JMF abuse reporting

2009-06-10 Thread Adam Katz
Marc-

How do I report abuse in JMF-W?  I'd ideally like it to be automated
via SpamCop reports (which they do for several DNS whitelists, though
not DNSWL or JMF-W).  I don't want to send to a personally attended
address if there's an automated one (or an attended queue), and the
removal page is clearly geared for un-blacklisting only.

Thanks
-Adam

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam


Re: sa-update and SA versions

2009-06-10 Thread LuKreme

On 9-Jun-2009, at 11:36, Karsten Bräckelmann wrote:
> Smart move asking one of the more recent additions to the dev team... ;)



So... how long until 3.3 is ready, then, huh? huh? how long?

... whistles innocently ...

--
Lisa Bonet ate no Basil



Re: New slew of spams

2009-06-10 Thread LuKreme

On 9-Jun-2009, at 07:42, Adam Katz wrote:

> ktn wrote:
>
> > By default, the spamd daemon does not allow user defined rules.
> > Hostmonster needs to set allow_user_rules to 1 in the system
> > configuration file. I asked about this and that's something that
> > they will not do.
>
> LuKreme wrote:
>
> > It's a good thing there are other hosting companies that are not
> > willfully retarded, isn't it?
>
> No, I'd consider that a rather sane decision.  Back when my distribution
> had user accounts with shell access, I had custom rules disabled too.

Sue, but how long ago was that?  The way to properly host people now
is with virtualization. They have their 'own' machine and what they
muck up can only muck up THEIR machine. Might not be the best choice
for a small hosting company, but for a large one anything else seems
senseless. Heck, even for me, if I ever get back into hosting it is
going to be purely with virtualized machines. You want ftp and
non-secure email? Knock yourself out.  I have a restore image handy to
put the system back when you get totally pwned.

> The reason is that some people don't understand how to write rules,
> putting mundane words, often without word-breaks, or enormous globs that
> just destroy the system's efficiency.  Then they score these
> poorly-written rules with ten points and wonder why they're missing so
> much mail.

Yes, and people buy chainsaws to cut down trees and take off their
legs. This is not the fault of the store selling the chainsaws. This
is why you make sure they can only touch their own trees.


--
I know you won't believe it's true
I only went with her cuz she looked like you



BOTNET timeouts?

2009-06-10 Thread Jake Maul
Howdy all,

The last couple days I've been seeing a lot of Botnet-related
timeouts. Obviously the Botnet plugin itself hasn't changed...

DNS problems maybe? Anyone else seen this? It's causing my SA children
to hang and for the server to hit the max-children setting. I had to
disable Botnet to get things up and running reliably again.

Thanks,
Jake


Re: BOTNET timeouts?

2009-06-10 Thread Jason Haar
On 06/11/2009 07:05 AM, Jake Maul wrote:
> Howdy all,
>
> The last couple days I've been seeing a lot of Botnet-related
> timeouts. Obviously the Botnet plugin itself hasn't changed...
>
> DNS problems maybe? Anyone else seen this? It's causing my SA children
> to hang and for the server to hit the max-children setting. I had to
> disable Botnet to get things up and running reliably again.

Known bug with Botnet. See:

http://www.mail-archive.com/users@spamassassin.apache.org/msg53371.html

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: New slew of spams

2009-06-10 Thread John Hardin

On Wed, 10 Jun 2009, LuKreme wrote:

> On 9-Jun-2009, at 07:42, Adam Katz wrote:
>
> > No, I'd consider that a rather sane decision.  Back when my distribution
> > had user accounts with shell access, I had custom rules disabled too.
>
> Sue, but how long ago was that?  The way to properly host people now is
> with virtualization. They have their 'own' machine and what they muck up
> can only muck up THEIR machine.


That's fine for you and me, but not everyone wants to be (or has the 
skills or time to be) a system administrator, and I doubt most hosting 
companies would be able to provide administered single-user VMs at a 
reasonable price point. With a shared VM the administration costs are 
shared across many customers.


I was going to suggest moving to a VM, but I didn't know whether ktn felt 
that was an option. I suppose it's reasonable to ask: ktn, would you be 
willing to move to a self-administered hosted VM in order to get full 
control of SA?


