Re: Again AWL confusion
On Wed, 2009-08-05 at 00:37 +0200, a...@exys.org wrote: Matus UHLAR - fantomas wrote: On 04.08.09 20:09, a...@exys.org wrote: I have obviously never received any mail from that sender, so why does it hit? in later mail you mention that you run SA before greylisting. On 05.08.09 00:31, Martin Gregorie wrote: If, for some (very) odd reason you run greylisting after SA then *of course* your host has (a) seen the mail and (b) passed it through SA. How else can the mail get to the greylister? Would you care to explain why you put a greylister behind SA? Do you know how a greylister works and why it was designed to work that way? He already explained that he greylists only mail that scores above a limit. In that case we can assume the spam scored high even before so it got greylisted. In such case I doubt it was learned as ham, unless the greylisting check is broken... nope. i grepped the global log. the only time that sender ever ocurs it was temporary rejected due to greylisting. And where else did greylisted mail appear in the log? For the mail to be logged as rejected by a greylister *after* its been through SA it must also have been inspected by AWL and therefore it did affect the AWL database. the question is, why it scored hammy? aep, how did it score before greylisting? Are you sure you do not have bug in your greylisting code? Btw, I'm not sure if it should not be low scoring messages (spams) for which greylisting is very good, since you won't become that early recipient... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Posli tento mail 100 svojim znamim - nech vidia aky si idiot Send this email to 100 your friends - let them see what an idiot you are
Re: Network Tests / Rule Files Directories
On 04.08.09 16:39, Stefan Malte Schumacher wrote:
> And it seems AWL really is the problem. Here are the relevant passages from another Email, which only got enough points to be identified as Spam because it was both in DCC and Razor.
>
>  5.0 RAZOR2_CHECK  Listed in Razor2 (http://razor.sf.net/)
>  5.0 DCC_CHECK     Listed in DCC (http://rhyolite.com/anti-spam/dcc/)
> -4.9 AWL           AWL: From: address is in the auto white-list
>
> The message got 7,1 points in the end. So what should I do? Disable the Auto-Whitelist? Or simply use higher scores for RAZOR_CHECK etc. ?

note, the higher scores for RAZOR and DCC will be, the lower the AWL score will be. Of course, the sum will be higher, but I don't advise to play with scores that much, setting score 5 and higher is very risky

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
M$ Win's are shit, do not use it !
Re: Again AWL confusion
Matus UHLAR - fantomas wrote: On 05.08.09 00:31, Martin Gregorie wrote: If, for some (very) odd reason you run greylisting after SA then *of course* your host has (a) seen the mail and (b) passed it through SA. How else can the mail get to the greylister? Would you care to explain why you put a greylister behind SA? Do you know how a greylister works and why it was designed to work that way? He already explained that he greylists only mail that scores above a limit. exactly. The point is that scores below 2 are never spam, so i avoid greylisting. Thats my whitelist (you usually need for greylisting) at the same time, since i whitelist some hosts in SA. In that case we can assume the spam scored high even before so it got greylisted. In such case I doubt it was learned as ham, unless the greylisting check is broken... above 2. The njabl hit would have been enough to hit that. It didn't score above 10, because that would have been rejected at smtp time. My guess is that it scored 2 on the first try, then later it would have scored above 10 due to surbl listings, but awl kicks in and lowers the score thinking the greylisted mail was an independent message. And where else did greylisted mail appear in the log? For the mail to be logged as rejected by a greylister *after* its been through SA it must also have been inspected by AWL and therefore it did affect the AWL database. oh right, i could look at the SA log, but i already know it passed SA 3 times. the question is, why it scored hammy? aep, how did it score before greylisting? Are you sure you do not have bug in your greylisting code? see above. i'm pretty sure the bug is passing the same message to SA multiple times. Btw, I'm not sure if it should not be low scoring messages (spams) for which greylisting is very good, since you won't become that early recipient... 2 to 5 is the sweetspot. That message in question actually proved it is working, since the URIBL hits came later. Then it scores 10 so it gets rejected. 
I think that setup is fairly smart, excluding the problem that i train SA with wrong information. I wonder if i could ask SA to score a message without learning it, although exim-sa probably doesn't support that.
Re: [NEW SPAM FLOOD] www.shopXX.net
DS == Dan Schaefer d...@performanceadmin.com writes:

DS> I'm glad to see this SPAM traffic has come to a halt. At least on my
DS> mail server...

Yes, I haven't seen any of those spams since the morning of the 31st. My servers were rejecting them like mad right up until that point in time (10:30CDT), and then nothing.

- J
Re: [NEW SPAM FLOOD] www.shopXX.net
Good morning *,

On 2009-08-04 13:51:24, Jason L Tibbitts III wrote:
> DS == Dan Schaefer d...@performanceadmin.com writes:
>
> DS> I'm glad to see this SPAM traffic has come to a halt. At least on my
> DS> mail server...
>
> Yes, I haven't seen any of those spams since the morning of the 31st. My servers were rejecting them like mad right up until that point in time (10:30CDT), and then nothing.

I have seen exactly the same, I was hit by more than 200.000 spams per day of this kind and had a relative high CPU load (4) on my five servers Sun Fire X4100M2 and it was more or less gone from one hour to another...

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
Tamay Dogan Network
Debian GNU/Linux Consultant

--
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
http://www.tamay-dogan.net/
Michelle Konzack               http://www.can4linux.org/
c/o Vertriebsp. KabelBW        http://www.flexray4linux.org/
Blumenstrasse 2                Jabber linux4miche...@jabber.ccc.de
77694 Kehl/Germany             IRC #Debian (irc.icq.com)
Tel. DE: +49 177 9351947       ICQ #328449886
Tel. FR: +33 6 61925193
can Spamassassin count recipients?
Is it possible to count recipients with Spamassassin?

Some of the spam I receive has multiple recipients in To: and/or CC: headers, i.e.:

To: 1...@example.com, 2...@example.com, 3...@example.com
CC: 1...@example.com, 2...@example.com, 3...@example.com

I would like to count the number of recipients and assign score accordingly. For example, when there are 5-10 recipients, assign 1 point; 11 recipients and more - assign 2 points.

Is it possible with Spamassassin?

--
Tomasz Chmielewski
http://wpkg.org
Re: Again AWL confusion
a...@exys.org wrote: exactly. The point is that scores below 2 are never spam, so i avoid greylisting. Thats my whitelist (you usually need for greylisting) at the same time, since i whitelist some hosts in SA. Interesting set-up, although I don't think it would be suitable for a high-volume server. So what do you use to do this? exim-sa and what greylisting software? above 2. The njabl hit would have been enough to hit that. It didn't score above 10, because that would have been rejected at smtp time. My guess is that it scored 2 on the first try, then later it would have scored above 10 due to surbl listings, but awl kicks in and lowers the score thinking the greylisted mail was an independent message. With most greylisting systems, the temporary reject is before the data section (which helps save bandwidth), so it's hard to know if it's two attempts to deliver the same message, or two independent messages. Not so in your case, however. What is auto_whitelist_factor set at? And where else did greylisted mail appear in the log? For the mail to be logged as rejected by a greylister *after* its been through SA it must also have been inspected by AWL and therefore it did affect the AWL database. oh right, i could look at the SA log, but i already know it passed SA 3 times. Worth doing. the question is, why it scored hammy? aep, how did it score before greylisting? Are you sure you do not have bug in your greylisting code? see above. i'm pretty sure the bug is passing the same message to SA multiple times. Well, by definition that isn't an SA bug. Or are you suggesting AWL should check to see if the same Message-ID has been seen before, and if it has, not score or learn? That would be an extra database lookup, and it would mean AWL would also be disabled for valid mail that had been delayed by greylisting (maybe OK, because it presumably hasn't been seen before). 
Bayes *shouldn't* allow learning of the same message more than once (it doesn't if you train it manually), but maybe autolearn doesn't update bayes_seen (??).

I think the simplest solution for your config is just:

    use_auto_whitelist 0
    bayes_auto_learn 0

Setting 'tflags URIBL_BLACK noautolearn' etc. on the remote tests would probably mean the AWL decrease would be less, because AWL is then just smoothing out the scores from the local tests.

None of this sounds very efficient with minimising DNS lookups and reducing carbon footprints...

CK
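The effect discussed in this thread, worked through as an added example (not code from any poster or from SpamAssassin). It assumes the documented AWL adjustment, final = score + (mean - score) * auto_whitelist_factor, keys history by sender address only, and replays constructed scores; the Message-ID check is the hypothetical one raised in the reply above.

```python
"""Simplified model of SpamAssassin's AWL adjustment (added example)."""
from dataclasses import dataclass, field

AWL_FACTOR = 0.5    # SpamAssassin's default auto_whitelist_factor
GREYLIST_AT = 2.0   # from the thread: mail scoring above 2 is greylisted
REJECT_AT = 10.0    # from the thread: mail scoring above 10 is rejected

# Constructed sample: one spam message offered three times. The first two
# passes hit only a DNSBL; by the third pass URIBL listings have appeared.
SENDER = "sender@spam.example"
ATTEMPTS = [
    (SENDER, "<id-1@spam.example>", 2.5),
    (SENDER, "<id-1@spam.example>", 2.5),
    (SENDER, "<id-1@spam.example>", 12.0),
]


@dataclass
class Awl:
    """Per-sender history: (sum of pre-AWL scores, number of messages)."""
    factor: float = AWL_FACTOR
    dedupe: bool = False                       # hypothetical Message-ID check
    history: dict = field(default_factory=dict)
    seen_ids: set = field(default_factory=set)

    def final_score(self, sender, message_id, raw):
        # With the hypothetical check on, a repeated Message-ID is neither
        # adjusted nor added to the sender's history.
        if self.dedupe and message_id in self.seen_ids:
            return raw
        total, count = self.history.get(sender, (0.0, 0))
        # Pull the score toward the sender's mean of earlier pre-AWL scores.
        delta = (total / count - raw) * self.factor if count else 0.0
        # The pre-AWL score, not the adjusted one, goes into the history.
        self.history[sender] = (total + raw, count + 1)
        self.seen_ids.add(message_id)
        return round(raw + delta, 3)


def disposition(score):
    """Thresholds from the thread; 'greylist' is the 2..10 band that is
    delivered once the greylisting delay has passed."""
    if score > REJECT_AT:
        return "reject"
    if score > GREYLIST_AT:
        return "greylist"
    return "accept"


def replay(attempts, dedupe=False):
    """Score every delivery attempt in order with a fresh AWL database."""
    awl = Awl(dedupe=dedupe)
    results = []
    for sender, message_id, raw in attempts:
        final = awl.final_score(sender, message_id, raw)
        results.append((raw, final, disposition(final)))
    return results


if __name__ == "__main__":
    for label, dedupe in (("AWL applied on every pass", False),
                          ("repeated Message-ID skipped", True)):
        print(label)
        for raw, final, action in replay(ATTEMPTS, dedupe):
            print(f"  raw={raw:5.1f}  final={final:6.2f}  -> {action}")
```

In the first run the two early passes set the sender's mean to 2.5, so the third pass is pulled from 12.0 down to 7.25 and stays under the reject threshold.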
Re: can Spamassassin count recipients?
> Is it possible to count recipients with Spamassassin?
>
> Some of the spam I receive has multiple recipients in To: and/or CC: headers, i.e.:
>
> To: 1...@example.com, 2...@example.com, 3...@example.com
> CC: 1...@example.com, 2...@example.com, 3...@example.com
>
> I would like to count the number of recipients and assign score accordingly. For example, when there are 5-10 recipients, assign 1 point; 11 recipients and more - assign 2 points.
>
> Is it possible with Spamassassin?

I think SA already assigns a negative score for mail containing multiple similar looking recipients; it's a stock rule.
Re: can Spamassassin count recipients?
Tomasz Chmielewski wrote:
> Is it possible to count recipients with Spamassassin?
>
> Some of the spam I receive has multiple recipients in To: and/or CC: headers, i.e.:
>
> To: 1...@example.com, 2...@example.com, 3...@example.com
> CC: 1...@example.com, 2...@example.com, 3...@example.com
>
> I would like to count the number of recipients and assign score accordingly. For example, when there are 5-10 recipients, assign 1 point; 11 recipients and more - assign 2 points.
>
> Is it possible with Spamassassin?

Sure:

    # one hit per address found in To: or Cc:
    header   __COUNT_RCPTS  ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/
    tflags   __COUNT_RCPTS  multiple

    meta     RCPTS_5_10     (__COUNT_RCPTS >= 5 && __COUNT_RCPTS <= 10)
    score    RCPTS_5_10     1.0
    describe RCPTS_5_10     Message has 5 to 10 recipients

    meta     RCPTS_11_PLUS  (__COUNT_RCPTS > 10)
    score    RCPTS_11_PLUS  2.0
    describe RCPTS_11_PLUS  Message has 11 or more recipients

That will do exactly as you want. Personally I prefer this (although it does make the reports a bit more ugly as each hit will be displayed):

    # scored once per address found in To: or Cc:
    header   SCORE_RCPTS    ToCc =~ /(?:[^@,\s]+@[^@,\s]+)/
    tflags   SCORE_RCPTS    multiple
    score    SCORE_RCPTS    0.2
    describe SCORE_RCPTS    Adding score for each recipient

That will add 0.2 to the score for every recipient present in the To or Cc header which matches your desire to score +1 for 5 recipients and +2 for 10 or more but with no upper bound (so 50 recipients would add +10), personally I score this at 0.05 to be on the safe side.

Kind regards,
Steve.
Re: Backscatter.org used as RBL??
On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:
> Quoting LuKreme krem...@kreme.com:
>> On 3-Aug-2009, at 18:36, Dennis G German wrote:
>>> Is Backscatter.org http://www.backscatterer.org/index.php used by any rules?
>>
>> Pretty sure not. The way to use that RBL is as an RBL. Don't accept the backscatter in the first place.
>
> If you use the lists as an RBL to reject at SMTP, you will end up rejecting legitimate email. Here, I have the zones rsync to rbldnsd locally and have SA rules test the last external IP.

If you do it right, you are very unlikely to lose legitimate bounces.
Re: Backscatter.org used as RBL??
Quoting LuKreme krem...@kreme.com:
> On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:
>> Quoting LuKreme krem...@kreme.com:
>>> On 3-Aug-2009, at 18:36, Dennis G German wrote:
>>>> Is Backscatter.org http://www.backscatterer.org/index.php used by any rules?
>>>
>>> Pretty sure not. The way to use that RBL is as an RBL. Don't accept the backscatter in the first place.
>>
>> If you use the lists as an RBL to reject at SMTP, you will end up rejecting legitimate email. Here, I have the zones rsync to rbldnsd locally and have SA rules test the last external IP.
>
> If you do it right, you are very unlikely to lose legitimate bounces.

I wasn't referring to legitimate bounces. I was referring to legitimate messages (non bounce). If I started using the backscatterer.org RBL's at SMTP time, guarantee I will get calls and several email messages asking why a message was rejected.
Re: Backscatter.org used as RBL??
On Aug 5, 2009, at 11:53 AM, d.h...@yournetplus.com wrote: I wasn't referring to legitimate bounces. I was referring to legitimate messages (non bounce). If I started using the backscatterer.org RBL's at STMP time, guarantee I will get calls and several email messages asking why a message was rejected. Yea, no way can backscatterer.org be used at SMTP time without serious FPs. We use it but score it pretty low. We've had machines listed in that list that don't even accept email. Chris - Chris Owen - Garden City (620) 275-1900 - Lottery (noun): President - Wichita (316) 858-3000 -A stupidity tax Hubris Communications Inc www.hubris.net -
Re: Backscatter.org used as RBL??
* Chris Owen ow...@hubris.net: We've had machines listed in that list that don't even accept email. Still, these can send out backscatter (send only boxes) -- Ralf Hildebrandt Geschäftsbereich IT | Abteilung Netzwerk Charité - Universitätsmedizin Berlin Campus Benjamin Franklin Hindenburgdamm 30 | D-12203 Berlin Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962 ralf.hildebra...@charite.de | http://www.charite.de
Re: Backscatter.org used as RBL??
If anyone has an example config for sendmail to use the backscatter rbl at smtp time please send it. I take a beating from backscatterers. I would think you could do this with a macro that checks mail from and triggers an rbl check on the ip. Sounds simple but my cf skills are barely above trial and error. Thanks, Sean
Re: Backscatter.org used as RBL??
d.h...@yournetplus.com wrote:
> Quoting LuKreme krem...@kreme.com:
>> On Aug 4, 2009, at 6:35, d.h...@yournetplus.com wrote:
>>> Quoting LuKreme krem...@kreme.com:
>>>> On 3-Aug-2009, at 18:36, Dennis G German wrote:
>>>>> Is Backscatter.org http://www.backscatterer.org/index.php used by any rules?
>>>>
>>>> Pretty sure not. The way to use that RBL is as an RBL. Don't accept the backscatter in the first place.
>>>
>>> If you use the lists as an RBL to reject at SMTP, you will end up rejecting legitimate email. Here, I have the zones rsync to rbldnsd locally and have SA rules test the last external IP.
>>
>> If you do it right, you are very unlikely to lose legitimate bounces.
>
> I wasn't referring to legitimate bounces. I was referring to legitimate messages (non bounce). If I started using the backscatterer.org RBL's at SMTP time, guarantee I will get calls and several email messages asking why a message was rejected.

Backscatter.org is the worst RBL on the planet. If you use it you will get a lot of false positives.
Re: Backscatter.org used as RBL??
Marc Perkel wrote:
> Backscatter.org is the worst RBL on the planet. If you use it you will get a lot of false positives.

Let's compare backscatterer's recommended usage of their list in your favourite MTA against your own recommendation for usage of your hostkarma RBL in your favourite MTA:

1.) HostKarma:

    deny dnslists = hostkarma.junkemailfilter.com=127.0.0.2

2.) BackScatterer:

    deny senders     = :
         dnslists    = ips.backscatterer.org
         log_message = $sender_host_address listed at $dnslist_domain
         message     = Backscatter: $dnslist_text

I would argue, and I expect few would disagree, that you're more likely to get a false positive from the first than the second. Or were you ignoring the large bright red warning signs and usage information on http://www.backscatterer.org/ ?

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226)
http://cardwellit.com/
Geniuses at expedia.com
Yes, I know, if you enforce all the RFC's you will not get much spam, but you won't get much email either.

Maybe it's just me, but I am tired of explaining to clients that the people who write SMTP or WEB APP response type software don't seem to care if their email is formatted correctly or not. If it's a small outfit that wrote the web app, it's more likely that they will fix it (given some prodding)

is this a FP on invalid_date?, or just crappy programming on the part of Expedia.com?

Come on guys, at least use the same helo name as the DNS name,

received:from smtpb.expeso.com (smtp.expedia.com

and did you ever hear of Y2K? can't you afford to send out two more digits in the year?

date:31 Jul 09 10:13 -0800

And what's with the 'feature' of FORGING THE SENDERS EMAIL ADDRESS? even in the envelope from? can't even whitelist them, sure can't spf whitelist them if they force the envelope from and header from.

x-envelope-from:sen...@hotmail.com
x-spam-status:Yes, score=6.904 tag=-999 tag2=5 kill=5 tests=[BAYES_00=0.1, DCC_CHECK=1.5, DCC_REPUT_60_69=0.1, HTML_MESSAGE=0.001, INVALID_DATE=1.245, MIME_HTML_ONLY=0.957, NO_REAL_NAME=1, RELAY_COUNTRY_US=0.001, SARE_OEM_S_PRICE=1, SPF_SOFTFAIL=1] autolearn=no
received:from mx1.x.cc.ionspam.net ([10.71.0.40]) by localhost (x.cc.ionspam.net [10.71.0.40]) (SpammerTrap(r) VPS-750, port 10024) with LMTP id dY9KthQVD-7p for recei...@example.com; Fri, 31 Jul 2009 13:13:32 -0400 (EDT)
received:from smtpb.expeso.com (smtp.expedia.com [216.251.115.225]) by mx1.x.cc.ionspam.net (Postfix) with ESMTP id 634411CC107 for; Fri, 31 Jul 2009 13:13:26 -0400 (EDT)
message-id:6uai5q$pm...@smtpb.expeso.com
date:31 Jul 09 10:13 -0800

--
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
* Certified SNORT Integrator
* 2008-9 Hot Company Award Winner, World Executive Alliance
* Five-Star Partner Program 2009, VARBusiness
* Best Anti-Spam Product 2008, Network Products Guide
* King of Spam Filters, SC Magazine 2008
Re: Again AWL confusion
On 05.08.09 00:31, Martin Gregorie wrote: If, for some (very) odd reason you run greylisting after SA then *of course* your host has (a) seen the mail and (b) passed it through SA. How else can the mail get to the greylister? Would you care to explain why you put a greylister behind SA? Do you know how a greylister works and why it was designed to work that way? Matus UHLAR - fantomas wrote: He already explained that he greylists only mail that scores above a limit. On 05.08.09 10:15, a...@exys.org wrote: exactly. The point is that scores below 2 are never spam, so i avoid greylisting. Thats my whitelist (you usually need for greylisting) at the same time, since i whitelist some hosts in SA. In that case we can assume the spam scored high even before so it got greylisted. In such case I doubt it was learned as ham, unless the greylisting check is broken... above 2. The njabl hit would have been enough to hit that. It didn't score above 10, because that would have been rejected at smtp time. My guess is that it scored 2 on the first try, then later it would have scored above 10 due to surbl listings, but awl kicks in and lowers the score thinking the greylisted mail was an independent message. that's it! you can look at spamd logs and search for the same message-id. And where else did greylisted mail appear in the log? For the mail to be logged as rejected by a greylister *after* its been through SA it must also have been inspected by AWL and therefore it did affect the AWL database. oh right, i could look at the SA log, but i already know it passed SA 3 times. while repeated learning of the same message does not affect bayes, I think this doesn't apply for AWL. the question is, why it scored hammy? aep, how did it score before greylisting? Are you sure you do not have bug in your greylisting code? see above. i'm pretty sure the bug is passing the same message to SA multiple times. 
Btw, I'm not sure if it should not be low scoring messages (spams) for which greylisting is very good, since you won't become that early recipient... 2 to 5 is the sweetspot. That message in question actually proved it is working, since the URIBL hits came later. Then it scores 10 so it gets rejected. I think that setup is fairly smart, excluding the problem that i train SA with wrong information. I wonder if i could ask SA to score a message without learning it, although exim-sa propably doesnt support that. turning off AWL and autolearn (optionally only when run at SMTP time) would help you here. Although using such setup you loose much of advantages (like AWL ;-) and especially personalising... -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. The box said 'Requires Windows 95 or better', so I bought a Macintosh.
Re: Again AWL confusion
On Wed, 2009-08-05 at 22:21 +0200, Matus UHLAR - fantomas wrote: turning off AWL and autolearn (optionally only when run at SMTP time) would help you here. Although using such setup you loose much of advantages (like AWL ;-) and especially personalising... There are cases where AWL is a menace. In my case I run SA as part of the 'pipeline'[*] between fetchmail and Postfix because there's a bad interaction between the way Postfix runs SA as a subservice and its always_bcc directive. I found that in my set-up AWL was consistently giving unhelpful scores, so its been turned off for quite a while now. [*] 'pipeline' because fetchmail's mda option feeds a pipeline leading to the Postfix.sendmail utility that passes the mail to Postfix. Martin
Detecting email from my domain
Hi SAs,

Well, as far as i am receiving email from my domain to my domain. I don't want to block it because there are about 10% of email that is okay. I'd like to know if there is a plug or a rule for SA to give more grade if email comes from other ip than MX.

TIA

LD
Re: Again AWL confusion
On Wed, 05 Aug 2009 10:15:00 +0200 a...@exys.org wrote: 2 to 5 is the sweetspot. That message in question actually proved it is working, since the URIBL hits came later. Then it scores 10 so it gets rejected. I noticed earlier that you were greylisting for only 60s; that seems like a fairly short delay to affect listing. I think that setup is fairly smart, I don't run my own mta, but I do something analogous, in that I do an initial test with Bogofilter and use the result to delay spam up to 24 hours before it's processed with SA. I think if I were doing greylisting I might use Bogofilter's ham result to bypass it, and the unsure/spam results to set short or long delay. excluding the problem that i train SA with wrong information. I think if Bayes is being mistrained, you have the autotrain thresholds wrong. And in your situation, it's not going to be possible to reverse it properly since the signature will change with the received headers.
Re: Detecting email from my domain
On Wed, 5 Aug 2009, Luis Daniel Lucio Quiroz wrote:
> Hi SAs,
>
> Well, as far as i am receiving email from my domain to my domain. I don't want to block it because there are about 10% of email that is okay. I'd like to know if there is a plug or a rule for SA to give more grade if email comes from other ip than MX.
>
> TIA
>
> LD

Assuming you have control over the DNS for your domain, publish an SPF record to state which machines/IP-addresses are valid email sources for your domain. Then when spammers forge your addresses it will fail the SPF tests and SA will automagically add points to those messages. (it may also help to reduce back-scatter abuses of your domain).

There are various online tools to create and test SPF records, see:
http://old.openspf.org/wizard.html
http://www.kitterman.com/spf/validate.html

--
Dave Funk                              University of Iowa
dbfunk (at) engineering.uiowa.edu      College of Engineering
319/335-5751 FAX: 319/384-0549         1256 Seamans Center
Sys_admin/Postmaster/cell_admin        Iowa City, IA 52242-1527
#include std_disclaimer.h
Better is not better, 'standard' is better. B{
Pet photo signatures
This just seems like another good way to sneak spam through: http://myemailpets.com/ I love to share photos of my cat, but I don't want to choke up the email system with them, esp. if it enables spammers one more avenue to piggyback their crap on.
Making this FN correctly scored as spam
http://pastebin.com/m5e126ea

This came to one of my addresses where what I usually get is 99% spam and was scored as ham, no matter what I've done I can't get it to score the minimum +5 points. After learning it as spam with sa-learn and using spamassassin -r to report to razor/pyzor/dcc and removing the senders address from the AWL with spamassassin --remove-addr-from-whitelist it still scores below the required:

Content analysis details:   (1.6 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
-0.1 RCVD_IN_JMF_W          RBL: JunkEmailFilter: relay in white list (first pass)
                            [66.114.171.113 listed in hostkarma.junkemailfilter.com]
-4.0 RCVD_IN_DNSWL_MED      RBL: Sender listed at http://www.dnswl.org/, medium trust
                            [66.114.171.113 listed in list.dnswl.org]
 5.0 BAYES_99               BODY: Bayesian spam probability is 99 to 100%
                            [score: 1.]
-0.0 SPF_PASS               SPF: sender matches SPF record
 0.0 DK_SIGNED              Domain Keys: message has a signature
 0.0 DKIM_SIGNED            Domain Keys Identified Mail: message has a signature
 0.0 MIME_HTML_MOSTLY       BODY: Multipart message mostly text/html MIME
 0.0 HTML_MESSAGE           BODY: HTML included in message
 0.7 MPART_ALT_DIFF         BODY: HTML and text parts are different
 2.2 DCC_CHECK              listed in DCC (http://rhyolite.com/anti-spam/dcc/)
                            [localhost 1201; Body=many Fuz1=many]
                            [Fuz2=many]
-2.2 KHOP_RCVD_TRUST        DNS-Whitelisted sender is verified

These are few and far between however there were two today that made it past. Any suggestions would be appreciated

--
KeyID 0xE372A7DA98E6705C
Re: can Spamassassin count recipients?
On Wed, 2009-08-05 at 12:11 +0200, Tomasz Chmielewski wrote:
> Is it possible to count recipients with Spamassassin?
>
> Some of the spam I receive has multiple recipients in To: and/or CC: headers, i.e.:
>
> To: 1...@example.com, 2...@example.com, 3...@example.com
> CC: 1...@example.com, 2...@example.com, 3...@example.com
>
> I would like to count the number of recipients and assign score accordingly. For example, when there are 5-10 recipients, assign 1 point; 11 recipients and more - assign 2 points.
>
> Is it possible with Spamassassin?

Here's the rule(s) I use. They were posted here on the list quite awhile back:

    describe TO_TOO_MANY      To: too many recipients
    header   TO_TOO_MANY      To =~ /(?:,[^,]{1,80}){20}/
    score    TO_TOO_MANY      0.3

    describe TO_WAY_TOO_MANY  To: way too many recipients
    header   TO_WAY_TOO_MANY  To =~ /(?:,[^,]{1,80}){20}/
    score    TO_WAY_TOO_MANY  0.3

    describe CC_TOO_MANY      CC: too many recipients
    header   CC_TOO_MANY      CC =~ /(?:,[^,]{1,80}){15}/
    score    CC_TOO_MANY      0.3

IIRC you can change the parameters in the 2nd set of {} to whatever number you decide, ie.. {20} to {10} or whatever.

--
KeyID 0xE372A7DA98E6705C
Re: Making this FN correctly scored as spam
On Wed, 2009-08-05 at 19:12 -0500, Chris wrote: This came to one of my address where what I usually get is 99% spam and was scored as ham, no matter what I've done I can't get it to score the Without looking at the sample provided... -0.1 RCVD_IN_JMF_W RBL: JunkEmailFilter: relay in white list -4.0 RCVD_IN_DNSWL_MED RBL: Sender listed at http://www.dnswl.org/, medium trust Tell the whitelists about it. -2.2 KHOP_RCVD_TRUSTDNS-Whitelisted sender is verified And re-verify your custom rules. Copied is custom, too. -- char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: can Spamassassin count recipients?
On Wed, 5 Aug 2009, Chris wrote:
> On Wed, 2009-08-05 at 12:11 +0200, Tomasz Chmielewski wrote:
>> For example, when there are 5-10 recipients, assign 1 point; 11 recipients and more - assign 2 points.
>
> Here's the rule(s) I use. They were posted here on the list quite awhile back:
>
> describe TO_TOO_MANY      To: too many recipients
> header   TO_TOO_MANY      To =~ /(?:,[^,]{1,80}){20}/
> score    TO_TOO_MANY      0.3
>
> describe TO_WAY_TOO_MANY  To: way too many recipients
> header   TO_WAY_TOO_MANY  To =~ /(?:,[^,]{1,80}){20}/
> score    TO_WAY_TOO_MANY  0.3

TO_WAY_TOO_MANY should have something higher than 20 addresses if that's how many will trigger TO_TOO_MANY. With them set to the same number, they are duplicate rules and SA collapses them - only one will ever hit.

I use 30 and 50.

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
Where We Want You To Go Today 07/05/07: Microsoft patents in-OS adware architecture incorporating spyware, profiling, competitor suppression and delivery confirmation (U.S. Patent #20070157227)
---
Today: the 274th anniversary of John Peter Zenger's acquittal
Re: can Spamassassin count recipients?
On Wed, 2009-08-05 at 19:22 -0700, John Hardin wrote:
> On Wed, 5 Aug 2009, Chris wrote:
>> On Wed, 2009-08-05 at 12:11 +0200, Tomasz Chmielewski wrote:
>>> For example, when there are 5-10 recipients, assign 1 point; 11 recipients and more - assign 2 points.
>>
>> Here's the rule(s) I use. They were posted here on the list quite awhile back:
>>
>> describe TO_TOO_MANY      To: too many recipients
>> header   TO_TOO_MANY      To =~ /(?:,[^,]{1,80}){20}/
>> score    TO_TOO_MANY      0.3
>>
>> describe TO_WAY_TOO_MANY  To: way too many recipients
>> header   TO_WAY_TOO_MANY  To =~ /(?:,[^,]{1,80}){20}/
>> score    TO_WAY_TOO_MANY  0.3
>
> TO_WAY_TOO_MANY should have something higher than 20 addresses if that's how many will trigger TO_TOO_MANY. With them set to the same number, they are duplicate rules and SA collapses them - only one will ever hit.
>
> I use 30 and 50.

You're right John, I thought I'd changed the numbers when I installed, guess not. I'll do it now.

Chris

--
KeyID 0xE372A7DA98E6705C
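The recipient-counting approaches from this thread, compared against a real address-list parser. This is an added example, not code from any of the posters, and Python's re stands in for SpamAssassin's matching: it assumes the per-address pattern is [^@,\s]+@[^@,\s]+ (the archive has mangled it), and every header below is constructed.

```python
"""Compare the thread's recipient-counting regexes with a header parser."""
import re
from email.utils import getaddresses

# Per-address pattern from the "tflags multiple" reply (assumed reconstruction).
ADDRESS_RE = re.compile(r"[^@,\s]+@[^@,\s]+")

# Constructed sample headers.
PLAIN_6 = ", ".join(f"u{i}@example.com" for i in range(6))
PLAIN_11 = ", ".join(f"u{i}@example.com" for i in range(11))
QUOTED_11 = ", ".join(f'"User{i}, Test" <u{i}@example.com>' for i in range(11))
AT_IN_NAME = '"sales@example.com" <real@example.org>'


def count_by_address_regex(to="", cc=""):
    """Model of a 'multiple' rule on To+Cc: one hit per regex match."""
    return len(ADDRESS_RE.findall(f"{to}\n{cc}"))


def count_by_parser(to="", cc=""):
    """Reference count: addresses found by a real address-list parser."""
    fields = [h for h in (to, cc) if h.strip()]
    return sum(1 for _name, addr in getaddresses(fields) if "@" in addr)


def comma_rule_hits(header, n):
    """The /(?:,[^,]{1,80}){n}/ test: n runs of comma plus non-comma text."""
    return re.search(r"(?:,[^,]{1,80}){%d}" % n, header) is not None


def band_score(count):
    """The banding asked for: 5-10 recipients -> 1 point, 11 or more -> 2."""
    if count >= 11:
        return 2.0
    if count >= 5:
        return 1.0
    return 0.0


def per_recipient_score(count, each=0.2):
    """The unbounded alternative: a fixed score for every recipient."""
    return round(count * each, 2)


def evaluate(to="", cc=""):
    """Run every counting method over one To/Cc pair."""
    n = count_by_address_regex(to, cc)
    return {
        "regex_count": n,
        "parser_count": count_by_parser(to, cc),
        "band": band_score(n),
        "per_recipient": per_recipient_score(n),
        "comma_20": comma_rule_hits(to, 20),
    }


if __name__ == "__main__":
    for name, header in (("PLAIN_6", PLAIN_6), ("PLAIN_11", PLAIN_11),
                         ("QUOTED_11", QUOTED_11), ("AT_IN_NAME", AT_IN_NAME)):
        print(f"{name:11s}", evaluate(header))
```

Two things show up: commas inside quoted display names make the {20} comma rule fire on 11 recipients, and an '@' in a display name makes the per-address regex count one recipient twice.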
Re: Detecting email from my domain
On Wed, 5 Aug 2009 17:26:08 -0500, Luis Daniel Lucio Quiroz Well, as far as i am receiving email from my domain to my domain. I dont want to block it because there are about 10% of email that is okay. I'd like to know if there is a plug or a rule for SA to give more grade if email comes from other ip than MX. google postfwd equal sender recipient, or openspf your domain, in mta use smtp auth all else will fail -- Benny Pedersen