Re: Understanding the hostKarma Lists

[Warren Togami]

On 09/30/2009 12:18 AM, R-Elists wrote:




Marc,

Could you please decide between the existing JMF rule names
or the above proposed HOSTKARMA names?  It seems opinions are
split here.

Warren




warren,

marc already decided once, please dont give more choices...

you should have thought that out before putting the list in a minor tiz on
it.

  - rh



I'll note that he's the one that said he prefers HOSTKARMA names, 
despite his own Wiki saying JMF.


Warren

Re: Hostkarma: to be or not to be in SA defaults

[Warren Togami]

On 09/30/2009 01:41 AM, Yet Another Ninja wrote:

been following Warren Togami's aggressive lobbying for adding RBLs to
SA's defaults, and I have some questions:

- is it wise to add yet even more lookups to BLs and slow down SA's
already huge amount of DNS lookups.

- is the BL in question (which ever it may be) prepared for sustaining
the global traffic load of millions of default SA setups.

- does the BL have a track record, wide acceptance, safety and
reliability to become a standard in SA?

- shouldn't SA be conservative and deliver *safe* default setups
allowing the end user/admin/whatever decide how far he/she wants to hog
his setup with by querying yet more BLs.

- With all respect for Mark and his efforts: there is a track of one man
operated BLs being DDOS'd to oblivion, operators disappearing, etc.
Should this be weighted as well?

I believe these points should have more weight than arguing about
trivial naming or BL colours



These are good questions.  I am only proposing at this point putting 
this DNSBL into the sandbox so it can be tested against the corpa and we 
can get some real statistics.


Warren Togami
wtog...@redhat.com

Re: Understanding the hostKarma Lists

[Bowie Bailey]

Warren Togami wrote:
> On 09/30/2009 12:18 AM, R-Elists wrote:
>>
>> warren,
>>
>> marc already decided once, please dont give more choices...
>>
>> you should have thought that out before putting the list in a minor
>> tiz on
>> it.
>>
>>   - rh
>>
>
> I'll note that he's the one that said he prefers HOSTKARMA names,
> despite his own Wiki saying JMF.
>
> Warren

I'll put in my vote for RCVD_IN_HOSTKARMA_*

This keeps the RCVD_IN for consistency with the rest of the blacklist
rules and also uses the more easily recognizable Hostkarma name.  If you
add this to the default rules make sure that there is an obvious note in
the release notes for those who already have the rules installed with
the old names.

-- 
Bowie

Re: Hostkarma: to be or not to be in SA defaults

[LuKreme]

On 29-Sep-2009, at 23:41, Yet Another Ninja wrote:

been following Warren Togami's aggressive lobbying for adding RBLs  
to SA's defaults, and I have some questions:


- is it wise to add yet even more lookups to BLs and slow down SA's  
already huge amount of DNS lookups.


Slow down? DNS lookups are one of the fastest things you can do.


--
"There will always be women in rubber flirting with me."

Re: unsubscribe

[LuKreme]

On 29-Sep-2009, at 21:54, Gary Smith wrote:
Didn't we already have this discussion today.  You need to use the  
link in the headers!


Yes, but if he could read your message, he could read the headers,  
right?



--
What the hell's goin' on in the engine room? Were there
monkeys? Some terrifying space monkeys maybe got loose?

Re: unsubscribe

[Dan Schaefer]

On 29-Sep-2009, at 21:54, Gary Smith wrote:
Didn't we already have this discussion today.  You need to use the 
link in the headers!


Yes, but if he could read your message, he could read the headers, right?


Think about it, the people that unsubscribe aren't really interested in 
what you have to say about unsubscribing or the correct place to look 
for the email address. I think a simple reply from one of us with the 
correct email address would suffice.


--
Dan Schaefer
Web Developer/Systems Analyst
Performance Administration Corp.

Re: unsubscribe

[Mike Cardwell]

On 30/09/2009 16:08, Dan Schaefer wrote:


Didn't we already have this discussion today. You need to use the
link in the headers!