--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  If healthcare is a Right means that the government is obligated
  to provide the people with hospitals, physicians, treatments and
  medications at low or no cost, then the right to free speech means
  the government is obligated to provide the people with printing
  presses and public address systems, the right to freedom of
  religion means the government is obligated to build churches for the
  people, and the right to keep and bear arms means the government is
  obligated to provide the people with guns, all at low or no cost.
---
 51 days since 9th Circuit incorporated 2nd Amdt - MSM still silent


Re: New slew of spams

2009-06-10 Thread Adam Katz
I said:
> I'd consider that a rather sane decision.  Back when my distribution
> had user accounts with shell access, I had custom rules disabled too.

LuKreme wrote:
> Sue, but how long ago was that?

Not sure I approve of that nickname...  That was ~3y ago.

> The way to properly host people now is with virtualization. They
> have their 'own' machine and what they muck up can only muck up
> THEIR machine. Might not be the best choice for a small hosting
> company, but for a large one anything else seems senseless. Heck,
> even for me, if I ever get back into hosting it is going to be
> purely with virtualized machines. You want ftp and non-secure
> email? Knock yourself out.  I have a restore image handy to put the
> system back when you get totally pwned.

Ah, you're talking provider-level deployments while I'm talking
corporate-level deployments.  Even at your higher level, I think it's
a waste of IT time and resources to dedicate servers on a per-customer
basis (unless the customer is a giant and actually needs such
allocation), regardless of whether the server is virtual or not.

Mail is its own thing and should be dedicated rather than with
separate servers for each tenant or hosted on a server that serves
other purposes.  At the provider-level, mail is provided as IMAP
accounts rather than configurable servers.  The most the users should
be able to do is train Bayes and perhaps tweak their accounts' SA
user_prefs.  For web and ftp et al, I fully agree that you should hand
off a VM or jail (recently found to be more efficient, as noted at
http://bsd.slashdot.org/story/09/06/02/0043258/#) and let them at it.

> The reason is that some people don't understand how to write
> rules, putting mundane words, often without word-breaks, or
> enormous globs that just destroy the system's efficiency.  Then
> they score these poorly-written rules with ten points and wonder
> why they're missing so much mail.
>
> Yes, and people buy chainsaws to cut down trees and take off their
> legs. This is not the fault of the store selling the chainsaws.
> This is why you make sure they can only touch their own trees.

You're proposing wasting IT resources on providing tons and tons of
trees (legs?), presumably at little or no cost to the customer, for
customers who don't understand their chainsaws.  Customers tend to
prefer advice or configurations that prevent them from severing a leg,
or even more important (to you), from severing another customer's leg.

If somebody wants to roll their own hosted mail server, let them buy a
VM and do it from scratch, fully outside of your clean and efficient
multi-tenant implementation, but this shouldn't be marketed at all; it
should be an option for the tenant that wants more than you can
offer/support and has the in-house expertise to get it done.

-Adam

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam


Re: sa-update and SA versions

2009-06-10 Thread Adam Katz
 @20090514

uri      URI_HIDDEN /.{7}\/\../
describe URI_HIDDEN Contains a hidden directory
score    URI_HIDDEN 0.7 # 20090515 from sa-users list

ifplugin Mail::SpamAssassin::Plugin::MIMEHeader # {

  mimeheader DSCL4_PNG  Content-Type =~ /name\="DS[CL]\d{4,5}\.(?:png|PNG)"/
  describe   DSCL4_PNG  Digital camera filename is PNG
  score      DSCL4_PNG  1.6
  body       __PNG_240_400  eval:image_size_exact('png',240,400)
  meta       DSCL4DIG_PNG   DSCL4_PNG && __PNG_240_400
  describe   DSCL4DIG_PNG   240x400 PNG with digital camera filename
  score      DSCL4DIG_PNG   2.0 # 20090505 from sa-users list

  header     __CTYPE_MULTIPART_MXD  Content-Type =~ /multipart\/mixed/i
  mimeheader __ANY_TEXT_ATTACH      Content-Type =~ /text\/\w/i
  meta       MIME_IMAGE_ONLY  (__CTYPE_MULTIPART_MXD && __ANY_IMAGE_ATTACH && !__ANY_TEXT_ATTACH)
  describe   MIME_IMAGE_ONLY  Image body part but no text body parts
  score      MIME_IMAGE_ONLY  2.00 # 20090507 from sa-users list

