Re: spams to abuse@ id
On Tue 25 Aug 2009 07:58:37 CEST, ram wrote:

> I am getting a lot of pill spams on the abuse@ ids

Yes, spammers are ignorant. Track the sender IP and whois the network, then block it in the firewall; just make sure the network is not in DNSWL and that there are no other ham IPs in their ranges.

Otherwise, fight sender forgeries in the MTA and only accept SPF pass. If the sender domain has no SPF record, count how many ham mails are coming from this domain; if none, then domain-blacklist this sender, and open it again if there is SPF later.

This is basically how I fight it.

-- 
xpoint
Re: spams to abuse@ id
On Tue, 2009-08-25 at 08:06 +0200, Benny Pedersen wrote:

> else fight sender forgeries in mta, and only accept spf pass, if sender domain is not with spf record count how many ham mails is coming from this domain, if none, then domain blacklist this sender, open again if there is spf later

Interesting quote regarding SPF and those that advocate it:

  Except for the special case of bulk mail sender authentication by inbox providers, no one with non-trivial operational responsibilities has paid attention to SPF for several years. At this late date, advocating SPF for anything except whitelist authentication, ridicule, or an object lesson in letting marketing and personality cult outweigh reality is trolling or proof of willful ignorance.

  Vernon Schryver v...@rhyolite.com (NANAE this very morning, 25th Aug 2009)
Re: spams to abuse@ id
On Tue, 2009-08-25 at 11:28 +0530, ram wrote:

> I am getting a lot of pill spams on the abuse@ ids
>
> I had thought spammers would not really be that naive. Usually anyone sitting at the abuse@ helpdesk is at least smart enough to know not to respond to these fakes
>
> They are just creating a datafeed for my blacklists and uri-lists
>
> Only thing is that the real purpose of having an un-filtered abuse address is getting defeated if overwhelmed with spams

We get loads of spam at our abuse and postmaster addresses. However, we use SA to score them, and our mail client (evolution) filters them into separate folders depending on how 'spammy' they are. As such most genuine mail is in the main inbox, all other mail is in one of the 'spam' folders (we only have 2 anyway; those scoring 8-18, and those scoring over 18). It makes it manageable.

John.

-- 
John Horne, University of Plymouth, UK
Tel: +44 (0)1752 587287
E-mail: john.ho...@plymouth.ac.uk
Fax: +44 (0)1752 587001
Re: Spams about illegal underage undressings
On Mon, Aug 24, 2009 at 12:54:08PM -0700, Evan Platt wrote:

> At 12:48 PM 8/24/2009, you wrote:
>
> > Lately I have been receiving quite a bit of spams that promote films of the most indecent kind, involving persons of minor age.
> >
> > Examples are here: http://igor.chudov.com/tmp/spam009.txt
> >
> > By looking at those messages, I would expect them to score higher on the spamminess scale. Would anyone comment about this. I run Ubuntu Jaunty on this mailserver.
>
> Forbidden
> You don't have permission to access /tmp/spam009.txt on this server.

Oops, I fixed permissions i
Re: Spams about illegal underage undressings
On Tue, 2009-08-25 at 07:21 -0500, Igor Chudov wrote:

> On Mon, Aug 24, 2009 at 12:54:08PM -0700, Evan Platt wrote:
>
> > At 12:48 PM 8/24/2009, you wrote:
> >
> > > Lately I have been receiving quite a bit of spams that promote films of the most indecent kind, involving persons of minor age.
> > >
> > > Examples are here: http://igor.chudov.com/tmp/spam009.txt
> > >
> > > By looking at those messages, I would expect them to score higher on the spamminess scale. Would anyone comment about this.

SpamAssassin is not particularly a porn filter. It is designed to be a spam filter. You might start with 70_sare_adult.cf to make a rule to hit these, but it will take a bit of work.

Freemail_from and L_UNVERIFIED_GMAIL would have hit these, adding 3 points for a total of 5.

My L_UNVERIFIED_GMAIL rule (copied shamelessly from Mark Martinec):

  header   __L_ML1             Precedence =~ m{\b(list|bulk)\b}i
  header   __L_ML2             exists:List-Id
  header   __L_ML3             exists:List-Post
  header   __L_ML4             exists:Mailing-List
  header   __L_HAS_SNDR        exists:Sender
  meta     __L_VIA_ML          __L_ML1 || __L_ML2 || __L_ML3 || __L_ML4 || __L_HAS_SNDR
  header   __L_FROM_GMAIL      From:addr =~ m...@gmail\.com$}i
  meta     L_UNVERIFIED_GMAIL  !DKIM_VERIFIED && __L_FROM_GMAIL && !__L_VIA_ML
  priority L_UNVERIFIED_GMAIL  500
  score    L_UNVERIFIED_GMAIL  2.5

-- 
Daniel J McDonald, CCIE # 2495, CISSP # 78281, CNX
www.austinenergy.com
header eval rules on 3.2.5 strip out a literal 0
FN on these three rules: (so how do I write a rule to match?)

  header __ST_ISMMS exists:X-MMS-Message-Type

will also FN on THIS rule:

  header __ST_ISMMS X-MMS-Message-Type =~ /./

and FN on this rule:

  header __ST_ISMMS X-MMS-Message-Type =~ /0/

if header

  X-MMS-Message-Type: 0

(seems eval tests think a literal zero is NULL?)

all three work fine on this header:

  X-MMS-Message-Type: 1

(see bug https://issues.apache.org/SpamAssassin/show_bug.cgi?id=6184)

-- 
Michael Scheidell, CTO
Phone: 561-999-5000, x 1259
SECNAP Network Security Corporation
 * Certified SNORT Integrator
 * 2008-9 Hot Company Award Winner, World Executive Alliance
 * Five-Star Partner Program 2009, VARBusiness
 * Best Anti-Spam Product 2008, Network Products Guide
 * King of Spam Filters, SC Magazine 2008

This email has been scanned and certified safe by SpammerTrap(r).
For Information please see http://www.spammertrap.com
no bayes in spamc -R
Hi,

when testing spam with spamc -R I don't see any bayes rating. I can't remember seeing any _ever_. Does that mean bayes has no rating, or is my spamc broken?
Re: header eval rules on 3.2.5 strip out a literal 0
Michael,

> FN on these three rules: (so how do I write a rule to match?)
>
>   header __ST_ISMMS exists:X-MMS-Message-Type
>
> will also FN on THIS rule:
>
>   header __ST_ISMMS X-MMS-Message-Type =~ /./
>
> and FN on this rule:
>
>   header __ST_ISMMS X-MMS-Message-Type =~ /0/
>
> if header
>
>   X-MMS-Message-Type: 0
>
> (seems eval tests think a literal zero is NULL?)
>
> all three work fine on this header:
>
>   X-MMS-Message-Type: 1

Fixed in 3.3.0: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5965

Mark
Re: header eval rules on 3.2.5 strip out a literal 0
Mark Martinec wrote:

> Fixed in 3.3.0: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5965

guess 3.3.0 is due out so soon that this won't be backported to 3.2.6?

would that patch work on 3.2.5? (giving me an excuse for another port bump for SA?)

> Mark

-- 
Michael Scheidell, CTO
SECNAP Network Security Corporation
Re: header eval rules on 3.2.5 strip out a literal 0
Michael,

> Mark Martinec wrote:
>
> > Fixed in 3.3.0: https://issues.apache.org/SpamAssassin/show_bug.cgi?id=5965
>
> guess 3.3.0 is due out so soon that this won't be backported to 3.2.6?
>
> would that patch work on 3.2.5? (giving me an excuse for another port bump for SA?)

The posted patch will probably work for 3.2.5, but is more extensive than necessary, and does not cover further cases discovered later.

Also (not directly related, but close), handling of the 'exists' rule has changed more fundamentally in 3.3: now it really tests for existence of a header field, while previously (3.2.5) it tested for a nonempty header field body. That patch does not cover this change.

As all these changes were nontrivial and rather extensive, and tested mainly in the 3.3 branch, I don't think it is appropriate for backporting (without careful re-examination), and even less for a minor ports patch. Perhaps a small subset of the patch would do, if anyone wants to invest some time in it.

Mark
using external spamassassin server with postfix
Hello, We have a cluster of postfix servers through a load balancer. I would like to set up an external set of spamassassin servers where these postfix servers simply query the spamassassin servers over the network for spam decisions then drop or relay accordingly. This is for outbound email only. I would prefer that spamassassin live outside of these relay servers. Is this possible? Thanks!
Re: using external spamassassin server with postfix
* Terry td3...@gmail.com:

> Hello,
>
> We have a cluster of postfix servers through a load balancer. I would like to set up an external set of spamassassin servers where these postfix servers simply query the spamassassin servers over the network for spam decisions then drop or relay accordingly. This is for outbound email only. I would prefer that spamassassin live outside of these relay servers. Is this possible?

Use spamassassin milter http://savannah.nongnu.org/projects/spamass-milt/

Some way like that:

  spamass-milter -> spamc -> NETWORK -> spamd -> spamassassin

Or hook it into amavisd-new and send messages to amavisd-new which hands them over to spamassassin.

If you need individual per-recipient settings in spamassassin you get more mileage from using spamassassin without amavisd-new.

p...@rick
RE: using external spamassassin server with postfix
> We have a cluster of postfix servers through a load balancer. I would like to set up an external set of spamassassin servers where these postfix servers simply query the spamassassin servers over the network for spam decisions then drop or relay accordingly. This is for outbound email only. I would prefer that spamassassin live outside of these relay servers. Is this possible?
>
> Thanks!

Terry,

Are you saying you want the spam processing to be on another computer or do you want to hand the entire email to another cluster to process it.

My recommendation is to set up a set of spamassassin servers and then run them through the normal spamc pipe on the postfix server but just specify the remote server to connect to (in our case a load balancer of spamassassin instances). In essence, make the SA processing a remote call. It's easy to do.

This leads to a small problem though if you are using bayes. You will probably want to use bayes via MySql and then use a shared MySql server, otherwise they will quickly get out of sync.

Our environment:

  Postfix (A) -> HANDOFF ClamAV (B) -> HANDBACK Postfix (A) -> PIPE to spamc -> Postfix -> DEST

WHERE:

  spamc -u filter -d <ip address of remote sa cluster/lb>

This will take all of the load off the postfix server.

Gary
Re: using external spamassassin server with postfix
On Tue, Aug 25, 2009 at 3:35 PM, Gary Smith gary.sm...@holdstead.com wrote:

> > We have a cluster of postfix servers through a load balancer. I would like to set up an external set of spamassassin servers where these postfix servers simply query the spamassassin servers over the network for spam decisions then drop or relay accordingly. This is for outbound email only. I would prefer that spamassassin live outside of these relay servers. Is this possible?
> >
> > Thanks!
>
> Terry,
>
> Are you saying you want the spam processing to be on another computer or do you want to hand the entire email to another cluster to process it.
>
> My recommendation is to set up a set of spamassassin servers and then run them through the normal spamc pipe on the postfix server but just specify the remote server to connect to (in our case a load balancer of spamassassin instances). In essence, make the SA processing a remote call. It's easy to do.
>
> This leads to a small problem though if you are using bayes. You will probably want to use bayes via MySql and then use a shared MySql server, otherwise they will quickly get out of sync.
>
> Our environment:
>
>   Postfix (A) -> HANDOFF ClamAV (B) -> HANDBACK Postfix (A) -> PIPE to spamc -> Postfix -> DEST
>
> WHERE:
>
>   spamc -u filter -d <ip address of remote sa cluster/lb>
>
> This will take all of the load off the postfix server.
>
> Gary

Very cool. I think that's exactly what we want. How is the handoff to clamav handled? I would probably want that to be on the external server too.
RE: using external spamassassin server with postfix
> Very cool. I think that's exactly what we want. How is the handoff to clamav handled? I would probably want that to be on the external server too.

Here you go. Smtp, well, that should be obvious. Anyway, it hands it off to [IP]:PORT (clamsmtpd) which will then call back on 9993. 9993 will then hand it off to the spamassassin PIPE, which will then call the /etc/postfix/spamassassin-filter.sh script. From there it's injected back into postfix to continue on its way.

You do need to make sure you start the spamassassin array with -i 0.0.0.0 -A 0.0.0.0/0 where 0.0.0.0 and 0.0.0.0/0 are your network settings, so as not to allow random access to your SA server.

Make sure you have the clamsmtpd to make this work properly.

If you are going to go through all of this trouble, I should probably ask are you also running some type of greylisting as well?

/etc/postfix/spamassassin-filter.sh: (tweak the command options to fit your needs).

  spamc -u filter -d IP | sendmail -i "$@"

/etc/postfix/master.cf

  smtp      inet  n       -       n       -       -       smtpd
    -o content_filter=scan:[IP]:PORT
    -o myhostname=yada
  9993      inet  n       -       n       -       -       smtpd
    -o content_filter=spamassassin:dummy
    -o smtpd_recipient_restrictions=permit_mynetworks,reject_unauth_destination
  spamassassin unix -     n       n       -       32      pipe
    flags=Rq user=filter argv=/etc/postfix/spamassassin-filter.sh -f ${sender} -- ${recipient}

That's all I can think of right now. There's probably more.
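
A more defensive form of the filter script from the message above, as an added example that is not part of the original post. It spools the scanned message and returns a temporary failure when the remote spamd cannot be used, so outbound mail is deferred rather than relayed unscanned or truncated. The SPAMC and SENDMAIL variables, the function name and the 192.0.2.10 address are assumptions; -x, -t, -u and -d are standard spamc options.

```shell
#!/bin/sh
# Added example, not from the thread: defer mail instead of passing it
# unscanned (or truncated) when the remote spamd cannot be reached.
# 192.0.2.10 is a placeholder for the spamd cluster / load balancer address.
SPAMC=${SPAMC:-"spamc -x -t 30 -u filter -d 192.0.2.10"}
SENDMAIL=${SENDMAIL:-"/usr/sbin/sendmail -i"}
EX_TEMPFAIL=75   # sysexits.h value; Postfix pipe(8) defers and retries on it

# filter_message ARGS...: message on stdin, ARGS as passed by master.cf
# (-f sender -- recipient ...). Returns 0 or EX_TEMPFAIL.
filter_message() {
    tmp=$(mktemp "${TMPDIR:-/tmp}/safilter.XXXXXX") || return "$EX_TEMPFAIL"
    # Spool spamc's output first. In "spamc | sendmail" the exit status of
    # spamc is lost and a partial message can still be injected.
    # -x turns off spamc's safe fallback, so a failed scan is an error here
    # rather than an unscanned copy of the message.
    if ! $SPAMC > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return "$EX_TEMPFAIL"
    fi
    rc=0
    $SENDMAIL "$@" < "$tmp" || rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] || return "$EX_TEMPFAIL"
    return 0
}

# Run as a filter only when installed under the name used in master.cf.
case "$0" in
    */spamassassin-filter.sh) filter_message "$@"; exit $? ;;
esac
```

On the spamd side, -A should list only the Postfix relays' addresses; a literal 0.0.0.0/0 would accept connections from anywhere.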
Re: no bayes in spamc -R
On Tue, 2009-08-25 at 15:07 +0200, a...@exys.org wrote:

> when testing spam with spamc -R I don't see any bayes rating. I can't remember seeing any _ever_.

Do you see BAYES_xx rules hitting, if you are *not* using the -R switch?

> Does that mean bayes has no rating, or is my spamc broken?

Sounds to me like you (a) did not train sufficient spam and ham for Bayes to kick in, (b) disabled Bayes, or (c) trained as another user than is doing the checks.

spamc isn't really involved here, at least not concerning Bayes or not. That is entirely up to spamd, your site-wide and user preferences and the amount of mail trained -- for the user calling spamc to do the check.

-- 
char *t=\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4; main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;il;i++){ i%8? c=1: (c=*++x); c128 (s+=h); if (!(h=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}
lottery message scored hammy by bayes
email with this content:

  CONGRATULATION YOUR EMAIL ADDRESS HAS WON YOU THE 2010 FIFA WORLDCUP LOTTER=
  Y OPEN THE ATTACHMENT AND VIEW THE PROFILE OF YOUR WINNING FUND=2C ALSO CON=
  TACT YOUR CLAIM AGENT

received these scores

  X-Spam-testscores: BAYES_00=-2.599,HTML_MESSAGE=0.001,MISSING_HEADERS=5.7,
    SUBJ_ALL_CAPS=3.1,UPPERCASE_75_100=1.528

Does this indicate that bayes needs tuning/learning?

Thank you
Re: lottery message scored hammy by bayes
On Tue, 25 Aug 2009, Dennis German wrote:

> email with this content:
>
>   CONGRATULATION YOUR EMAIL ADDRESS HAS WON YOU THE 2010 FIFA WORLDCUP LOTTER=
>   Y OPEN THE ATTACHMENT AND VIEW THE PROFILE OF YOUR WINNING FUND=2C ALSO CON=
>   TACT YOUR CLAIM AGENT
>
> received these scores
>
>   X-Spam-testscores: BAYES_00=-2.599,HTML_MESSAGE=0.001,MISSING_HEADERS=5.7,
>     SUBJ_ALL_CAPS=3.1,UPPERCASE_75_100=1.528
>
> Does this indicate that bayes needs tuning/learning?

Can you paste the output from sa-learn --dump magic ?

It probably indicates that Bayes has been mistrained - somebody is training spammy messages as ham.

How do you do your Bayes training? Autolearning, or purely manual, or some combination?

How many messages are getting inappropriate Bayes scores? If a lot are, you'll probably want to turn off autolearning (if you're using it) until you analyze the problem. You may need to wipe your Bayes database and start fresh if the problem is bad enough.

If you're using autolearning, what are your learning thresholds?

If you're manually training, do you keep your corpora so that you can review and correct errors? If so, review your ham corpora and see if any spams have crept in - and if so, retrain them as spam, SA will forget that they were hammy.

-- 
John Hardin KA7OHZ  http://www.impsec.org/~jhardin/
jhar...@impsec.org  FALaholic #11174  pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
If someone has a gun and is trying to kill you, it would be reasonable to shoot back with your own gun. -- the Dalai Lama, May 15, 2001
---
Today: the 1930th anniversary of the destruction of Pompeii
sa: lottery message scored hammy by bayes: sa-learn --dump magic
sa-learn --dump magic

config: could not find site rules directory
0.000          0          3          0  non-token data: bayes db version
0.000          0     262297          0  non-token data: nspam
0.000          0      24621          0  non-token data: nham
0.000          0     142776          0  non-token data: ntokens
0.000          0 1246871454          0  non-token data: oldest atime
0.000          0 1251249448          0  non-token data: newest atime
0.000          0 1251218718          0  non-token data: last journal sync atime
0.000          0 1249634620          0  non-token data: last expiry atime
0.000          0    2764800          0  non-token data: last expire atime delta
0.000          0      65002          0  non-token data: last expire reduction count
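
A way to read the counters that matter out of the dump above, as an added example that is not part of the original thread. It covers both the "no bayes in spamc -R" reply (too little ham or spam trained for Bayes to kick in) and this dump. The function names are hypothetical, the sample rows are copied from the message, and the 200-message minimum is SpamAssassin's default for bayes_min_spam_num and bayes_min_ham_num.

```shell
#!/bin/sh
# Added example, not from the thread: summarise `sa-learn --dump magic`.
BAYES_MIN=200   # default bayes_min_spam_num / bayes_min_ham_num (assumed unchanged)

# Constructed sample input: rows copied from the dump quoted in the thread.
sample_dump() {
cat <<'EOF'
config: could not find site rules directory
0.000          0          3          0  non-token data: bayes db version
0.000          0     262297          0  non-token data: nspam
0.000          0      24621          0  non-token data: nham
0.000          0     142776          0  non-token data: ntokens
EOF
}

# magic_value NAME: print the counter (third column) of the row whose label
# after "non-token data:" equals NAME; exit 1 if there is no such row.
magic_value() {
    awk -v want="$1" '
        /non-token data:/ {
            name = $0
            sub(/^.*non-token data: */, "", name); sub(/[ \t\r]+$/, "", name)
            if (name == want) { val = $3; found = 1 }
        }
        END { if (!found) exit 1; print val }'
}

# bayes_status: read a dump on stdin and report whether Bayes has enough
# training to score at all, plus the integer spam-to-ham training ratio.
# Returns 2 when the nspam/nham rows are missing (no usable database).
bayes_status() {
    dump=$(cat)
    nspam=$(printf '%s\n' "$dump" | magic_value nspam) || return 2
    nham=$(printf '%s\n' "$dump" | magic_value nham) || return 2
    if [ "$nspam" -lt "$BAYES_MIN" ] || [ "$nham" -lt "$BAYES_MIN" ]; then
        echo "inactive nspam=$nspam nham=$nham"
    else
        echo "active nspam=$nspam nham=$nham spam_per_ham=$((nspam / nham))"
    fi
}
```

Run `sa-learn --dump magic | bayes_status` as the same user that spamd checks mail for, since training done as a different user lands in a different database.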
Re: lottery message scored hammy by bayes
Hi,

> If you're using autolearning, what are your learning thresholds?

What do you recommend for thresholds? I'm considering using autolearning, but very concerned about corrupting the database. I think I would use something like +15 for spam. There are FNs on occasion in the 2.x range with low bayes numbers (or BAYES_50) that I wouldn't want to be tagged as ham. Should that be a concern?

Even mail that has been whitelisted could also contain spam, so would a ham threshold of like -100 work, or present the same problem?

Thanks,
Alex
Re: lottery message scored hammy by bayes
On Wed 26 Aug 2009 02:59:06 CEST, Dennis German wrote:

> X-Spam-testscores: BAYES_00=-2.599,HTML_MESSAGE=0.001,MISSING_HEADERS=5.7,
>   SUBJ_ALL_CAPS=3.1,UPPERCASE_75_100=1.528
>
> Does this indicate that bayes needs tuning/learning?

If you want bayes to know it's spam, yes. Remember to train every email as spam, not only this msg, if you get more than one; the more spam you get, the better bayes knows you don't want it to be ham in bayes. Same goes for ham the other way around, but don't train too much if msgs are unsure; if unsure, do it anyway :)

Missing headers seems bad; are you sure the msg is full rfc822?

-- 
xpoint