Yes, but if he could read your message, he could read the headers, right?


Think about it, the people that unsubscribe aren't really interested in
what you have to say about unsubscribing or the correct place to look
for the email address. I think a simple reply from one of us with the
correct email address would suffice.


If you want to tell somebody how to unsubscribe, please do it off list. 
Why doesn't the list block messages which contain a single "unsubscribe" 
in the body or an empty body with "unsubscribe" in the Subject line? I 
got bored of seeing these on the various lists I'm on so I blackhole 
them at the MTA level. All I see now is the people replying to them to 
say "Here's how you do it". By all means, reply, but there's no need to 
reply to the list.


--
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/

Re: unsubscribe

[Evan Platt]

At 08:28 AM 9/30/2009, you wrote:

If you want to tell somebody how to unsubscribe, please do it off 
list. Why doesn't the list block messages which contain a single 
"unsubscribe" in the body or an empty body with "unsubscribe" in the 
Subject line? I got bored of seeing these on the various lists I'm 
on so I blackhole them at the MTA level. All I see now is the people 
replying to them to say "Here's how you do it". By all means, reply, 
but there's no need to reply to the list.


Because about 90% of the time, someone else will want to unsubscribe too.

And if they see the 'unsubscribe' message, they somehow think that's 
how to unsubscribe.


So, if they see the first request, and then see the message with the 
correct instructions, they may follow it.


But I agree, a better solution is to have the list server 'reject' 
unsubscribe messages. :) 

RE: Understanding the hostKarma Lists

[R-Elists]

 

> 
> I'll note that he's the one that said he prefers HOSTKARMA 
> names, despite his own Wiki saying JMF.
> 
> Warren
> 
> 

Warren,

so noted...

:-)

his wiki and his entries in the SA wiki too...

and this isnt a witch hunt by any means...

you desiring to set it up and run it through the SA sandbox "appears" to be
a great idea in it's "present form"

yet when you brought it up and looked at starting changing naming
conventions and the existing RULE names and asking the person his feelings
and then kinda asking for a public vote etc etc...

i know you get the picture.

even more importantly, YAN brought up other important things in the
"Hostkarma: to be or not to be in SA defaults" thread start...

:-)

i appreciate Perkel's work as much or more than anyone yet i still remember
some time back when he changed some dns hostname stuff without warning
everyone and it made it so all emails checked against his list(s) were
rejected...

;-)doh!

 - rh

Re: Understanding the hostKarma Lists

[Marc Perkel]

R-Elists wrote:

   

  
  
RCVD_HOSTKARMA_BL Black
RCVD_HOSTKARMA_WL White
RCVD_HOSTKARMA_YL Yellow
RCVD_HOSTKARMA_BR Brown

OTOH, I really like these new names.  My brain thinks less 
hard to recognize them.

How do other people feel.  Should we stick to his old names 
with JMF in the Wiki or these new names?

Warren



  
  
please keep the original names using JMF since Perkel chose them and it is
more descriptive of his "domain" and nobody has to change anything from what
they have now (generally)

 - rh


  


Actually I didn't choose them. Someone wrote rules that used those
names and I just copied the code.

Re: Understanding the hostKarma Lists

[Marc Perkel]

I like it.

RCVD_IN_HOSTKARMA_BL
RCVD_IN_HOSTKARMA_WL
RCVD_IN_HOSTKARMA_YL
RCVD_IN_HOSTKARMA_BR

Let's go with it.

Warren Togami wrote:

On 09/29/2009 08:56 PM, Marc Perkel wrote:


Could you please decide between the existing JMF rule names or the
above proposed HOSTKARMA names? It seems opinions are split here.

Warren



If there is a lack of consensus then I appoint you Warren to make the
final call. I personally have no strong preference. I do prefer
something with HOSTKARMA in it rather to JEF or JMF.


