_helo_neutral" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
May 5 15:47:16 mail spamd[2329]: Failed to run SPF_NEUTRAL SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_neutral" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
May 5 15:47:16 mail spamd[2329]: Failed to run USER_IN_SPF_WHITELIST SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
May 5 15:47:16 mail spamd[2326]: Failed to run USER_IN_DEF_SPF_WL SpamAssassin test, skipping:__(Can't locate object method "check_for_def_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
May 5 15:47:16 mail spamd[2326]: Failed to run SPF_HELO_NEUTRAL SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_helo_neutral" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
May 5 15:47:16 mail spamd[2326]: Failed to run SPF_NEUTRAL SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_neutral" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
May 5 15:47:16 mail spamd[2326]: Failed to run USER_IN_SPF_WHITELIST SpamAssassin test, skipping:__(Can't locate object method "check_for_spf_whitelist_from" via package "Mail::SpamAssassin::PerMsgStatus" at /usr/lib/perl5/site_perl/5.8.5/Mail/SpamAssassin/PerMsgStatus.pm line 2312, line 40._)
May 5 15:47:16 mail spamd[2328]: clean message (0.0/3.0) for qscand:513 in 0.6 seconds, 1509 bytes.

Help me please?! Alex
-- View this message in context: http://www.nabble.com/Spamassassin-White_list-problem-tp23387747p23387747.html Sent from the SpamAssassin - Users mailing list archive at Nabble.com.
Re: Flooded by a SPAM always containing the same picture
On Tue, 5 May 2009 14:44:29 +0200 Matus UHLAR - fantomas wrote: > On 05.05.09 14:16, "Adam Cécile (Le_Vert)" wrote: > > Both my personal and pro. emails get this stupid spam. > > Here is the image: http://dedibox.le-vert.net/divers/DSC.png > > > > Is there any rules that can block it ? It seems the picture is > > always the same. > > OCR module like FuzzyOCR should catch that. I just fed the image to > gocr, ocrad and tesseract (OCRs I've found in debian) and all of > them were able to catch at least the "VIAGRA HOT OFFER" (gocr was the > best at that). > > However you will apparently need SA from SVN... I think it's supposed to be the other way around - according to the FuzzyOCR site you need the development version of the plug-in for recent versions of SA. However I've tried the p5-FuzzyOcr and p5-FuzzyOcr-devel ports in FreeBSD, both of which are pretty old, 2.3b and 3.4.2, and they work for me, at least with a few test messages. I have seen SA die quite a lot with SIGPIPE, but that happens anyway (I think due to razor) so I'm not really sure about whether FuzzyOcr is flakey. It always seems to work on the next attempt.
Re: Personal SPF
On Mon, 4 May 2009, LuKreme wrote: This is what port 587 is *for*. This is what SASL authentication is *for*. H. Quick (dumb) question. If I tell my users to click the little check box in a mail client (Outlook Express or Thunderbird) that says "use SMTP authentication", does it automatically switch to port 587, or do I need to tell my users how/where to change the port number? - C
Re: Flooded by a SPAM always containing the same picture
Adam Cécile (Le_Vert) wrote: Hello, Both my personal and pro. emails get this stupid spam. Here is the image: http://dedibox.le-vert.net/divers/DSC.png Is there any rules that can block it ? It seems the picture is always the same. Thanks in advance, Regards, Adam. You may be flooded now as we were, but these emails should be caught soon. Most of the ips/domains for this spam are listed in BL and score well in to the 30s now. We received these for a day or two. All are caught now and I don't think you need fuzzyOCR or any custom rules for these. Maybe a custom URI rule for the first day or two.
Re: Personal SPF
On Tue, May 5, 2009 10:33, Mike Cardwell wrote: >> Please, stop the PSPF discussions and go implement something that will >> work without changing the whole internet > For what it's worth I also think this personal SPF concept is a terrible > idea with zero chance of taking off. And I actually *like* normal SPF. it will work if the recipient whitelist based on PSPF without thinking how SPF works :) -- http://localhost/ 100% uptime and 100% mirrored :)
Re: Flooded by a SPAM always containing the same picture
On Tue, 2009-05-05 at 14:16 +0200, "Adam Cécile (Le_Vert)" wrote: > Both my personal and pro. emails get this stupid spam. > Here is the image: http://dedibox.le-vert.net/divers/DSC.png > > Is there any rules that can block it ? It seems the picture is always > the same. > Most stop these messages using the headers and mimeheaders, so post the whole message somewhere where we can see it (e.g. in Pastebin) and post the URL here. Martin
Re: Flooded by a SPAM always containing the same picture
On 05.05.09 14:16, "Adam Cécile (Le_Vert)" wrote: > Both my personal and pro. emails get this stupid spam. > Here is the image: http://dedibox.le-vert.net/divers/DSC.png > > Is there any rules that can block it ? It seems the picture is always > the same. OCR module like FuzzyOCR should catch that. I just fed the image to gocr, ocrad and tesseract (OCRs I've found in debian) and all of them were able to catch at least the "VIAGRA HOT OFFER" (gocr was the best at that). However you will apparently need SA from SVN... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Save the whales. Collect the whole set.
Re: dcc reports
On Tue, 05 May 2009 07:57:37 -0400 Matt Kettler wrote:
> Nicolas Letellier wrote:
> > Hello.
> >
> > I use spamassassin 3.2.5 and Dcc 1.3.103.
> > When I execute cat /path/to/spammail | dccproc, I have lines with X-DCC in
> > headers.
> > However, when I execute cat /path/to/spammail | spamc, I do not have lines
> > with X-DCC headers.
> >
> > Why I do not have DCC lines in headers, in this case?
> >
> Um, because you piped it to spamc, not dccproc?
>
> SpamAssassin doesn't add X-DCC headers, it just queries DCC (or uses
> upstream X-DCC-xxx-Metrics headers) and will add score via the DCC_CHECK
> rule if DCC's thresholds exceed dcc_body_max, dcc_fuz1_max or dcc_fuz2_max.
>
> If you want SA to add DCC metrics, it can create an X-Spam-DCC header if
> you add this to your config:
>
> add_header all DCC _DCCB_: _DCCR_
>
> SA cannot add any headers that do not start with "X-Spam".