  mimeheader MIME_IMAGE_JPG  Content-Type =~ /image\/jpg/i
  describe   MIME_IMAGE_JPG  MIME type image/jpg should be image/jpeg
  score      MIME_IMAGE_JPG  2.0 # 20090526 from sa-users list

  ifplugin Mail::SpamAssassin::Plugin::ImageInfo
    mimeheader __MIME_GIF     Content-Type =~ /image\/gif/i
    mimeheader __MIME_PNG     Content-Type =~ /image\/png/i
    mimeheader __MIME_JPEG    Content-Type =~ /image\/jpe?g/i
    body       __GIF_ATTACH   eval:image_count('gif',1)
    body       __PNG_ATTACH   eval:image_count('png',1)
    body       __JPEG_ATTACH  eval:image_count('jpeg',1)

    meta     IMAGE_MISMATCH  (__MIME_GIF && !__GIF_ATTACH) || (__MIME_PNG && !__PNG_ATTACH) || (__MIME_JPEG && !__JPEG_ATTACH)
    describe IMAGE_MISMATCH  Contains wrong image format for MIME header
    score    IMAGE_MISMATCH  1.0 # 20090610, proposed to sa-users @20090524
  endif # ImageInfo

endif # } MIMEHeader



#
# khop-blessed channel snippets, http://khopesh.com/Anti-spam#sa-update_channels

header   KHOP_SENDER_BOT  ALL =~ /(?:not?\W?repl[yi]|bounce|subscrib|news|nobody)[^@ ]...@\w/i
describe KHOP_SENDER_BOT  Message sent from a bulk service or bot
score    KHOP_SENDER_BOT  0.125

header   __GOOGLE_UNSUB   List-Unsubscribe =~ /^http:..googlegroups.com\//
header   __GOOGLE_GROUPS  Sender =~ /\...@googlegroups\.com$/
ifplugin Mail::SpamAssassin::Plugin::DKIM
  meta   GOOGLE_GROUPS  __GOOGLE_GROUPS && __GOOGLE_UNSUB && DKIM_VERIFIED
else
  header DKIM_EXISTS    exists:DKIM-Signature
  meta   GOOGLE_GROUPS  __GOOGLE_GROUPS && __GOOGLE_UNSUB && DKIM_EXISTS
endif # DKIM
describe GOOGLE_GROUPS  Google Groups list mail (confirmed-opt-in)
score    GOOGLE_GROUPS  -2  # 20090527
# undo KHOP_SENDER_BOT + KHOP_NEWSLETTER + KHOP_UNSUB_LINK (0.1+0.7+0.8=1.65)

# __X_IP will throw an 'undefined' if missing, but this avoids tripping over
# the fix at https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5920#c2
meta     KHOP_BUG5920_X_IP  X_IP && GOOGLE_GROUPS && !__X_IP
describe KHOP_BUG5920_X_IP  Undo X_IP for Google Groups
score    KHOP_BUG5920_X_IP  -3 # undoing X_IP's  2.840 1.943 2.744 3.177



#
# from khop-blessed channel, http://khopesh.com/Anti-spam#sa-update_channels
# as referenced in my email to sa-users on 2009/10/05

ifplugin Mail::SpamAssassin::Plugin::SPF
 #ifplugin Mail::SpamAssassin::Plugin::DKIM # ... not a problem if missing
  meta     __KHOP_NOSPOOF     ALL_TRUSTED || SPF_PASS || DKIM_VERIFIED

  meta     KHOP_RCVD_UNTRUST  !__KHOP_NOSPOOF && __KHOP_DNSWLD
  describe KHOP_RCVD_UNTRUST  DNS-whitelisted sender is not verified
  tflags   KHOP_RCVD_UNTRUST  noautolearn
  score    KHOP_RCVD_UNTRUST  1 # 20090501

  # bump for non-spoofed dns-whitelisted items that aren't already pretty low
  # (similar to KHOP_DNSBL_BUMP in khop-bl)
  meta     KHOP_RCVD_TRUST  __KHOP_NOSPOOF && __KHOP_DNSWLD && (4.3*RCVD_IN_BSP_TRUSTED + 8*RCVD_IN_DNSWL_HI + 1*RCVD_IN_DNSWL_LOW + 4*RCVD_IN_DNSWL_MED + 4*RCVD_IN_IADB_DOPTIN + 6*RCVD_IN_IADB_ML_DOPTIN + 2.2*RCVD_IN_IADB_VOUCHED + 3*RCVD_IN_JMF_W + 3.7*RCVD_IN_SSC_TRUSTED_COI) > 7
  describe KHOP_RCVD_TRUST  DNS-Whitelisted sender is verified
  tflags   KHOP_RCVD_TRUST  nice noautolearn
  score    KHOP_RCVD_TRUST  -2.5 # 20090411