To me RCVD_IN_JMF_BL is difficult for my brain to instantly recognize. 
It isn't the length in characters but rather the short name JMF 
wrapped between underscores.  I was leaning towards names like 
RCVD_HOSTKARMA_BL or RCVD_HOSTKARMA_WL.  But then some people 
commented about the consistency of RCVD_IN_*.


RCVD_IN_HOSTKARMA_BL
RCVD_IN_HOSTKARMA_WL
RCVD_IN_HOSTKARMA_YL
RCVD_IN_HOSTKARMA_BR

These look good to me.  But then we have the transition confusion 
problem for those who manually configured to use your old JMF rules.  
I will decide later after we hear more opinions.


http://hostkarma.junkemailfilter.com/
Will this be a working redirector in the near future?  There is no 
point in naming it HOSTKARMA if none of the URL's have hostkarma in 
their name.


Warren Togami
wtog...@redhat.com

Re: Hostkarma: to be or not to be in SA defaults

[Marc Perkel]

Yet Another Ninja wrote:
been following Warren Togami's aggressive lobbying for adding RBLs to 
SA's defaults, and I have some questions:


- is it wise to add yet even more lookups to BLs and slow down SA's 
already huge amount of DNS lookups.


- is the BL in question (which ever it may be) prepared for sustaining 
the global traffic load of millions of default SA setups.


- does the BL have a track record, wide acceptance, safety and 
reliability to become a standard in SA?


- shouldn't SA be conservative and deliver *safe* default setups 
allowing the end user/admin/whatever decide how far he/she wants to 
hog his setup with by querying yet more BLs.


- With all respect for Mark and his efforts: there is a track of one 
man operated BLs being DDOS'd to oblivion, operators disappearing, etc.

Should this be weighted as well?

I believe these points should have more weight than arguing about 
trivial naming or BL colours


comments?

have a good day...





I have a lot of mighty servers set up ad have servers at 4 locations. I 
have 50mb bought and using about 30 of it now. I am not sure what it 
takes to support a default SA inclusion. Does anyone know if what I 
described sounds like it is enough?

Re: Hostkarma: to be or not to be in SA defaults

[Marc Perkel]

LuKreme wrote:

On 29-Sep-2009, at 23:41, Yet Another Ninja wrote:

been following Warren Togami's aggressive lobbying for adding RBLs to 
SA's defaults, and I have some questions:


- is it wise to add yet even more lookups to BLs and slow down SA's 
already huge amount of DNS lookups.


Slow down? DNS lookups are one of the fastest things you can do.




I agree. Slow is MySQL basian processing.

Re: Understanding the hostKarma Lists

[Blaine Fleming]

Marc Perkel wrote:
> I like it.
> 
> RCVD_IN_HOSTKARMA_BL
> RCVD_IN_HOSTKARMA_WL
> RCVD_IN_HOSTKARMA_YL
> RCVD_IN_HOSTKARMA_BR
> 
> Let's go with it.

Marc, have you updated your wiki to reflect the new rules?  I think that
will pretty well settle any debate or question people have.

--Blaine

I am getting all external domain emails subject tagged as SpamSpam

[empiric]

   1.
  Guys I am getting all my external domain emails tagged as SpamSpam
   2.
   
   3.
  logs are attached.
   4.
  mail headers
   5.
   