Thanks for your information. I thank that SA will add DCC headers (because it use it). It uses it, but do not write anything. That's I wanted to know. Thanks a lot. -- -Nicolas.
Re: Personal SPF
On 04.05.09 10:31, Charles Gregory wrote: >> OUR mail server *requires* that a user be connected via our dialups. [...] Matus UHLAR - fantomas wrote: Configuring the mail account in their MUA independently on their internet connection is much easier than changing SMTP server every time they connect to other network. This really is an important point. Your current system makes things unnecessarily difficult for roadwarriors. Being able to use authenticated SMTP to port 587 at *one* address is much easier than having to set up different outgoing servers for different connections which can become quite tedious if you tend to use the connections provided by hotels for example. FWIW, this was actually the main justification here for setting up authenticated SMTP using a custom SMTP proxy which authenticated against different (local) POP mailboxes depending on user name and server IP. Our users (me included) understandably wanted mail on laptops to be easier. The possibility of using SPF and DKIM were just bonuses. /Jonas -- Jonas Eckerman Fruktträdet & Förbundet Sveriges Dövblinda http://www.fsdb.org/ http://www.frukt.org/ http://whatever.frukt.org/
Flooded by a SPAM always containing the same picture
Hello, Both my personal and pro. emails get this stupid spam. Here is the image: http://dedibox.le-vert.net/divers/DSC.png Is there any rules that can block it ? It seems the picture is always the same. Thanks in advance, Regards, Adam.
Re: dcc reports
Nicolas Letellier wrote:
> Hello.
>
> I use spamassassin 3.2.5 and Dcc 1.3.103.
> When I execute cat /path/to/spammail | dccproc, I have lines with X-DCC in
> headers.
> However, when I execute cat /path/to/spammail | spamc, I do not have lines
> with X-DCC headers.
>
> Why I do not have DCC lines in headers, in this case?
>
Um, because you piped it to spamc, not dccproc?