 #endif # DKIM
endif # SPF



#
# khop-bl channel snippets, http://khopesh.com/Anti-spam#sa-update_channels

# Fight incestuous DNSBLs, posted to sa-users @20090518
ifplugin Mail::SpamAssassin::Plugin::DNSEval # {
  meta     KHOP_DNSBL_ADJ  ( 2*RCVD_IN_BL_SPAMCOP_NET + 1.6*RCVD_IN_NJABL_PROXY + 2.7*RCVD_IN_NJABL_RELAY + 2.1*RCVD_IN_NJABL_SPAM + 0.9*RCVD_IN_PBL + 1.6*RCVD_IN_SBL + 3*RCVD_IN_XBL + 0.8*RCVD_IN_SORBS_SOCKS + 1.8*RCVD_IN_PSBL + 1.7*RCVD_IN_JMF_BL + 1.8*RCVD_IN_JMF_BR + 2*RCVD_IN_BRBL_RELAY + 1*RCVD_IN_BRBL_LASTEXT ) > 8
  describe KHOP_DNSBL_ADJ  Undo autokill from DNSBL overlap
  tflags   KHOP_DNSBL_ADJ  nice
  score

Re: sa-update and SA versions

2009-06-10 Thread Karsten Bräckelmann
On Wed, 2009-06-10 at 17:39 -0400, Adam Katz wrote:
> Karsten Bräckelmann wrote:
> > That said, I seem to recall that at least published SARE rule-sets
> > have been mentioned to be added to stock and thus obsoleted.
>
> I suppose this is a point for Daryl (DOS) or whomever maintains SARE
> (read: runs the DNS), but they are not configured to obsolete nicely:

Err... No.  Actually, I was specifically talking about backhair or one of
those rule-sets. Note the "added to stock" part.

As for *all* SARE rule-sets, there is *one* definite source of status.
Rulesemporium. The very front page claims loudly the stuff is not
maintained. Each rule-set got a hint about last updated, last mass-
checked, and there are lots of sets specifically mentioning a SA version
number it is intended for.

Daryl provides a mirror of that stuff for anyone who deliberately WANTS
these rules. He is not to blame, but the admin who installs 5-year-old
rules.

There is no way for sa-update to fade out or obsolete a rule-set. There
is a version number to indicate an update. Installing them is at the
discretion of the admin.

Oh, and some, well, one(?) are actually updated these days and alive.


> > Also, there's no communications channel announcing sa-update rule
> > updates in detail.
>
> Ooh, I like the idea of an RSS feed or a bot that posts to this list
> (or the dev list), specifically for retractions/removals and security
> updates, and hopefully not for any minor score tweak (or perhaps a
> ~weekly digest of such things).  This might be as simple as a script
> monitoring SVN checkins.

There is an svn checkins list.


> > Speaking about rules posted to the list: Those often will be
> > changed slightly in the sandbox after the initial post. Let alone
> > some rules being posted in various versions on this list -- which
> > one do you run?
>
> I'm not sure if you actually want this, but ...  Rules I've pushed to
> and taken from this list are attached.

While I'm glad to see a couple KB prefixed rules right at the top... :)

No, I did not mean you to post them. That was a remark for the reader to
*think* about the various versions posted, and how many (read all) of
them are spread around thousands of systems.

That effectively means that a note about such rules going into stock
needs to include all of the versions, mentioning their specific overlap,
fuzziness, ...  Impossible.

Let alone local tweaks to those rules. Ultimately, the admin is
responsible for ANY third-party stuff he installed.


BTW, all my RATWARE_OUTLOOK variants are super-sets of the 08 one, as I
have mentioned on this list when I first posted them here. The 08 one is
the one, the rest were meant for debugging only.

  guenther

-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i<l;i++){ i%8? c<<=1:
(c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}



Re: BOTNET timeouts?

2009-06-10 Thread Jake Maul
Interesting that I'm just now running into this... I've been using
Botnet on this server for several months without issue.