   6.
  Return-Path: 
   7.
  Delivered-To: u...@domain.com
   8.
  Received: from localhost (localhost [127.0.0.1])
   9.
by mail1.domain.com  (Postfix) with ESMTP
id
  10.
  39B3C12B71D
  11.
for ; Tue, 29 Sep 2009 10:19:57 +0600 (PKST)
  12.
  X-Quarantine-ID: 
  13.
  X-Amavis-Alert: BAD HEADER Improper folded header field made up
entirely of
  14.
whitespace (char 20 hex): Subject: ...?Q?Spam?=3D\n
  15.
=3D?utf-8?Q?Spam=3D0D=3D0A=3D20helo123?=3D\n \n
  16.
  Received: from mail1.domain.com ([127.0.0.1])
  17.
by localhost (mail2.domain.com [127.0.0.1]) (amavisd-new, port
10024)
  18.
with LMTP id asR-LhZoxUsQ for ;
  19.
Tue, 29 Sep 2009 10:19:56 +0600 (PKST)
  20.
  Received: from mail.domain.com (unknown [203.101.170.27])
  21.
by mail1.domain.com (Postfix) with ESMTP id C6CF512B701
  22.
for ; Tue, 29 Sep 2009 10:19:54 +0600 (PKST)
  23.
  Received: from localhost (localhost [127.0.0.1])
  24.
by muses.domain.com (Postfix) with ESMTP id 6982319B322
  25.
for ; Tue, 29 Sep 2009 10:19:53 +0600 (PKST)
  26.
  X-Virus-Scanned: Debian amavisd-new at domain.com
  27.
  Received: from mail.domain.com 
([127.0.0.1])
  28.
by localhost (mail.domain.com 
[127.0.0.1])
  29.
  (amavisd-new, port 10024)
  30.
with LMTP id A1fSGV+XdA-K for ;
  31.
Tue, 29 Sep 2009 10:19:49 +0600 (PKST)
  32.
  Received: from mail-qy0-f191.google.com (mail-qy0-f191.google.com
  33.
   [209.85.221.191])
  34.
by mail.domain.com (Postfix) with ESMTP id B3AB03BE38
  35.
for ; Tue, 29 Sep 2009 10:19:44 +0600 (PKST)
  36.
  Received: by qyk29 with SMTP id 29so3777375qyk.32
  37.
for ; Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
  38.
  DKIM-Signature: v=3D1; a=3Drsa-sha256; c=3Drelaxed/relaxed;
  39.
d=3Dgmail.com; s=3Dgamma;
  40.
   
h=3Ddomainkey-signature:mime-version:received:date:message-id:subjec=
  41.
  t
  42.
 :from:to:content-type;
  43.
bh=3DWoV7lT+YT3JKxromudz0thKd6Y5aCdlJ7QFXjsxBCvc=3D;
  44.
   
b=3Dsuj1zJ/bZjwhfYDIy4YWp9YGpL4TFSKVOPm0R8ps0+kIV4SlldvI8A23Vtd2eXAz=
  45.
  hd
  46.

/pdlqvr7uGT4MR777LO27yKPEaNjqT2dPEVlFXAtc+vQq0Ib2WPPQMR70+77h7Bcfki=
  47.
  r
  48.
 IIELi+qXFfqj4/IpAcTlP3YtSFfwj42KT+MJs=3D
  49.
  DomainKey-Signature: a=3Drsa-sha1; c=3Dnofws;
  50.
d=3Dgmail.com; s=3Dgamma;
  51.
h=3Dmime-version:date:message-id:subject:from:to:content-type;
  52.
   
b=3DmHuhtzREpgetfc3a2kwtOBZZ47s0NR/Qje/GDeE5ZzNUMxOdvU9TtLZqZUM1KVDv=
  53.
  6u
  54.

dTs/wcIM133W1aDhZJzp4YTFIfmzCz1M/YJeo7+lDNcHERQ0Y6ilLjzoZ7NRf69H3bK=
  55.
  n
  56.
 RGQxQ9yCAjwLI3FbAgyDtZtW7CYFyKBWNP7M8=3D
  57.
  MIME-Version: 1.0
  58.
  Received: by 10.229.1.65 with SMTP id 1mr1690588qce.20.1254197980062;
Mon,
  59.
  28
  60.
Sep 2009 21:19:40 -0700 (PDT)
  61.
  Date: Tue, 29 Sep 2009 10:19:40 +0600
  62.
  Message-ID:

  63.
  Subject: =3D?utf-8?Q?Spam?=3D
  64.
   =3D?utf-8?Q?Spam=3D0D=3D0A=3D20helo123?=3D
  65.
   
  66.
   
  67.
   