SpamAssassin doesn't add X-DCC headers, it just queries DCC (or uses upstream X-DCC-xxx-Metrics headers) and will add score via the DCC_CHECK rule if DCC's thresholds exceed dcc_body_max, dcc_fuz1_max or dcc_fuz2_max.

If you want SA to add DCC metrics, it can create an X-Spam-DCC header if you add this to your config:

add_header all DCC _DCCB_: _DCCR_

SA cannot add any headers that do not start with "X-Spam".
dcc reports
Hello. I use spamassassin 3.2.5 and Dcc 1.3.103. When I execute cat /path/to/spammail | dccproc, I have lines with X-DCC in headers. However, when I execute cat /path/to/spammail | spamc, I do not have lines with X-DCC headers. Why I do not have DCC lines in headers, in this case? See my local.cf:

use_dcc 1
dcc_path /usr/local/bin/dccproc

And my v310.pre:

loadplugin Mail::SpamAssassin::Plugin::DCC

Do you have any ideas? If you need any information, do not hesitate. Thanks. Best regards, -- -Nicolas.
Errors during installation spamassassin
I'm using the FreeBSD 7.2-RELEASE. I've installed spamassassin using the ports. When running sa-update -D I get the following output (part of it)

[97306] dbg: diag: module installed: Net::SMTP, version 2.31
[97306] dbg: diag: module installed: Mail::SPF, version v2.006
[97306] dbg: diag: module not installed: Mail::SPF::Query ('require' failed)
[97306] dbg: diag: module installed: IP::Country::Fast, version 604.001
[97306] dbg: diag: module installed: Razor2::Client::Agent, version 2.84
[97306] dbg: diag: module installed: Net::Ident, version 1.20

When installing the module Mail::SPF::Query I'll get:

zen# make install
===> Installing for p5-Mail-SPF-Query-1.999.1
===> p5-Mail-SPF-Query-1.999.1 conflicts with installed package(s):
p5-Mail-SPF-2.006
They install files into the same place.
Please remove them first with pkg_delete(1).
*** Error code 1
Stop in /usr/ports/mail/p5-Mail-SPF-Query.

Is this a bug in sa-update or a bug of the ports system of freebsd??? Thanks for your time Jack
Re: Personal SPF
Matus UHLAR - fantomas wrote: Please, stop the PSPF discussions and go implement something that will work without changing the whole internet For what it's worth I also think this personal SPF concept is a terrible idea with zero chance of taking off. And I actually *like* normal SPF. -- Mike Cardwell (https://secure.grepular.com/) (http://perlcv.com/)
Re: Personal SPF
> On Mon, 4 May 2009, Jonas Eckerman wrote: >> Why do you think it would be easier to get those of your users that >> send through other servers to publish a personal SPF record with >> correct information about the external IP address of the outgoing relay >> they use than it would be to get then to use SMTP auth with your >> servers? On 04.05.09 16:43, Charles Gregory wrote: > Strictly speaking, getting them to use it consistently and properly will > be MORE difficult, more difficult than what? More difficult than discussing it here or more difficult than implementing PSPF based on your sick setup and requirements? Configuring the mail account in their MUA independently on their internet connection is much easier than changing SMTP server every time they connect to other network. > but unlike SMTP auth, there is nothing I need enforce > on all users at once, and the default condition is a 'neutral' result. > PSPF=NONE. Anyone who doesn't get the e-mail notice (or ignores it) will > continue as usual. Send the notice two or more times. They will comply when they will start getting failures and you'll be able it's because they didn't read and follow multiple > (nod) That would be one of the technical hurdles of this. Each ISP would > need a published PSPF Server record identifying all *possible* outbound > mail servers that any connected client could use, and then someone > setting up their PSPF would use a 'lookup' function to get that > information, and paste it into the opt-in form for the host serving their > domain name. Now this is really much easier than configure mail user agents properly. You forgot to mention the users will change their PSPF every time they start/stop using other connection, at home, work, coffee shop, weekend house etc etc etc. 
Please, stop the PSPF discussions and go implement something that will work without changing the whole internet -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. "One World. One Web. One Program." - Microsoft promotional advertisement "Ein Volk, ein Reich, ein Fuhrer!" - Adolf Hitler