Thanks for the link, shorter timeouts should cure it. :)

Jake

On Wed, Jun 10, 2009 at 12:26 PM, Jason Haar <jason.h...@trimble.co.nz> wrote:
> On 06/11/2009 07:05 AM, Jake Maul wrote:
> > Howdy all,
> >
> > The last couple days I've been seeing a lot of Botnet-related
> > timeouts. Obviously the Botnet plugin itself hasn't changed...
> >
> > DNS problems maybe? Anyone else seen this? It's causing my SA children
> > to hang and for the server to hit the max-children setting. I had to
> > disable Botnet to get things up and running reliably again.
>
> Known bug with Botnet. See:
>
> http://www.mail-archive.com/users@spamassassin.apache.org/msg53371.html
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




Re: BOTNET timeouts?

2009-06-10 Thread Bill Landry
Jake Maul wrote:
> Interesting that I'm just now running into this... I've been using
> Botnet on this server for several months without issue.
>
> Thanks for the link, shorter timeouts should cure it. :)

Even though Mark Martinec had provided John Rudd with a nice, neat patch
for botnet.pm well over a year ago to resolve this issue, John has not
opted to take the 5 minutes that is necessary to fix botnet by applying
the patch.  He is no longer maintaining botnet, and it has become an
orphaned plugin that is in serious need of repair.

Bill


Re: BOTNET timeouts?

2009-06-10 Thread John Rudd
On Wed, Jun 10, 2009 at 21:11, Bill Landry <b...@inetmsg.com> wrote:
> Jake Maul wrote:
> > Interesting that I'm just now running into this... I've been using
> > Botnet on this server for several months without issue.
> >
> > Thanks for the link, shorter timeouts should cure it. :)
>
> Even though Mark Martinec had provided John Rudd with a nice, neat patch
> for botnet.pm well over a year ago to resolve this issue, John has not
> opted to take the 5 minutes that is necessary to fix botnet by applying
> the patch.  He is no longer maintaining botnet, and it has become an
> orphaned plugin that is in serious need of repair.

That's a rather presumptuous statement to make.

The plug-in works in the vast majority of cases, and I've had higher
priority things to work on. But the plug-in has not been abandoned (nor
are you qualified to make that statement), nor is it in _serious_ need
of repair.

Nor do you know how much pre-release work (testing, etc.) I put into a
release, whether or not that's the solution to the specific problem I
want to go with, etc., so you're also unqualified to state how much
time it would take to resolve it.


Re: BOTNET timeouts?

2009-06-10 Thread Bill Landry
John Rudd wrote:
> On Wed, Jun 10, 2009 at 21:11, Bill Landry <b...@inetmsg.com> wrote:
> > Jake Maul wrote:
> > > Interesting that I'm just now running into this... I've been using
> > > Botnet on this server for several months without issue.
> > >
> > > Thanks for the link, shorter timeouts should cure it. :)
> >
> > Even though Mark Martinec had provided John Rudd with a nice, neat patch
> > for botnet.pm well over a year ago to resolve this issue, John has not
> > opted to take the 5 minutes that is necessary to fix botnet by applying
> > the patch.  He is no longer maintaining botnet, and it has become an
> > orphaned plugin that is in serious need of repair.
>
> That's a rather presumptuous statement to make.
>
> The plug-in works in the vast majority of cases, and I've had higher
> priority things to work on. But the plug-in has not been abandoned (nor
> are you qualified to make that statement), nor is it in _serious_ need
> of repair.
>
> Nor do you know how much pre-release work (testing, etc.) I put into a
> release, whether or not that's the solution to the specific problem I
> want to go with, etc., so you're also unqualified to state how much
> time it would take to resolve it.

Whatever, just fix it or pull it.

Bill



Re: BOTNET timeouts?

2009-06-10 Thread Benny Pedersen

On Wed, June 10, 2009 21:05, Jake Maul wrote:
> The last couple days I've been seeing a lot of Botnet-related
> timeouts. Obviously the Botnet plugin itself hasn't changed...

http://bugs.gentoo.org/show_bug.cgi?id=217261

> DNS problems maybe? Anyone else seen this? It's causing my SA children
> to hang and for the server to hit the max-children setting. I had to
> disable Botnet to get things up and running reliably again.

hope the patch still works


-- 
http://localhost/ 100% uptime and 100% mirrored :)