  68.
  spamassassin debug logs
  69.
  #spamassassin -t -D 
  72.
  X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on
mail.domaon.=
  73.
  com
  74.
  X-Spam-Level: 
  75.
  X-Spam-Status: No, score=3D4.8 required=3D5.0
tests=3DDCC_CHECK,DNS_FROM_RF=
  76.
  C_ABUSE,
  77.
 DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
  78.
 SUBJECT_EXCESS_QP autolearn=3Dno version=3D3.1.7-deb
  79.
  Delivered-To: u...@domaon.com
  80.
  Received: from localhost (localhost [127.0.0.1])
  81.
 by mail1.domaon.com (Postfix) with ESMTP id C13911B32DB
  82.
 for ; Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
  83.
  Received: from mail1.domaon.com ([127.0.0.1])
  84.
 by localhost (mail1.domaon.com [127.0.0.1]) (amavisd-new, port
10024)
  85.
 with LMTP id p23bnIio88SC for ;
  86.
 Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
  87.
  Received: from mail.domaon.com (unknown [203.101.170.27])
  88.
 by mail1.domaon.com (Postfix) with ESMTP id 22F7D1B32D7
  89.
 for ; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
  90.
  Received: from localhost (localhost [127.0.0.1])
  91.
 by mail.domaon.com (Postfix) with ESMTP id 976D319B330
  92.
 for ; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
  93.
  X-Virus-Scanned: Debian amavisd-new at domaon.com
  94.
  Received: from mail.domaon.com ([127.0.0.1])
  95.
 

Re: I am getting all external domain emails subject tagged as SpamSpam

[Evan Platt]

At 09:55 AM 9/30/2009, you wrote:


   1.
  Guys I am getting all my external domain emails tagged as SpamSpam
   2.

   3.
  logs are attached.
   4.
  mail headers


Please make this post more readable. No HTML, Plain Text only, any 
large attachments should be on Pastebin or such, and... I don't even 
know what's up with the line numbering.


I read as far as:

X-Spam-Status: No

and stopped there. 

Re: I am getting all external domain emails subject tagged as SpamSpam

[Nauman Yousuf]

Guys I am getting all my external domain emails tagged as SpamSpam

logs are attached.
mail headers

Return-Path: 
Delivered-To: u...@domain.com
Received: from localhost (localhost [127.0.0.1])
   by mail1.domain.com  (Postfix) with ESMTP id
39B3C12B71D
   for ; Tue, 29 Sep 2009 10:19:57 +0600 (PKST)
X-Quarantine-ID: 
X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
   whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
   =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
Received: from mail1.domain.com ([127.0.0.1])
   by localhost (mail2.domain.com [127.0.0.1]) (amavisd-new, port 10024)
   with LMTP id asR-LhZoxUsQ for ;
   Tue, 29 Sep 2009 10:19:56 +0600 (PKST)
Received: from mail.domain.com (unknown [203.101.170.27])
   by mail1.domain.com (Postfix) with ESMTP id C6CF512B701
   for ; Tue, 29 Sep 2009 10:19:54 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
   by muses.domain.com (Postfix) with ESMTP id 6982319B322
   for ; Tue, 29 Sep 2009 10:19:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domain.com
Received: from mail.domain.com  ([127.0.0.1])
   by localhost (mail.domain.com  [127.0.0.1])
(amavisd-new, port 10024)
   with LMTP id A1fSGV+XdA-K for ;
   Tue, 29 Sep 2009 10:19:49 +0600 (PKST)
Received: from mail-qy0-f191.google.com (mail-qy0-f191.google.com
 [209.85.221.191])
   by mail.domain.com (Postfix) with ESMTP id B3AB03BE38
   for ; Tue, 29 Sep 2009 10:19:44 +0600 (PKST)
Received: by qyk29 with SMTP id 29so3777375qyk.32
   for ; Mon, 28 Sep 2009 21:19:40 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
   d=gmail.com; s=gamma;
   h=domainkey-signature:mime-version:received:date:message-id:subject
:from:to:content-type;
   bh=WoV7lT+YT3JKxromudz0thKd6Y5aCdlJ7QFXjsxBCvc=;
   b=suj1zJ/bZjwhfYDIy4YWp9YGpL4TFSKVOPm0R8ps0+kIV4SlldvI8A23Vtd2eXAzhd
/pdlqvr7uGT4MR777LO27yKPEaNjqT2dPEVlFXAtc+vQq0Ib2WPPQMR70+77h7Bcfkir
IIELi+qXFfqj4/IpAcTlP3YtSFfwj42KT+MJs=
DomainKey-Signature: a=rsa-sha1; c=nofws;
   d=gmail.com; s=gamma;
   h=mime-version:date:message-id:subject:from:to:content-type;
   b=mHuhtzREpgetfc3a2kwtOBZZ47s0NR/Qje/GDeE5ZzNUMxOdvU9TtLZqZUM1KVDv6u
dTs/wcIM133W1aDhZJzp4YTFIfmzCz1M/YJeo7+lDNcHERQ0Y6ilLjzoZ7NRf69H3bKn
RGQxQ9yCAjwLI3FbAgyDtZtW7CYFyKBWNP7M8=
MIME-Version: 1.0
Received: by 10.229.1.65 with SMTP id 1mr1690588qce.20.1254197980062; Mon,
28
   Sep 2009 21:19:40 -0700 (PDT)
Date: Tue, 29 Sep 2009 10:19:40 +0600
Message-ID: 
Subject: =?utf-8?Q?Spam?=
 =?utf-8?Q?Spam=0D=0A=20helo123?=



