RE: Joe-job blowback
On man 31 aug 2009 23:11:14 CEST, Kevin Miller wrote to a bunch of Russian recipients on servers that don't bother to check SPF, with my user's address in the from field. The Russian servers then send NDRs for non-existent users on their servers. Rather than reject at the handshake, they're apparently accepting the spam then bouncing it. block sender ip in mta for this mails, there is no point in spam scanning bounces anyway when the remote server did a very fine job of spam scanning and bounce spam, you are not alone on this problem, if more mta setups checks spf in mta, there would be less bounces to forged senders what mta is used on the remote ?, and is there sign of something going bad with quotas ? its should really be made a howto run a mta for dummies :) -- xpoint
Re: Porn-portal spammers
On tir 01 sep 2009 01:10:06 CEST, LuKreme wrote I used to score mail from hotmail at 3.0... might be time to do that again. if spf_pass yes :-) reject neutral and softfail for hotmail.com reduce it nicely here without reject valid mail from hotmail, oh yes there is still spam sent from hotmail that gets pass, but then its surely more easy to complain it was not me -- xpoint
Re: 3.3.0 alpha 2 on production mail servers / clusers ???
Alex,

Do we have an idea of a timeline for the next release and/or production release currently?

Not a fixed date yet, but we are getting there, the light at the end of a tunnel is getting bright. No problems with stability, it just would be nice to finish some remaining details, and The Great Scoring computation still needs to be done.

How about dependencies? What modules will need to be updated?

- minimum required version of ExtUtils::MakeMaker is 6.17
- now required modules: Time::HiRes, NetAddr::IP, Archive::Tar
- minimal version of Mail::DKIM is 0.31 (preferred 0.36_5 or later)

(did I miss anything?)

Will perl-5.8 work okay?

- preferred versions of perl are 5.8.8, 5.8.9, and 5.10.0 or later (of these three the 5.8.9 appears to be the most buggy)
- support for versions of perl 5.6.* is being gradually revoked (may still work, but no promises and no support)

How about for use with amavis? Will I need to upgrade that?

Some of the new features are only available with recent versions of amavisd. Specifically:

- TIMING-SA reports in the log (at log level 2) are available since amavisd-new-2.6.0;
- passing of truncated large mail to SpamAssassin without breaking DKIM signature results is available since 2.6.3
- with version amavisd-new-2.6.2 and older the following change is necessary:

    - my($data_representation) = 'GLOB'; # pass data to SA as ARRAY or a GLOB
    + my($data_representation) = 'ARRAY';

A list of the top five best new features would also be great! *salivates*

Here is my personal choice (amavis and DKIM -centric, sorry):

- improved error detection and reporting
- support for ADSP (with manual overrides) in a DKIM plugin (deals with phishing on domains like eBay, PayPal, amazon.com, ...)
- ability to check a truncated long message without breaking DKIM signatures
- timing breakdown reports
- much improved IPv6 support
- avoid Perl 5.8.9 and 5.10.0 compiler crashing when compiling many rules on FreeBSD (smaller threads stack)

(ok, that's six)

I'm trying to anticipate what I can do ahead of time to get it into place as soon as possible.

With amavisd-new 2.6.3 it should be fine.

Here is my attempt at compiling release notes for SpamAssassin 3.3 from a SVN change log. I left out changes to infrastructure, trivial changes and details on rule changes. Please say so if something important was left out.

SpamAssassin 3.3.0 RELEASE NOTES --- DRAFT / UNOFFICIAL

COMPATIBILITY WITH 3.2.5

- rules are no longer distributed with the package, but installed by sa-update - either automatically fetched from the network (preferably), or from a tar archive, which is available for downloading separately
- minimum required version of ExtUtils::MakeMaker is 6.17
- now required modules: Time::HiRes, NetAddr::IP, Archive::Tar
- minimal version of Mail::DKIM is 0.31 (preferred 0.36_5 or later)
- no longer used modules: Mail::DomainKeys, Mail::SPF::Query
- support for versions of perl 5.6.* is being gradually revoked (may still work, but no promises and no support)
- preferred versions of perl are 5.8.8, 5.8.9, and 5.10.0 or later (of these three the 5.8.9 appears to be the most buggy)

BUILDING AND PACKAGING

- rules are no longer distributed with the package, but installed by sa-update
- simplify Makefile.PL and fix a bug in DESTDIR support by increasing the minimum ExtUtils::MakeMaker version required to 6.17
- include check_whitelist and check_spamd in distribution; now called 'sa-awl' and 'sa-check_spamd'

WORKAROUNDS TO PERL BUGS AND LIMITATIONS

- let the Check.pm plugin produce smaller chunks of source code from rules (60 kB) to avoid Perl compiler crashing on exceeding stack size
- localize $1, $2, etc at several places, avoiding taint issue from propagating
- avoid Perl I/O bug by replacing line-by-line reading with read() where suitable, or play down the EBADF status in other places and only report it as dbg instead of a die - while also providing a little speedup (10..25%) on reading a message
- new sub Message::split_into_array_of_short_lines to nicely split a text into array of paragraph chunks of sizes between 1 kB and 2 kB, gives less opportunity to runaway regular expressions in rules; fixes bugs: 5717, 5644, 5795, 5486, 5801, 5041

ERROR HANDLING, ROBUSTNESS

- improved error detection and reporting: test status of all system calls and I/O operations (or explicitly document where not), and report unexpected failures;
- eval calls now check for eval result instead of testing the $@, which is not always reliable;
- localized $@ and $! in DESTROY methods to prevent potential calls to eval and calls to system routines in code executed from a DESTROY method from clobbering global variables $@ and $!;
- Util::helper_app_pipe_open_unix: contain a failing exec with an eval to prevent additional cases of process cloning. The exec could fail this way when given tainted arguments;
- Util::helper_app_pipe_open_unix:
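Review bot: the `+` line in the amavisd-new 2.6.2-and-older change drops the trailing comment that the `-` line carried, so the edited source no longer says which values the setting accepts or why it was changed. Keep `# pass data to SA as ARRAY or a GLOB` on the new line and add that 'ARRAY' is the value this message calls necessary for 2.6.2 and older, so the setting gets revisited after an upgrade to 2.6.3.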
Re: 3.3.0 alpha 2 on production mail servers / clusers ???
On tir 01 sep 2009 07:56:03 CEST, Henrik K wrote I find your post just unnecessary FUD. this is what maillists is for in the first place, no ?, if we just have to agree on all, there is no point being on maillists is sa 3.3 working so great that email sent to you outside maillists is deleted ? well never mind i can live with this -- xpoint
Re: HTML Image Spam
Casartello, Thomas wrote: Well said :) Thomas E. Casartello, Jr. Staff Assistant - Wireless/Linux Administrator Information Technology Wilson 105A Westfield State College Red Hat Certified Technician (RHCT) -Original Message- From: LuKreme [mailto:krem...@kreme.com] Sent: Monday, August 31, 2009 8:27 PM To: users@spamassassin.apache.org Subject: Re: HTML Image Spam On 31-Aug-2009, at 18:19, Casartello, Thomas wrote: Well my client doesn't load images, and I already check against the zen rbl. The guy who got the message is making a big stink about the fact that he got the message. I figured there's really not that much that can be done. If he wants to get absolutely no spam that is very very easy. Disconnect the Ethernet cord. Short of that, he WILL get spam. SA is good, it's not that good. Nothing is. Or...you could turn off spam filtering for this user to show him just how much spam he's NOT getting. -- Dan Schaefer Web Developer/Systems Analyst Performance Administration Corp.
Re: 3.3.0 alpha 2 on production mail servers / clusers ???
On 31-Aug-2009, at 23:56, Henrik K wrote: On Mon, Aug 31, 2009 at 06:23:22PM -0600, LuKreme wrote: On 30-Aug-2009, at 22:28, Henrik K wrote: On Sun, Aug 30, 2009 at 08:10:23PM -0600, LuKreme wrote: On 29-Aug-2009, at 11:47, R-Elists wrote: have many, or any of you folks on the list migrated your production servers to the 3.3.0 alpha 2 or later release? Er.. hopefully no one did this on a production server. Or if they did they are not really understanding 'alpha' and are willing to lose mail, or worse. How is SA going to lose your mail? Dunno, but it is ALPHA. You know what that means? It specifically means it is not ready to be relied upon. BETA means that it is not ready for production servers, and ALPHA is pre-beta. Yeah normal users obviously should just use stable OS packages Actually, you have that backwards. As a USER I use beta or alpha software all the time. I have no problem with that, it's only my data I am risking. As an admin, however, it's rather irresponsible. And as a CUSTOMER if I saw my mail being marked up by an alpha release of anything, I'd be shopping for another host. -- ...but then a lot of nice things turn bad out there
Re: 3.3.0 alpha 2 on production mail servers / clusers ???
On Tue, Sep 01, 2009 at 06:43:08AM -0600, LuKreme wrote: On 31-Aug-2009, at 23:56, Henrik K wrote: On Mon, Aug 31, 2009 at 06:23:22PM -0600, LuKreme wrote: On 30-Aug-2009, at 22:28, Henrik K wrote: On Sun, Aug 30, 2009 at 08:10:23PM -0600, LuKreme wrote: On 29-Aug-2009, at 11:47, R-Elists wrote: have many, or any of you folks on the list migrated your production servers to the 3.3.0 alpha 2 or later release? Er.. hopefully no one did this on a production server. Or if they did they are not really understanding 'alpha' and are willing to lose mail, or worse. How is SA going to lose your mail? Dunno, but it is ALPHA. You know what that means? It specifically means it is not ready to be relied upon. BETA means that it is not ready for production servers, and ALPHA is pre-beta. Yeah normal users obviously should just use stable OS packages Actually, you have that backwards. As a USER I use beta or alpha software all the time. I have no problem with that, it's only my data I am risking. As an admin, however, it's rather irresponsible. And as a CUSTOMER if I saw my mail being marked up by an alpha release of anything, I'd be shopping for another host. So is using own rules allowed? Other people's rules? If they are not marked alpha/beta in any way, are they supposed to be production quality? How long of a period must you test them before moving into production? SA is basically a bunch of rules. How long do you have to test a stable SA version before moving into production? Sorry man, but you are still FUD. Whether it's SVN/alpha/beta/gamma/superstable doesn't matter. If it works and is tested before putting in production, it's fine.
Outlook 2007/imap headers
Hello, Almost all my users use Outlook :( In the past with Outlook 2003, I was using an IMAP account to permit my users to transmit their spam with all the headers. But now with Outlook 2007 I lost almost all the headers when the email is moved to an IMAP account. Has anyone found a solution to this great new Outlook feature? Thanks, François
RE: Outlook 2007/imap headers
Hello, Almost all my users use Outlook :( In the past with Outlook 2003, I was using an IMAP account to permit my users to transmit their spam with all the headers. But now with Outlook 2007 I lost almost all the headers when the email is moved to an IMAP account. Has anyone found a solution to this great new Outlook feature? I just moved an email from the Exchange store to my personal IMAP mailbox (Dovecot) using OL2007 but AFAICT I'm not losing any headers. Rob
Re: Outlook 2007/imap headers
Sorry, I forgot to specify the other Microsoft tricks ;) You will continue to see all the headers in your Outlook client but if you use another email client or if you go check directly on the email server you will not have all the headers (only a part of it). * I have not tested with an Exchange account, only pop3. François 2009/9/1 Rob Sterenborg r.sterenb...@netsourcing.nl: Hello, Almost all my users use Outlook :( In the past with Outlook 2003, I was using an IMAP account to permit my users to transmit their spam with all the headers. But now with Outlook 2007 I lost almost all the headers when the email is moved to an IMAP account. Has anyone found a solution to this great new Outlook feature? I just moved an email from the Exchange store to my personal IMAP mailbox (Dovecot) using OL2007 but AFAICT I'm not losing any headers. Rob
Re: Outlook 2007/imap headers
François Rousseau wrote: Sorry, I forgot to specify the other Microsoft tricks ;) You will continue to see all the headers in your Outlook client but if you use another email client or if you go check directly on the email server you will not have all the headers (only a part of it). And, exchange 2003, service pack 1 took away the ability for imap to see public folders, didn't it? -- Michael Scheidell, CTO Phone: 561-999-5000, x 1259 | SECNAP Network Security Corporation * Certified SNORT Integrator * 2008-9 Hot Company Award Winner, World Executive Alliance * Five-Star Partner Program 2009, VARBusiness * Best Anti-Spam Product 2008, Network Products Guide * King of Spam Filters, SC Magazine 2008 _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.secnap.com/products/spammertrap/ _
Re: Outlook 2007/imap headers
On tir 01 sep 2009 16:18:37 CEST, François Rousseau wrote Almost all my users use Outlook :( why is it sad ?, it can do imap as well as pop3 In the past with Outlook 2003, I was using an IMAP account to permit my users to transmit their spam with all the headers. okay But now with Outlook 2007 I lost almost all the headers when the email is moved to an IMAP account. moved from imap to imap folder ?, same remote password in one mailbox on server ? if otherwise the user gets mail from pop3 and later move it with imap, then i might say headers will be changed Has anyone found a solution to this great new Outlook feature? dovecot-antispam, and all remote users via imap, it even works with amiga :) dspam add a tag to the body so when reported back as ham or spam, it only need this tag to know original headers and body as learnt in the first place -- xpoint
RE: Porn-portal spammers
if spf_pass yes :-) reject neutral and softfail for hotmail.com reduce it nicely here without reject valid mail from hotmail, oh yes there is still spam sent from hotmail that gets pass, but then its surely more easy to complain it was not me benny, at what stage are you dealing with SPF here? mta? or mta and SA? can you give example config so we can see some clarity on what you are doing in regards to them? - rh
Re: gpgkey failures with sa-update [fixed, thanks]
On Wednesday 19 August 2009, Karsten Bräckelmann wrote: dbg: gpg: found signature made by key 8D25B5E91DAF0F715F60B588DC85341F6C6191E3 [25964] dbg: gpg: key id 6C6191E3 is not release trusted ^^^ You failed to provide the obligatory --gpgkey 6C6191E3 option. Sort of old, revisiting this, but it came up again this morning because I had neglected to add this to my user gene's crontab entry. Tis now. :( But, I had installed all the perl stuff that a spamassassin -D --lint run had complained about, and I just noted in the email sa-update sent me that 3 more bits of perl were on the missing list, and the final piece I can't find in a fedora repo: 32760] dbg: diag: module not installed: Net::Ident ('require' failed) Any idea if this is part of another un-named module or I should install it with cpan??? Yumex is adamant that there is not such a beast. Thanks -- Cheers, Gene There are four boxes to be used in defense of liberty: soap, ballot, jury, and ammo. Please use in that order. -Ed Howdershelt (Author) The NRA is offering FREE Associate memberships to anyone who wants them. https://www.nrahq.org/nrabonus/accept-membership.asp A list is only as strong as its weakest link. -- Don Knuth
Re: Outlook 2007/imap headers
2009/9/1 Benny Pedersen m...@junc.org: On tir 01 sep 2009 16:18:37 CEST, François Rousseau wrote Almost all my users use Outlook :( why is it sad ?, it can do imap as well as pop3 In the past with Outlook 2003, I was using an IMAP account to permit my users to transmit their spam with all the headers. okay But now with Outlook 2007 I lost almost all the headers when the email is moved to an IMAP account. moved from imap to imap folder ?, same remote password in one mailbox on server ? if otherwise the user gets mail from pop3 and later move it with imap, then i might say headers will be changed Has anyone found a solution to this great new Outlook feature? dovecot-antispam, and all remote users via imap, it even works with amiga :) dspam add a tag to the body so when reported back as ham or spam, it only need this tag to know original headers and body as learnt in the first place -- xpoint Maybe I was not clear but yes my users use pop3 accounts and move problematic email to one common IMAP account. (in fact one common account by group of users) With Thunderbird and Outlook 2003, the headers were there but not with Outlook 2007. It could be an idea to encapsulate the spam message into another email (report_safe) but I could also just keep trying to explain to some of my users how to forward an email as an attachment. Thanks, François
RE: Porn-portal spammers
On tir 01 sep 2009 16:55:06 CEST, R-Elists wrote at what stage are you dealing with SPF here? http://www.openspf.org/Software mta? or mta and SA? postfix stage can you give example config so we can see some clarity on what you are doing in regards to them? pypolicyd-spf have commented example config that is easy to follow, in sa i just monitor spf that are not spf pass, if there is some domains add them to pypolicyd-spf (Reject_Not_Pass_Domains) and last whitelist in pypolicyd known forwarders ! -- xpoint
Re: Outlook 2007/imap headers
Michael Scheidell wrote: François Rousseau wrote: Sorry, I forgot to specify the other Microsoft tricks ;) You will continue to see all the headers in your Outlook client but if you use another email client or if you go check directly on the email server you will not have all the headers (only a part of it). And, exchange 2003, service pack 1 took away the ability for imap to see public folders, didn't it? I pull spam and ham via IMAP from public folders on an Exchange 2003 server with SP2. Works great, includes all headers. Brent Gardner
RE: Joe-job blowback
Benny Pedersen wrote: On man 31 aug 2009 23:11:14 CEST, Kevin Miller wrote to a bunch of Russian recipients on servers that don't bother to check SPF, with my user's address in the from field. The Russian servers then send NDRs for non-existent users on their servers. Rather than reject at the handshake, they're apparently accepting the spam then bouncing it. block sender ip in mta for this mails, there is no point in spam scanning bounces anyway when the remote server did a very fine job of spam scanning and bounce spam, you are not alone on this problem, if more mta setups checks spf in mta, there would be less bounces to forged senders Well, the remote servers didn't do a good job of spam scanning. If they did they wouldn't be bouncing it! :-) what mta is used on the remote ?, and is there sign of something going bad with quotas ? It's not one remote server. That would be too easy. It's dozens. Or more. Botted hosts are sending spam to dozens of Russian ISPs/mail servers. Naturally there are invalid addresses in there which are bounced to my domain. I use SPF. If the remote servers did as well I'd never see any of this but they don't. its should really be made a howto run a mta for dummies :) Too many dummies running mail servers already. If there wasn't, there wouldn't be a need for spamassassin. :-) ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500
RE: Joe-job blowback
Karsten Bräckelmann wrote: Please keep list-posts on the list. Yeah, sorry about that. Most lists I'm on I just have to hit reply. Some I have to hit Reply-All. This one seems to vary with each user. I prefer to hit reply and have it go back to the list but not everybody does. I'm sure those wars were fought here long ago. I'll try to remember to check my To: field before sending. On Mon, 2009-08-31 at 16:23 -0800, Kevin Miller wrote: Karsten Bräckelmann wrote: VBounce plugin. Yup, got it enabled. Pretty minimal scoring though. Followed the instructions at http://wiki.apache.org/spamassassin/VBounceRuleset to set it up. Use it to filter / deliver hits into a dedicated folder, rather than attempting to raise the score into oblivion. See 20_vbounce.cf and its docs. Sic. Use the hits for filtering. NOT scoring bounces high. They are not spam, and they are likely to bias your Bayes database, if you treat them as such. $ grep -A 2 procmail 20_vbounce.cf # If you use this, set up procmail or your mail app to spot the # ANY_BOUNCE_MESSAGE rule hits in the X-Spam-Status line, and move # messages that match that to a 'vbounce' folder. Also see quite a lot of related posts in the past by me, how to handle VBounce hits. Thanks, I'll check the archives... Pretty much the above. :) Don't raise the score. Treat the backscatter hitting that rule differently. Hmmm. I see the point about the Bayes issue. Not sure if I can use procmail in this case though, as my mx servers are just gateways. The mail comes in, and is then processed by MailScanner (which calls spamassassin, among other things) and sent to an internal Exchange server. No local mailboxes on the gateways. But I may be able to set up some appropriate rules in MailScanner to accomplish the same thing. I'll ask over on that list... ...Kevin -- Kevin Miller Registered Linux User No: 307357 CBJ MIS Dept. Network Systems Admin., Mail Admin. 155 South Seward Street ph: (907) 586-0242 Juneau, Alaska 99801 fax: (907 586-4500
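The filtering described in the message above (file ANY_BOUNCE_MESSAGE hits into their own folder instead of scoring them up, and keep them away from Bayes) does not depend on procmail. The Python routine below is an added example, not part of the thread or of SpamAssassin; the function names, folder names and sample messages are constructed for illustration.

```python
import email
import re

BOUNCE_RULE = "ANY_BOUNCE_MESSAGE"  # rule name from the 20_vbounce.cf excerpt above


def spam_status(raw: bytes):
    """Return (is_spam, rule_names) parsed from the first X-Spam-Status header."""
    header = email.message_from_bytes(raw).get("X-Spam-Status")
    if header is None:
        return False, set()
    # A long tests= list is folded over several lines. Unfold it, then drop
    # the whitespace folding leaves after commas so the list is one token.
    flat = re.sub(r",\s+", ",", " ".join(str(header).split()))
    match = re.search(r"\btests=(\S*)", flat)
    names = set(match.group(1).split(",")) if match else set()
    names -= {"", "none"}
    return flat.lower().startswith("yes"), names


def route(raw: bytes) -> str:
    """Pick a folder; backscatter is filed apart regardless of its score."""
    is_spam, names = spam_status(raw)
    if BOUNCE_RULE in names:  # exact rule name, taken from the header only
        return "vbounce"
    return "spam" if is_spam else "inbox"


def may_train_bayes(raw: bytes) -> bool:
    """Bounces are not spam, so they are never offered to Bayes training."""
    return route(raw) != "vbounce"


# Constructed sample messages (not taken from the thread).
BACKSCATTER = (
    b"Return-Path: <>\r\n"
    b"X-Spam-Status: No, score=0.1 required=5.0 tests=BAYES_50,\r\n"
    b"\tANY_BOUNCE_MESSAGE,BOUNCE_MESSAGE autolearn=no version=3.2.5\r\n"
    b"Subject: Undelivered Mail Returned to Sender\r\n\r\nbody\r\n"
)
SPAM = (
    b"X-Spam-Status: Yes, score=12.4 required=5.0 tests=BAYES_99,URIBL_BLACK\r\n"
    b"\tautolearn=spam version=3.2.5\r\n"
    b"Subject: offer\r\n\r\nbody\r\n"
)
HAM = (  # the body mentions the rule name; only the header is consulted
    b"X-Spam-Status: No, score=-1.0 required=5.0 tests=none autolearn=ham\r\n"
    b"Subject: vbounce question\r\n\r\ntests=ANY_BOUNCE_MESSAGE\r\n"
)

if __name__ == "__main__":
    for label, raw in (("backscatter", BACKSCATTER), ("spam", SPAM), ("ham", HAM)):
        print(label, route(raw), may_train_bayes(raw))
```
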
Re: Outlook 2007/imap headers
Brent Gardner wrote: And, exchange 2003, service pack 1 took away the ability for imap to see public folders, didn't it? I pull spam and ham via IMAP from public folders on an Exchange 2003 server with SP2. Works great, includes all headers. one of our guys just let me know that imap users on Exchange 2007 can't read public folders, I was mistaken (SP1 broke it) http://iss.leeds.ac.uk/news/article/137/exchange_2007-withdrawal_of_public_folder_access_using_imap_client_software Brent Gardner _ This email has been scanned and certified safe by SpammerTrap(r). For Information please see http://www.spammertrap.com _
Re: Outlook 2007/imap headers
Michael Scheidell wrote: And, exchange 2003, service pack 1 took away the ability for imap to see public folders, didn't it? I pull spam and ham via IMAP from public folders on an Exchange 2003 server with SP2. Works great, includes all headers. one of our guys just let me know that imap users on Exchange 2007 can't read public folders, I was mistaken (SP1 broke it) http://iss.leeds.ac.uk/news/article/137/exchange_2007-withdrawal_of_public_folder_access_using_imap_client_software I've recently been writing an application which transfers messages via IMAP into an Exchange 2007 system. One thing I've noticed is that doing an IMAP APPEND, and then fetching the same message with an IMAP FETCH, retrieves a heavily modified version of the message. It seems to do all sorts of weird things to messages, so it may not be appropriate to pull messages out of Exchange 2007 via IMAP to feed into sa-learn. Some examples: It parses the Date header and rewrites it in its preferred format. It even changes the timezone! It adds a Date header if one was missing. The From/To/Cc headers are parsed and rewritten in Exchange's preferred format. I came across a message with a Subject line of: Subject: Latest Vacancies For =??Q?PhD=92S?=, when I read that one back after uploading it, the entire subject line is empty. Headers named Message-Id are renamed Message-ID. A new Message-ID is added if one doesn't already exist. Line wrapping in headers is messed with too. There's probably loads of other little things. -- Mike Cardwell - IT Consultant and LAMP developer Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
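To find out whether a mail store alters messages in the ways listed in the post above before its contents are fed to sa-learn, compare the headers of what was uploaded with what comes back. The Python comparison below is an added example, not the application mentioned in the post; the function names and both sample messages are constructed, with the second sample modelled on the changes the post lists.

```python
import email


def _headers(raw: bytes) -> dict:
    """Map lower-cased header name -> list of (name as written, raw value)."""
    out = {}
    for name, value in email.message_from_bytes(raw).items():
        out.setdefault(name.lower(), []).append((name, str(value)))
    return out


def _unfold(value: str) -> str:
    """Collapse folding and runs of whitespace so only content is compared."""
    return " ".join(value.split())


def header_changes(original: bytes, fetched: bytes) -> list:
    """List (kind, detail) differences between an uploaded and a fetched copy."""
    before, after = _headers(original), _headers(fetched)
    changes = []
    for key in sorted(set(before) | set(after)):
        b, a = before.get(key, []), after.get(key, [])
        if not b:
            changes.append(("added", a[0][0]))
            continue
        if not a:
            changes.append(("removed", b[0][0]))
            continue
        for (b_name, b_val), (a_name, a_val) in zip(b, a):
            if b_name != a_name:
                changes.append(("renamed", f"{b_name} -> {a_name}"))
            if b_val == a_val:
                continue
            if _unfold(b_val) == _unfold(a_val):
                changes.append(("rewrapped", a_name))
            elif not _unfold(a_val):
                changes.append(("emptied", a_name))
            else:
                changes.append(("rewritten", a_name))
        if len(b) != len(a):
            changes.append(("count-changed", key))
    return changes


def is_faithful_copy(original: bytes, fetched: bytes) -> bool:
    """True only when every header came back byte-for-byte as uploaded."""
    return not header_changes(original, fetched)


# Constructed samples: ORIGINAL as uploaded, FETCHED as a rewriting store
# might return it (same instant in the Date header, different zone).
ORIGINAL = (
    b"Date: Tue, 01 Sep 2009 16:18:37 +0200\r\n"
    b'From: "Sender" <sender@example.com>\r\n'
    b"To: a@example.com,\r\n\tb@example.com\r\n"
    b"Message-Id: <1@example.com>\r\n"
    b"Subject: Latest Vacancies For =??Q?PhD=92S?=\r\n\r\nbody\r\n"
)
FETCHED = (
    b"Date: Tue, 1 Sep 2009 14:18:37 +0000\r\n"
    b"From: Sender <sender@example.com>\r\n"
    b"To: a@example.com, b@example.com\r\n"
    b"Message-ID: <1@example.com>\r\n"
    b"Subject:\r\n\r\nbody\r\n"
)

if __name__ == "__main__":
    for kind, detail in header_changes(ORIGINAL, FETCHED):
        print(f"{kind:10} {detail}")
```
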