Re: Scores, razor, and other questions
MySQL Student wrote:
> Hi,
>
> After another day of hacking, I have a handful of general questions
> that I hoped you could help me to answer.
>
> - How can I find the score of a particular rule, without having to use
> grep? I'm concerned that I might find it at some score, only for it to
> be redefined somewhere else that I didn't catch. Something I can do
> from the command-line?

No, to be comprehensive you'd have to do a series of greps, one for the default set, site rules, and user_prefs. You could probably make a little shell script to automate grepping all 3.

> - How do I find out what servers razor is using? What is the current
> license now that it's hosted on sf, or are the query servers not also
> running there? It doesn't list any restrictions on the web site.

Wow.. the razor client has been hosted on SF for a LOOong time.. Like 6 years now?

Regardless, the servers are operated by Vipul's company, cloudmark.

Try running razor-admin -d -discover. Alternatively, look at razor's server.lst file.

> - The large majority of the spam that I receive these days is a result
> of a URL not being listed in one of the SBLs. I'm using SURBL, URIBL,
> and spamcop. For example, I caught several hours
> ago, and it's still not listed in any of the SBLs. Am I doing
> something wrong or am I missing an SBL? Has anyone else's spam with
> URLs increased a lot lately?

Note: domain censored, verizon's spam outbreak controls won't let me send the message with that domain in it right now.

URIBLs have some inherent lag, and spammers are playing a race game with the URIBLs, trying to change domains faster than they get listed. Fortunately, the domain registrations cost the spammers money, so increasing the number of those they need is good.

Personally, I find bayes tends to clean up most of what gets missed, although I auto-feed my bayes using spamtrap addresses that automatically submit to sa-learn --spam, resulting in very fresh spam training.

Looking at uribl, they've currently got it listed in URIBL gold, but that's a non-free list of theirs. It's also a "proactive" list, so it will list domains before they send spam, making it more effective against mutating runs, but also might toss a FP or two on new domains.

> Thanks,
> Alex
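The "series of greps" suggested in the reply above can be automated. The following is an added example, not code from anyone in the thread: it scans the configuration layers in load order, lists every "score" line for a rule, and reports the one that wins (the last definition read). The sample tree and its scores are constructed so the script runs offline; the real directory locations named in the comments are typical defaults and are an assumption about your install. Relative scores written in parentheses are skipped.

```python
import re
import tempfile
from pathlib import Path

# "score NAME v" or "score NAME v0 v1 v2 v3", optionally followed by a comment.
SCORE_RE = re.compile(r"^\s*score\s+(\S+)\s+(.+?)\s*(?:#.*)?$")


def config_files(layer):
    """A layer is a directory of *.cf files (read in sorted order) or one file."""
    path = Path(layer)
    if path.is_dir():
        return sorted(path.glob("*.cf"))
    return [path] if path.is_file() else []


def find_scores(rule, layers):
    """Every 'score' line for `rule`, in load order: (file, line number, values)."""
    hits = []
    for layer in layers:
        for path in config_files(layer):
            lines = path.read_text(errors="replace").splitlines()
            for lineno, line in enumerate(lines, 1):
                m = SCORE_RE.match(line)
                if not m or m.group(1) != rule:
                    continue
                try:
                    values = [float(v) for v in m.group(2).split()]
                except ValueError:
                    continue  # relative "(n.n)" adjustments are not handled here
                hits.append((str(path), lineno, values))
    return hits


def effective_score(rule, layers, scoreset=3):
    """Score from the last definition read, or None if the rule is never scored.

    A four-value line gives one score per score set:
    0 = no Bayes/no network, 1 = network only, 2 = Bayes only, 3 = both.
    """
    hits = find_scores(rule, layers)
    if not hits:
        return None
    values = hits[-1][2]
    return values[scoreset] if len(values) == 4 else values[0]


def build_sample_layers(root):
    """Constructed sample tree standing in for the three real locations."""
    root = Path(root)
    default, site = root / "default", root / "site"
    default.mkdir()
    site.mkdir()
    (default / "50_scores.cf").write_text("score L_TAB_IN_FROM 0.5\n")
    (site / "local.cf").write_text(
        "# site override\nscore L_TAB_IN_FROM 1.0 1.2 1.4 1.6  # per score set\n"
    )
    user_prefs = root / "user_prefs"
    user_prefs.write_text("score L_TAB_IN_FROM 2.5\n")
    # On a real system (assumed typical defaults) the layers would be e.g.
    # /usr/share/spamassassin, /etc/mail/spamassassin, ~/.spamassassin/user_prefs
    return [default, site, user_prefs]


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        layers = build_sample_layers(tmp)
        for path, lineno, values in find_scores("L_TAB_IN_FROM", layers):
            print(f"{path}:{lineno}: {values}")
        print("effective:", effective_score("L_TAB_IN_FROM", layers))
```
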
Scores, razor, and other questions
Hi,

After another day of hacking, I have a handful of general questions that I hoped you could help me to answer.

- How can I find the score of a particular rule, without having to use grep? I'm concerned that I might find it at some score, only for it to be redefined somewhere else that I didn't catch. Something I can do from the command-line?

- How do I find out what servers razor is using? What is the current license now that it's hosted on sf, or are the query servers not also running there? It doesn't list any restrictions on the web site.

- The large majority of the spam that I receive these days is a result of a URL not being listed in one of the SBLs. I'm using SURBL, URIBL, and spamcop. For example, I caught guadelumbouis.com several hours ago, and it's still not listed in any of the SBLs. Am I doing something wrong or am I missing an SBL? Has anyone else's spam with URLs increased a lot lately?

Thanks,
Alex
Re: OT: Nehelam's New HT ability.... and ability to handle spamd high load (preheating cache?)
My bios doesn't allow shutting off HT, but does allow turning off 2 or 3 cores (allowing dual or single) -- I'd rather see that type of feature at runtime - allowing system load to decide whether to activate another core -- though the diff on my 2.6GHZ in power consumption went from about 157 watts (according to its front panel), to over 260 when I loaded all 8 'virtual' cores (only 4 corex2HT's/core). That's w/8 hard disks inside (though not under load...just spinning).

Seems to be no way on my machine (Dell is so limiting sometimes), to turn off unused hard drives, or only spin them up when I want to use them -- Some are hot-spare or just unconfig'ed, yet they spinup. I'd also prefer my own *choice* of whether or not to use the on-disk cache as well as the raid controller's cache. I virtually never have unplanned shutdowns -- (it's on a UPS that will run for >1hour under its load).

Maybe some of this control will get into the lk -- or does the bios have to support everything? Supposedly it has temp and electrical monitoring 'galore', but I can't even read the DIMM temps.

I went with the 'eco' power supplies at 570W (vs. 870). But got the dual power supply backup -- I think, from what I can measure, it splits the power usage between the supplies unless one goes out. That could mean I really have a 1140W available? Dunno. Not sure exactly what 'spare' means -- if it limits total consumption to level of 1 supply even though it splits the load (power meter hooked to one and watched it go to half load when other was plugged in).

BTW, I'm running at 1333MHZ, so maybe it's a heat dissipation prob and not power? I'm only pulling 157-160 to a max of 260 (didn't have disks churning though -- was just running copies of ssh-keygen -b 16384 -- that seems to take it a little bit...8192 comes out in about 10 seconds though. :-).

Oblig:sa-users -- I may finally have my 'dead -email' restart problem solved.

Before, if I had a large queue, I had to stop fetchmail, often -- download only 10-20 at a time so its emails wouldn't overload my sendmail queue (it gets backed up on spamassassin). My minimum time for SA (w/network tests) is around 3 seconds. But during heavy loads it can really go high -- and my machine can just run out of memory and process space. (part of it is sendmail looking up hosts of received email and bind starting 'cold' (no cache).

But started with 2700 emails, ... after # processes got to about 900, I chickened a bit and paused the fetchmail until they dropped under 400 (note, 'load' never went over '2' the whole time, so it was mostly network wait time). But after the initial clear I had about 2200 emails left and just let it run. At that point, I could see it keeping up -- bind's cache was a lot warmer now, so not as much network traffic.

I added the 'delay time' taken by spamd when running my email inputs (it's actually my filter delay time, but the max diff between the two is about .01 seconds, so it's mostly spamd delay -- my stats for today from ~9:30am are: (n=#emails)

n=4513, min=3.27s, max=208.09s, ave=35.16s, mean=27.43s

I suppose for RBL's, some of those results are cached in bind as well? I wonder if there's any way to speed up priming the cache before downloading a bunch of emails (not that I'm off line for that long usually) -- but it's sorta too bad bind doesn't save its DB on disk on a shutdown, and read it back in after a reboot -- and then expire if needed...

Nix wrote:
> On 1 Aug 2009, Linda Walsh stated:
>> Per Jessen wrote:
>>> Not sure about that - AFAICT, it's exactly the same technology. (I haven't done in exhaustive tests though).
>>
>> Supposedly 'Very' different (I hope)...
>
> Oh yes. I have a P4 here (2GHz Northwood), and two Nehalems (one 2.6GHz Core i7 with 12Gb RAM and a 2.26GHz L5520 with 24Gb, hello overkill).
>
> Compared to the P4s, the Nehalems are *searingly* fast: the performance difference is far higher than I was expecting, and much higher than the clockspeed different would imply. Things the P4 takes half an hour to do, the Nehalems often slam through in a minute or less (!), especially things like compilations that need a lot of cache. Surprisingly, even some non-parallelizable things (like going into a big newsgroup in Gnus) are hugely faster (22 minutes versus 39 seconds: it's a *really* big newsgroup).
>
> I suspect the cause is almost entirely the memory interface and cache. The Northwood has, what, 512Kb L2 cache? The Nehalem has 256Kb... but it has 8Mb of shared L3 cache, and an enormously faster memory interface (the FSB is dead, Intel has a decent competitor to HyperTransport at last). I was an AMD fan for years, but the Nehalem has won me back to Intel again.
>
>> 1) You can't turn it off in the BIOS
>
> This depends on the BIOS. Both of mine provide the option: I benched it and found a 40% speedup for the things I do leaving it on.
>
>> 2) claim of benefit from increased cache (FALSE), (have older 2x2 Dual Cor
Re: message was forwarded more than the maximum allowed times
On Fri, 2009-08-07 at 15:47 -0700, Evan Platt wrote:
> At 03:27 PM 8/7/2009, you wrote:
> >I sent a spam report to abuse and postmaster at webexmailer.com last
> >night. This morning I received this failure message for both abuse and
> >postmaster:
> >
> >Unable to deliver message to the following recipients, because the
> >message was forwarded more than the maximum allowed times. This could
> >indicate a mail loop.
> >
> >I assume the failure was due to the fact that it bounced around so many
> >servers at webex but I fail to see the reasoning for this other than the
> >fact that doing this causes failures of reports to their abuse and
> >postmaster addresses.
> >
> >Any enlightenment would be appreciated
>
> This doesn't have anything to do with spamassassin, but looks like a
> configuration on the receiving server's side. I don't think the
> message indicates an issue with bouncing around servers, but
> 'forwarding' - ie mail to postmas...@example.com goes to
> i...@example.com which goes to techsupp...@example.com which goes to
> st...@example.com which goes to but that again has nothing to do
> with spamassassin and is something only the person who runs the mail
> server for webexmailer could answer.

Thank you Evan, yes, this doesn't have anything to do with SA, however the smartest people I know dealing with mail are right here. I've sent a message to the tech contact at webex.com and will see what happens. Thread ended.

Thanks
Chris

--
KeyID 0xE372A7DA98E6705C
Re: Geniuses at expedia.com
On 8/6/09 11:44 PM, Henrik K wrote:
> Pretty good here..
>
> OVERALL   SPAM%     HAM%     S/O    RANK   SCORE  NAME
>       0   24942    79955   0.238    0.00    0.00  (all messages)
>   0.676  2.7504   0.0288   0.990    0.00    0.01  T_TAB_IN_FROM
>
> For some reason all the FPs appeared to come through MailScanner. Seems it
> liked to delimit all headers with tabs? Wonder what was that.. maybe some
> old version bug.
>
> Mind if I put that in SA mass checks?

Good to see others' stats. Go ahead, it's all yours. This was a real hitter a while back; it has slowed somewhat of late.

On 8/7/09 4:45 AM, Mark Martinec wrote:
> < header L_TAB_IN_FROM ALL =~ /\nFrom:\t/s
> -> header L_TAB_IN_FROM From:raw =~ /^\t/m

Thanks Mark. Much nicer.

-- Mike
Re: message was forwarded more than the maximum allowed times
At 03:27 PM 8/7/2009, you wrote:
> I sent a spam report to abuse and postmaster at webexmailer.com last night. This morning I received this failure message for both abuse and postmaster:
>
> Unable to deliver message to the following recipients, because the message was forwarded more than the maximum allowed times. This could indicate a mail loop.
>
> I assume the failure was due to the fact that it bounced around so many servers at webex but I fail to see the reasoning for this other than the fact that doing this causes failures of reports to their abuse and postmaster addresses.
>
> Any enlightenment would be appreciated

This doesn't have anything to do with spamassassin, but looks like a configuration on the receiving server's side. I don't think the message indicates an issue with bouncing around servers, but 'forwarding' - ie mail to postmas...@example.com goes to i...@example.com which goes to techsupp...@example.com which goes to st...@example.com which goes to but that again has nothing to do with spamassassin and is something only the person who runs the mail server for webexmailer could answer.
message was forwarded more than the maximum allowed times
I sent a spam report to abuse and postmaster at webexmailer.com last night. This morning I received this failure message for both abuse and postmaster:

Unable to deliver message to the following recipients, because the message was forwarded more than the maximum allowed times. This could indicate a mail loop.

Reporting-MTA: dns;gw1.webex.com
Received-From-MTA: dns;mx1.webex1.iphmx.com
Arrival-Date: Thu, 6 Aug 2009 20:03:02 -0700
Final-Recipient: rfc822;ab...@webexmailer.com
Action: failed
Status: 4.4.6

Looking at the headers of the returned message I see:

Received: from gw1.webex.com ([64.68.122.208]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 20:03:02 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.32]) by gw1.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 19:52:05 -0700
X-ironport-av: E=Sophos;i="4.43,338,1246863600"; d="scan'208";a="28444052"
Received: from gw2.webex.com ([64.68.122.209]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 19:52:05 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.32]) by gw2.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 19:42:04 -0700
X-ironport-av: E=Sophos;i="4.43,338,1246863600"; d="scan'208";a="28443197"
Received: from gw2.webex.com ([64.68.122.209]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 19:42:04 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.84]) by gw2.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 19:32:00 -0700
X-ironport-av: E=Sophos;i="4.43,338,1246863600"; d="scan'208";a="22725559"
Received: from gw1.webex.com ([64.68.122.208]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 19:32:00 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.84]) by gw1.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 19:21:03 -0700
X-ironport-av: E=Sophos;i="4.43,338,1246863600"; d="scan'208";a="22725033"
Received: from gw2.webex.com ([64.68.122.209]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 19:21:03 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.84]) by gw2.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 19:11:01 -0700
X-ironport-av: E=Sophos;i="4.43,338,1246863600"; d="scan'208";a="22724341"
Received: from gw2.webex.com ([64.68.122.209]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 19:11:02 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.84]) by gw2.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 19:01:00 -0700
X-ironport-av: E=Sophos;i="4.43,338,1246863600"; d="scan'208";a="22723679"
Received: from gw2.webex.com ([64.68.122.209]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 19:01:01 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.84]) by gw2.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 18:50:59 -0700
X-ironport-av: E=Sophos;i="4.43,338,1246863600"; d="scan'208";a="22723131"
Received: from gw2.webex.com ([64.68.122.209]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 18:51:00 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.32]) by gw2.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 18:40:56 -0700
X-ironport-av: E=Sophos;i="4.43,337,1246863600"; d="scan'208";a="28437390"
Received: from gw2.webex.com ([64.68.122.209]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 18:40:56 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.32]) by gw2.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 18:40:56 -0700
X-ironport-av: E=Sophos;i="4.43,337,1246863600"; d="scan'208";a="28437388"
Received: from gw1.webex.com ([64.68.122.208]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 18:40:56 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.84]) by gw1.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 18:30:55 -0700
X-ironport-av: E=Sophos;i="4.43,337,1246863600"; d="scan'208";a="22720385"
Received: from gw1.webex.com ([64.68.122.208]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 18:30:55 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.32]) by gw1.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 18:20:20 -0700
X-ironport-av: E=Sophos;i="4.43,337,1246863600"; d="scan'208";a="28435853"
Received: from gw1.webex.com ([64.68.122.208]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 18:20:21 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.32]) by gw1.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 18:20:20 -0700
X-ironport-av: E=Sophos;i="4.43,337,1246863600"; d="scan'208";a="28435847"
Received: from gw2.webex.com ([64.68.122.209]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 18:20:21 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.84]) by gw2.webex.com with Microsoft SMTPSVC(6.0.3790.3959); Thu, 6 Aug 2009 18:20:19 -0700
X-ironport-av: E=Sophos;i="4.43,337,1246863600"; d="scan'208";a="22719802"
Received: from gw1.webex.com ([64.68.122.208]) by mx1.webex1.iphmx.com with SMTP; 06 Aug 2009 18:20:20 -0700
Received: from mx1.webex1.iphmx.com ([74.201.116.32]) by gw1.webex.com with Microsoft SMTPSVC(6.0.
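A header trail like the one in the post above can be checked mechanically. This is an added example, not code from the thread: it parses Received headers, counts how many times each host took the message, and flags hosts and from/by pairs that repeat. The sample headers are constructed, with hypothetical host names and documentation IP addresses, and the max_visits threshold is an assumption chosen for the sample.

```python
import re
from collections import Counter
from email import message_from_string

# "from <host> ... by <host>" inside one Received header (may be folded).
HOP_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.I | re.S)

# Constructed sample, newest header first, as in a real message.
SAMPLE_LOOP = """\
Received: from gw1.example.net ([192.0.2.10]) by mx1.example.org with SMTP;
 06 Aug 2009 19:30:00 -0700
Received: from mx1.example.org ([198.51.100.5]) by gw1.example.net with ESMTP;
 Thu, 6 Aug 2009 19:20:00 -0700
Received: from gw2.example.net ([192.0.2.11]) by mx1.example.org with SMTP;
 06 Aug 2009 19:20:00 -0700
Received: from mx1.example.org ([198.51.100.5]) by gw2.example.net with ESMTP;
 Thu, 6 Aug 2009 19:10:00 -0700
Received: from gw1.example.net ([192.0.2.10]) by mx1.example.org with SMTP;
 06 Aug 2009 19:10:00 -0700
Received: from mx1.example.org ([198.51.100.5]) by gw1.example.net with ESMTP;
 Thu, 6 Aug 2009 19:00:00 -0700
Received: from mail.sender.example ([203.0.113.7]) by mx1.example.org with SMTP;
 06 Aug 2009 19:00:00 -0700
Subject: constructed sample

"""

# Constructed sample of a normal two-hop delivery.
SAMPLE_CLEAN = """\
Received: from mx1.example.org ([198.51.100.5]) by gw1.example.net with ESMTP;
 Thu, 6 Aug 2009 19:00:00 -0700
Received: from mail.sender.example ([203.0.113.7]) by mx1.example.org with SMTP;
 06 Aug 2009 19:00:00 -0700
Subject: constructed sample

"""


def received_hops(raw_headers):
    """Return (from_host, by_host) pairs, oldest hop first."""
    msg = message_from_string(raw_headers)
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        if m:
            hops.append((m.group(1).lower(), m.group(2).lower()))
    hops.reverse()  # headers are prepended, so the last one is the first hop
    return hops


def loop_report(hops, max_visits=2):
    """Flag hosts that received the message more than max_visits times."""
    visits = Counter(by for _, by in hops)
    repeated_hosts = {h: n for h, n in visits.items() if n > max_visits}
    repeated_edges = {e: n for e, n in Counter(hops).items() if n > 1}
    return {
        "hops": len(hops),
        "repeated_hosts": repeated_hosts,
        "repeated_edges": repeated_edges,
        "looping": bool(repeated_hosts),
    }


if __name__ == "__main__":
    for name, sample in (("loop", SAMPLE_LOOP), ("clean", SAMPLE_CLEAN)):
        report = loop_report(received_hops(sample))
        print(name, report)
```
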
Re: OT: Nehelam's New HT ability....
On 1 Aug 2009, Linda Walsh stated:
> Per Jessen wrote:
>> Not sure about that - AFAICT, it's exactly the same technology. (I
>> haven't done in exhaustive tests though).
>
> Supposedly 'Very' different (I hope)...

Oh yes. I have a P4 here (2GHz Northwood), and two Nehalems (one 2.6GHz Core i7 with 12Gb RAM and a 2.26GHz L5520 with 24Gb, hello overkill).

Compared to the P4s, the Nehalems are *searingly* fast: the performance difference is far higher than I was expecting, and much higher than the clockspeed different would imply. Things the P4 takes half an hour to do, the Nehalems often slam through in a minute or less (!), especially things like compilations that need a lot of cache. Surprisingly, even some non-parallelizable things (like going into a big newsgroup in Gnus) are hugely faster (22 minutes versus 39 seconds: it's a *really* big newsgroup).

I suspect the cause is almost entirely the memory interface and cache. The Northwood has, what, 512Kb L2 cache? The Nehalem has 256Kb... but it has 8Mb of shared L3 cache, and an enormously faster memory interface (the FSB is dead, Intel has a decent competitor to HyperTransport at last). I was an AMD fan for years, but the Nehalem has won me back to Intel again.

> 1) You can't turn it off in the BIOS

This depends on the BIOS. Both of mine provide the option: I benched it and found a 40% speedup for the things I do leaving it on.

> 2) claim of benefit from increased cache (FALSE), (have older 2x2 Dual
> Core machine with 4MBxL2 Cache/Dual core.
> If you only use 1 Core/CPU, that 4MB L2 cache/Core)

It's true that the cache-per-core is the same, but the FSB slows things down a lot.

> to use memory faster than 800MHz -- only Quad cores go up to Quick
> Connect Speeds that will support fastest memory of 1333MHz (even if
> you only have 1 CPU). So you are 'encouraged' to go with
> Quad over

One of my machines has 1333MHz RAM, but unless I clock it down to 1066MHz I get regular machine check exceptions and random coredumps. Our best guess is that the motherboard on that machine doesn't supply enough power when the RAM is fully populated.

> The biggest cool thing about Nehelam is power savings -- they implemented
> Celeron's power-step tech in a big way. Quiescent cores crank down their
> clocks independently to about 60% of top speed and have efficient sleep
> states (I think some cores can be halted, but not sure). Some of their
> processors have a 'turbo mode', which will some small amount faster speed
> than the speed on the chip label (does that mean the turbo chips are really
> faster rated chips...you tell me),

Nope, it's much cooler than that. The power management system on the Nehalem is quite nifty (it's got more transistors than a 486 on its own). One of the things it can do is track power consumption and estimate the heat dissipation of different parts of the CPU core over time. All turbo mode does is exploit this to briefly overclock bits of the CPU die which happen to be running cool right now, then downclock them again to stop the die exceeding its rated thermal dissipation figures.

This does mean that if you have crappy cooling on your Nehalem, turn off turbo mode...

> BUT if fewer cores are used -- say only
> 2/4, the turbo boost can be a small amount greater (don't have access

That's because it realises that less heat is being dissipated.

> (don't know if any is published). If one was to go from their
> marketing graphs (HAHAHAHAHA), Turbo for 4 cores is about 10 more, and
> if only 2/4 cores are running, it's an additional 10%. So marketing
> hype/reality, might mean 1-3% faster?

My (admittedly crude) benchmarks ('run a GCC bootstrap out of /tmp under /usr/bin/time') show about 6% for heavily parallelizable stuff, 9% for serial (the same thing without 'make -j'). (So it's quite close to the marketing figures.)
Re: Backscatter.org used as RBL??
> Matus UHLAR - fantomas wrote:
>> I've read the "sender callouts" page and I don't see any evidence that it
>> mentions the SAV problem.

On 07.08.09 15:33, Mike Cardwell wrote:
> I went to the front page, and then clicked "Sender Callouts" ... The
> very first line says:
>
> "Sendercallouts (Sender Verify / SAV) - Why it is abusive"
>
> The second line says:
>
> "This is for all persons who think SENDER CALLOUTS are viable."
>
> The third line says:
>
> "We will explain why we consider sender callouts abusive."
>
> The rest of the page describes in detail the problems with SAV.
>
> Yet you can't see that it even mentions the SAV problem?

the title (not ) is the only place it mentions SAV. all the rest mentions "sender callouts" which is imho not clear. Especially the part that mentions bidirectional verify, expecting that the provided rcpt will be used for SAV sender (many SAV implementations use mail from:<>)

>> I think it mentions the mailing back, not the SAV,
>> and I'm interested if the backscatterer.org blacklists IPs with SAV or only
>> those that send real mails...
>
> It does both. The minimal amount of text on the front page couldn't be
> clearer about that ...

I think it could

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Eagles may soar, but weasels don't get sucked into jet engines.
Re: [sa] Re: RelayCountry Config
On Fri, 2009-08-07 at 13:20 -0400, Charles Gregory wrote:
> On Fri, 7 Aug 2009, Karsten Bräckelmann wrote:
> >>> char
> >>> *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> >>> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i >>> c<<=1:
> >>> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> >>> }}}
> >> How did you get line noise from your modem to look so much like perl code?
> >> :-)
> > The trick is, to catch a chunk that actually is valid C code. ;)
>
> Okay, so now I'm curious. What *IS* that chunk of code?

Compile and run it - it's quite safe, just obfuscated.

Martin
OT: Signatures and C code that doesn't look like Perl (was: RelayCountry Config)
On Fri, 2009-08-07 at 13:20 -0400, Charles Gregory wrote:
> > > > char
> > > > *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> > > > main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i > > > c<<=1:
> > > > (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){
> > > > putchar(t[s]);h=m;s=0; }}}
> > >
> > > How did you get line noise from your modem to look so much like perl
> > > code? :-)
> >
> > The trick is, to catch a chunk that actually is valid C code. ;)
>
> Okay, so now I'm curious. What *IS* that chunk of code?

It is my signature. ;-)

More seriously, it is some obfuscated C code I wrote way back for fun. Compiles cleanly. It implements a well-known algorithm, though quite bare-bones with some constraints.

I won't mention the algorithm's name, though, not in public. Spoils the fun for those who like puzzles. ;)

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: [sa] Re: RelayCountry Config
On Fri, 7 Aug 2009, Karsten Bräckelmann wrote:
>>> char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
>>> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
>> How did you get line noise from your modem to look so much like perl code? :-)
> The trick is, to catch a chunk that actually is valid C code. ;)

Okay, so now I'm curious. What *IS* that chunk of code?

- C
Re: [sa] Re: Backscatter.org used as RBL??
On Fri, 7 Aug 2009, Matus UHLAR - fantomas wrote:
> I hope those "good" SAV users are also using some good filtering policy (reject machines w/o DNS, machines in blacklists, SPF fails) before they are doing SAV, otherwise they just DoS the victims...

(nod) These arguments (on this list :) convinced me to STOP using SAV on my mail server. Yes, a tiny bit more spam gets through, but really, not enough to justify the performance cost on all our legitimate mail. :)

- C
Re: Trusted Site
> How do I add a mail server as trusted and score it
> negative?
>
> I need to have mail from a specific site not tagged as
> spam. I have the domain name and the IP.
>
> Thanks,
>
> Wes

whitelist_from_rcvd domain IP
Re: Trusted Site
On Fri, 7 Aug 2009, twofers wrote:
> How do I add a mail server as trusted and score it negative?
>
> I need to have mail from a specific site not tagged as spam. I have the domain name and the IP.

The best way is to have your MTA recognize mail from that site and not pass it to SA in the first place. Do you know enough about your MTA and glue to configure that?

--
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
You are in a maze of twisty little protocols, all written by Microsoft.
--
8 days until the 64th anniversary of the end of World War II
Re: Backscatter.org used as RBL??
Matus UHLAR - fantomas wrote:
>>> Do you say that backscatterer list contains IPs of servers that do _not_ send backscatter but are doing SAV? Do you have any proofs about that?
>>
>> The proof is on the front page of http://www.backscatterer.org/ in big red letters: "Every IP which backscatters or does sender callouts"
>
> I've read the "sender callouts" page and I don't see any evidence that it mentions the SAV problem.

I went to the front page, and then clicked "Sender Callouts" ... The very first line says:

"Sendercallouts (Sender Verify / SAV) - Why it is abusive"

The second line says:

"This is for all persons who think SENDER CALLOUTS are viable."

The third line says:

"We will explain why we consider sender callouts abusive."

The rest of the page describes in detail the problems with SAV.

Yet you can't see that it even mentions the SAV problem?

> I think it mentions the mailing back, not the SAV, and I'm interested if the backscatterer.org blacklists IPs with SAV or only those that send real mails...

It does both. The minimal amount of text on the front page couldn't be clearer about that ...

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226)
http://cardwellit.com/
Re: RelayCountry Config
> > char
> > *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> > main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i > c<<=1:
> > (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> > }}}
>
> How did you get line noise from your modem to look so much like perl code? :-)

The trick is, to catch a chunk that actually is valid C code. ;)

--
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
Re: Backscatter.org used as RBL??
On 07.08.09 06:55, Marc Perkel wrote:

Oh, please, why html only?

>> On 06.08.09 15:37, Marc Perkel wrote:
>>> This might be an advanced concept for you but what I meant was -
>>> deliberately send spam. Everyone doing sender verification is someone
>>> who is trying to BLOCK spam, and therefore are the good guys. I also
>>> track SAV calls and I use it as a WHITE list.

> Matus UHLAR - fantomas wrote:
>> How do you differ between people doing SAV and people sending backscatter?

> The backscatter list mixes these so it mixes SAV with people who have
> poorly configured rejection system. SAV doesn't go into the DATA phase so
> if they do QUIT without DATA then it's SAV. And if they are doing SAV then
> they are one of the good guys and get, in my system, NOBL listed. NOBL
> means don't blacklist.

Yes, but the others on list are those who accept-then-bounce, who should be blocked asap.

>> Do you say that backscatterer list contains IPs of servers that do _not_
>> send backscatter but are doing SAV? Do you have any proofs about that?

> Actually the history of the backscatter list is that UCEprotect had them
> in their regular black list and due to pressure and complaints and false
> positives they separated them out. Their UCEProtect lists are better but
> still have a lot of false positives. But separating them was a move
> forward.
>
> What they should do is return different codes to indicate what got them on
> the list. SAV is not backscatter. So if it is from <> and there is DATA
> then it's someone who is sending bad bounce messages to faked sender
> addresses. But if there is no DATA then it's SAV. These should be
> processed separately.

While I think that SAV is bad thing, I agree that it should be separated, potionally to different list too...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
He who laughs last thinks slowest.
Re: Backscatter.org used as RBL??
> * Matus UHLAR - fantomas :
> > On 06.08.09 15:37, Marc Perkel wrote:
> > > This might be an advanced concept for you but what I meant was -
> > > deliberately send spam. Everyone doing sender verification is someone
> > > who is trying to BLOCK spam, and therefore are the good guys. I also
> > > track SAV calls and I use it as a WHITE list.
> >
> > How do you differ between people doing SAV and people sending backscatter?

On 07.08.09 15:35, Ralf Hildebrandt wrote:
> The former never enter the DATA stage, the latter do.

Yes, but this can be done only when we come to the DATA phase, in which case it's very hard to reject without patched mailserver.

He called backscatterer the worst blacklist, so I'm curious if he does differ between them somehow, or simply accepts backscatter and whitelists all IPs on backscatter blacklist because "SAV is good".

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Nothing is fool-proof to a talented fool.
Re: Backscatter.org used as RBL??
Marc Perkel wrote:
> What they should do is return different codes to indicate what got them on the list. SAV is not backscatter. So if it is from <> and there is DATA then it's someone who is sending bad bounce messages to faked sender addresses. But if there is no DATA then it's SAV. These should be processed separately.

Errr, if it's an invalid email address it will never get to the DATA stage, at least on my servers, it's outright rejected with a 553 - Invalid user. How do you tell the difference between SAV and bounce backs in that case?

Rick
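The rule debated in this thread (null sender plus DATA means a bounce, null sender that quits before DATA means a sender callout) and the case raised in the message above (recipient rejected at RCPT, so DATA is never reached either way) can be written down as a small classifier. This is an added example, not code from any poster or from backscatterer.org: the transcript format with "C:" and "S:" prefixes, the category names and the sample sessions are all constructed, and callouts that use a non-empty sender are out of scope.

```python
import re
from collections import Counter, defaultdict

NULL_SENDER = re.compile(r"^MAIL\s+FROM:\s*<>", re.I)

# Constructed sample sessions as seen by the receiving server.
CALLOUT = """\
C: EHLO probe.example.net
S: 250-mx.example.org
S: 250 PIPELINING
C: MAIL FROM:<>
S: 250 OK
C: RCPT TO:<alice@example.org>
S: 250 OK
C: QUIT
S: 221 Bye
"""

BOUNCE = """\
C: HELO relay.example.com
S: 250 mx.example.org
C: MAIL FROM:<>
S: 250 OK
C: RCPT TO:<alice@example.org>
S: 250 OK
C: DATA
S: 354 Go ahead
C: .
S: 250 Queued
C: QUIT
S: 221 Bye
"""

REJECTED = """\
C: HELO relay.example.com
S: 250 mx.example.org
C: MAIL FROM:<>
S: 250 OK
C: RCPT TO:<nosuchuser@example.org>
S: 553 Invalid user
C: QUIT
S: 221 Bye
"""

ORDINARY = BOUNCE.replace("MAIL FROM:<>", "MAIL FROM:<bob@example.com>")


def classify_session(transcript):
    """Return 'bounce', 'callout', 'indeterminate' or 'ordinary'."""
    null_sender = saw_mail = data_accepted = False
    rcpt_accepted = 0
    last_cmd = None
    for raw in transcript.strip().splitlines():
        side, _, text = raw.strip().partition(": ")
        if side == "C" and text:
            last_cmd = text.split(None, 1)[0].upper()
            if last_cmd == "MAIL":
                saw_mail = True
                null_sender = bool(NULL_SENDER.match(text))
        elif side == "S" and last_cmd and text[3:4] != "-":
            code = text[:3]  # final line of the reply to last_cmd
            if last_cmd == "RCPT" and code.startswith("2"):
                rcpt_accepted += 1
            elif last_cmd == "DATA" and code == "354":
                data_accepted = True
    if not saw_mail or not null_sender:
        return "ordinary"
    if data_accepted:
        return "bounce"         # a message body followed the null sender
    if rcpt_accepted:
        return "callout"        # recipient probed, then dropped before DATA
    return "indeterminate"      # rejected at RCPT: both kinds stop here


def tally_by_peer(sessions):
    """sessions: iterable of (peer_ip, transcript) -> {peer_ip: Counter}."""
    tally = defaultdict(Counter)
    for peer, transcript in sessions:
        tally[peer][classify_session(transcript)] += 1
    return dict(tally)


if __name__ == "__main__":
    log = [("192.0.2.10", CALLOUT), ("192.0.2.10", CALLOUT),
           ("198.51.100.7", BOUNCE), ("198.51.100.7", REJECTED),
           ("203.0.113.9", ORDINARY)]
    for peer, counts in tally_by_peer(log).items():
        print(peer, dict(counts))
```
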
Re: Backscatter.org used as RBL??
> Matus UHLAR - fantomas wrote:
>
>> Do you say that backscatterer list contains IPs of servers that do _not_
>> send backscatter but are doing SAV? Do you have any proofs about that?

On 07.08.09 14:37, Mike Cardwell wrote:
> The proof is on the front page of http://www.backscatterer.org/ in big
> red letters: "Every IP which backscatters or does sender callouts"

I've read the "sender callouts" page and I don't see any evidence that it mentions the SAV problem. I think it mentions the mailing back, not the SAV, and I'm interested if the backscatterer.org blacklists IPs with SAV or only those that send real mails...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
Re: Backscatter.org used as RBL??
Matus UHLAR - fantomas wrote:
> On 06.08.09 15:37, Marc Perkel wrote:
> > This might be an advanced concept for you but what I meant was -
> > deliberately send spam. Everyone doing sender verification is someone
> > who is trying to BLOCK spam, and therefore are the good guys. I also
> > track SAV calls and I use it as a WHITE list.
>
> How do you differ between people doing SAV and people sending backscatter?

The backscatter list mixes these so it mixes SAV with people who have a
poorly configured rejection system. SAV doesn't go into the DATA phase so if
they do QUIT without DATA then it's SAV. And if they are doing SAV then they
are one of the good guys and get, in my system, NOBL listed. NOBL means don't
blacklist.

> The whole point of using backscatterer BL was to block bounces from machines
> that send much of them, e.g. are using accept-then-bounce method.
> (well, someone may want to block all mail from such machines)
>
> Do you say that backscatterer list contains IPs of servers that do _not_
> send backscatter but are doing SAV? Do you have any proofs about that?
>
> I hope those "good" SAV users are also using some good filtering policy
> (reject machines w/o DNS, machines in blacklists, SPF fails) before they are
> doing SAV, otherwise they just DoS the victims...

Actually the history of the backscatter list is that UCEprotect had them in
their regular black list and due to pressure and complaints and false
positives they separated them out. Their UCEProtect lists are better but
still have a lot of false positives. But separating them was a move forward.

What they should do is return different codes to indicate what got them on
the list. SAV is not backscatter. So if it is from <> and there is DATA then
it's someone who is sending bad bounce messages to faked sender addresses.
But if there is no DATA then it's SAV. These should be processed separately.
Re: Backscatter.org used as RBL??
Matus UHLAR - fantomas wrote:
> Do you say that backscatterer list contains IPs of servers that do _not_
> send backscatter but are doing SAV? Do you have any proofs about that?

The proof is on the front page of http://www.backscatterer.org/ in big red
letters: "Every IP which backscatters or does sender callouts"

--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226)
http://cardwellit.com/
Re: Backscatter.org used as RBL??
* Matus UHLAR - fantomas :
> On 06.08.09 15:37, Marc Perkel wrote:
> > This might be an advanced concept for you but what I meant was -
> > deliberately send spam. Everyone doing sender verification is someone
> > who is trying to BLOCK spam, and therefore are the good guys. I also
> > track SAV calls and I use it as a WHITE list.
>
> How do you differ between people doing SAV and people sending backscatter?

The former never enter the DATA stage, the latter do.

--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Backscatter.org used as RBL??
On 06.08.09 15:37, Marc Perkel wrote:
> This might be an advanced concept for you but what I meant was -
> deliberately send spam. Everyone doing sender verification is someone
> who is trying to BLOCK spam, and therefore are the good guys. I also
> track SAV calls and I use it as a WHITE list.

How do you differ between people doing SAV and people sending backscatter?

The whole point of using backscatterer BL was to block bounces from machines
that send much of them, e.g. are using accept-then-bounce method.
(well, someone may want to block all mail from such machines)

Do you say that backscatterer list contains IPs of servers that do _not_
send backscatter but are doing SAV? Do you have any proofs about that?

I hope those "good" SAV users are also using some good filtering policy
(reject machines w/o DNS, machines in blacklists, SPF fails) before they are
doing SAV, otherwise they just DoS the victims...

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Remember half the people you know are below average.
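The DATA-stage heuristic argued over in this thread, together with the 553 case Rick raises, as an added example that is not code from any poster. The log format, the addresses and the category names are constructed for illustration; a real MTA log would need its own parser.

```python
from collections import defaultdict

# Constructed sample: "<client-ip> <verb> <argument> <our reply code>" per line.
SAMPLE_LOG = """\
192.0.2.10 MAIL FROM:<> 250
192.0.2.10 RCPT TO:<alice@example.org> 250
192.0.2.10 QUIT - 221
198.51.100.7 MAIL FROM:<> 250
198.51.100.7 RCPT TO:<alice@example.org> 250
198.51.100.7 DATA - 354
198.51.100.7 QUIT - 221
203.0.113.5 MAIL FROM:<> 250
203.0.113.5 RCPT TO:<nobody@example.org> 553
203.0.113.5 QUIT - 221
203.0.113.9 MAIL FROM:<bob@example.net> 250
203.0.113.9 RCPT TO:<alice@example.org> 250
203.0.113.9 DATA - 354
"""

def classify(events):
    """Classify one session given as a list of (verb, arg, reply_code)."""
    null_seen = in_null = rcpt_ok = False
    for verb, arg, code in events:
        verb = verb.upper()
        if verb == "MAIL":
            # Only transactions with the null sender <> are of interest.
            in_null = arg.upper().startswith("FROM:<>")
            null_seen = null_seen or in_null
        elif verb == "RCPT" and in_null:
            rcpt_ok = rcpt_ok or 200 <= code < 300
        elif verb == "DATA" and in_null:
            return "bounce"      # a callout never tries to send a message body
    if not null_seen:
        return "other"
    # Accepted recipient but no DATA: the client only wanted the RCPT answer.
    # Rejected recipient (Rick's 553): a bounce sender would have stopped at
    # the same point, so the session alone cannot tell the two apart.
    return "callout" if rcpt_ok else "ambiguous"

def classify_log(log_text):
    """Group log lines by client IP and classify each session."""
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        ip, verb, arg, code = line.split()
        sessions[ip].append((verb, arg, int(code)))
    return {ip: classify(events) for ip, events in sessions.items()}
```
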
Trusted Site
How do I add a mail server as trusted and score it negative? I need to have mail from a specific site not tagged as spam. I have the domain name and the IP. Thanks, Wes
Re: Geniuses at expedia.com
< header L_TAB_IN_FROM ALL =~ /\nFrom:\t/s -> header L_TAB_IN_FROM From:raw =~ /^\t/m Mark
Re: RelayCountry Config
On Fri, 7 Aug 2009 00:46:46 -0400 MySQL Student wrote:
> Hi,
>
> > I find ordinary header and meta rules are all I need:
> >
> > http://pastebin.com/f5e5232d1
>
> Among those rules you have:
>
> meta RELAYCOUNTRY_MED ! RELAYCOUNTRY_HIGH && (
> __RELAYCOUNTRY_AF || __RELAYCOUNTRY_AS || __RELAYCOUNTRY_EU_S ||
> __RELAYCOUNTRY_OC_S || __RELAYCOUNTRY_AM_S )
>
> It's probably hard to read, but doesn't this exclude the US?
> RELAYCOUNTRY_AM_S are all the Americas except US and CA. If I
> understand correctly, this says NOT RELAYCOUNTRY_HIGH and all
> countries except US and CA, which means that RELAYCOUNTRY_MED would
> trigger on all US and CA relays.

! A && B = (! A) && B