spamassassin debug logs
#spamassassin -t -D 
X-Spam-Checker-Version: SpamAssassin 3.1.7-deb (2006-10-05) on mail.domaon.com
X-Spam-Level: 
X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb
Delivered-To: u...@domaon.com
Received: from localhost (localhost [127.0.0.1])
by mail1.domaon.com (Postfix) with ESMTP id C13911B32DB
for ; Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail1.domaon.com ([127.0.0.1])
by localhost (mail1.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id p23bnIio88SC for ;
Wed, 30 Sep 2009 17:03:54 +0600 (PKST)
Received: from mail.domaon.com (unknown [203.101.170.27])
by mail1.domaon.com (Postfix) with ESMTP id 22F7D1B32D7
for ; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from localhost (localhost [127.0.0.1])
by mail.domaon.com (Postfix) with ESMTP id 976D319B330
for ; Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
X-Virus-Scanned: Debian amavisd-new at domaon.com
Received: from mail.domaon.com ([127.0.0.1])
by localhost (mail.domaon.com [127.0.0.1]) (amavisd-new, port 10024)
with LMTP id el+R1y6R6iaa for ;
Wed, 30 Sep 2009 17:03:53 +0600 (PKST)
Received: from snt0-omc1-s35.snt0.hotmail.com
(snt0-omc1-s35.snt0.hotmail.com [65.55.90.46])
by mail.domaon.com (Postfix) with ESMTP id D14C419B32D
for ; Wed, 30 Sep 2009 17:03:52 +0600 (PKST)
Received: from SNT106-W54 ([65.55.90.7]) by
snt0-omc1-s35.snt0.hotmail.com with Microsoft SMTPSVC(6.0.3790.3959);
 Wed, 30 Sep 2009 04:03:47 -0700
Message-ID: 
Content-Type: multipart/alternative;
boundary="_4abea601-ec42-4378-af03-83675013aef6_"
X-Originating-IP: [125.209.118.102]
From: mohsin alizai 
To: 
Subject: =?utf-8?Q?Spam?=
 =?utf-8?Q?Spam=0D=0A=20test?=
Date: Wed, 30 Sep 2009 11:03:47 +
Importance: Normal
MIME-Version: 1.0
X-OriginalArrivalTime: 30 Sep 2009 11:03:47.0973 (UTC)
FILETIME=[AF55A350:01CA41BD]
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com
X-SpamInfo: return-email, failed to obtain DNS record for domain hotmail.com

--_4abea601-ec42-4378-af03-83675013aef6_
Content-Type: text/plain; charset="Windows-1252"
Content-T

Re: I am getting all external domain emails subject tagged as SpamSpam

[Evan Platt]

At 10:02 AM 9/30/2009, you wrote:

Guys
I am getting all my external domain emails tagged as SpamSpam
logs are attached.
mail headers


Once again, please don't post in HTML.

X-Spam-Status: No

So - what am I missing without wading through all the HTML?

Re: Understanding the hostKarma Lists

[John Hardin]

On Wed, 30 Sep 2009, Marc Perkel wrote:


RCVD_IN_HOSTKARMA_BL
RCVD_IN_HOSTKARMA_WL
RCVD_IN_HOSTKARMA_YL
RCVD_IN_HOSTKARMA_BR


+1

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  "A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority."-- Cringely, 4/8/2004
---
 Approximately 9021060 firearms legally purchased in the U.S. this year

Re: I am getting all external domain emails subject tagged as SpamSpam

[John Hardin]

On Wed, 30 Sep 2009, Nauman Yousuf wrote:


Guys I am getting all my external domain emails tagged as SpamSpam

X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
  whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
  =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n

...

Subject: =?utf-8?Q?Spam?=
=?utf-8?Q?Spam=0D=0A=20helo123?=



spamassassin debug logs
#spamassassin -t -D 

Your SA is quite old, can you upgrade to 3.2.5?


X-Spam-Level: 
X-Spam-Status: No, score=4.8 required=5.0 tests=DCC_CHECK,DNS_FROM_RFC_ABUSE,
DNS_FROM_RFC_POST,HTML_MESSAGE,SUBJECT_ENCODED_TWICE,
SUBJECT_EXCESS_QP autolearn=no version=3.1.7-deb


SA doesn't think it's spam.


Subject: =?utf-8?Q?Spam?=
=?utf-8?Q?Spam=0D=0A=20test?=


Amavis is apparently doing something bad to your email. Is it your amavis, 
or somebody else's?


I'd look at your upstream MTA (mail.domain.com? Did you obfuscate that? 
Please note best practice is to obfuscate using "example.com", it's 
intended for that purpose and people will recognize what you're doing) as 
well. See if you can capture a message in its raw form before any of your 
local tools have had an opportunity to modify it. Review your tool chain, 
to see if it's being scanned twice somehow.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Think Microsoft cares about your needs at all?
  "A company wanted to hold off on upgrading Microsoft Office for a
  year in order to do other projects. So Microsoft gave a 'free' copy
  of the new Office to the CEO -- a copy that of course generated
  errors for anyone else in the firm reading his documents. The CEO
  got tired of getting the 'please re-send in XX format' so he
  ordered other projects put on hold and the Office upgrade to be top
  priority."-- Cringely, 4/8/2004
---
 Approximately 9021060 firearms legally purchased in the U.S. this year

Re: [sa] Re: I am getting all external domain emails subject tagged as SpamSpam

[Charles Gregory]

On Wed, 30 Sep 2009, Nauman Yousuf wrote:

Guys I am getting all my external domain emails tagged as SpamSpam
mail headers
X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely of
   whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
   =?utf-8?Q?Spam=0D=0A=20helo123?=\n \n


Well, according to this, amavis doesn't like the fact that the 'Subject' 
header is made up of many spaces. Looks like the original subject was 
'heloo123' plus a BUNCH of spaces. An MTA has 'folded' them properly, but 
AMAVIS considers this suspicious. Question would be, how did all those 
spaces get in there in the first place? Are you running the message 
through some sort of pre-process before sending it to SA?


There are also some clues in the SA rule match "SUBJECT_ENCODED_TWICE".
This suggests again, something is trying to encapsulate your subject
before it gets to spamassassin. If this is happening on ALL your mail,
then it is something in your front end.

- C

Re: I am getting all external domain emails subject tagged as SpamSpam

[Benny Pedersen]

On ons 30 sep 2009 18:55:28 CEST, empiric wrote


Guys I am getting all my external domain emails tagged as SpamSpam


next time dont repost contense from a pastebin, give the link to it

--
xpoint

Re: I am getting all external domain emails subject tagged as SpamSpam

[Benny Pedersen]

On ons 30 sep 2009 19:15:26 CEST, Evan Platt wrote

So - what am I missing without wading through all the HTML?


dns is not found ?, overloaded with ham so it cant detect spam ?

--
xpoint

Re: [sa] Re: I am getting all external domain emails subject tagged as SpamSpam

[Mark Martinec]

On Wednesday 30 September 2009 19:25:52 Charles Gregory wrote:
>  On Wed, 30 Sep 2009, Nauman Yousuf wrote:
>  > Guys I am getting all my external domain emails tagged as SpamSpam
>  > mail headers
>  > X-Amavis-Alert: BAD HEADER Improper folded header field made up entirely
>  > of whitespace (char 20 hex): Subject: ...?Q?Spam?=\n
>  >=?utf-8?Q?Spam=0D=0A=20helo123?=\n \n
>  
>  Well, according to this, amavis doesn't like the fact that the 'Subject'
>  header is made up of many spaces. Looks like the original subject was
>  'heloo123' plus a BUNCH of spaces. An MTA has 'folded' them properly, but
>  AMAVIS considers this suspicious. Question would be, how did all those
>  spaces get in there in the first place? Are you running the message
>  through some sort of pre-process before sending it to SA?
>  
>  There are also some clues in the SA rule match "SUBJECT_ENCODED_TWICE".
>  This suggests again, something is trying to encapsulate your subject
>  before it gets to spamassassin. If this is happening on ALL your mail,
>  then it is something in your front end.

You missed the point, it's not about 'many spaces' or 'trailing spaces',
but there was an illegal all-whitespace line in the header section,
just following the Subject, as reported:

Subject: ...?Q?Spam?=\n =?utf-8?Q?Spam=0D=0A=20h\
elo123?=\n \n
^

  Mark

Re: Understanding the hostKarma Lists

[Benny Pedersen]

On ons 30 sep 2009 19:17:46 CEST, John Hardin wrote

RCVD_IN_HOSTKARMA_BL
RCVD_IN_HOSTKARMA_WL
RCVD_IN_HOSTKARMA_YL
RCVD_IN_HOSTKARMA_BR


+1


-2

the rule name is now longer then it was :/

--
xpoint

Re: I am getting all external domain emails subject tagged as SpamSpam

[Nauman Yousuf]

what you mean dns not found. overloaded with ham means?


On Thu, Oct 1, 2009 at 12:01 AM, Benny Pedersen  wrote:

> On ons 30 sep 2009 19:15:26 CEST, Evan Platt wrote
>
>> So - what am I missing without wading through all the HTML?
>>
>
> dns is not found ?, overloaded with ham so it cant detect spam ?
>
> --
> xpoint
>
>


-- 
Regards

Nauman Yousuf
0312-2201455
E-Eager, N-Noble, G-Genuine, I-Intelligent, N-Natural, E-Enthusiastic,
E-Energetic, R-Resourcefull --- ENGINEER

Re: Hostkarma: to be or not to be in SA defaults

[Warren Togami]

On 09/30/2009 12:32 PM, Marc Perkel wrote:

I have a lot of mighty servers set up ad have servers at 4 locations. I
have 50mb bought and using about 30 of it now. I am not sure what it
takes to support a default SA inclusion. Does anyone know if what I
described sounds like it is enough?



You personally run all mirrors for DNS lookups?  I believe all the other 
major DNSBL's have many mirrors not all hosted in the same place.


Warren

Re: unsubscribe

[Terry Carmen]

Evan Platt wrote:

At 08:28 AM 9/30/2009, you wrote:

If you want to tell somebody how to unsubscribe, please do it off 
list. Why doesn't the list block messages which contain a single 
"unsubscribe" in the body or an empty body with "unsubscribe" in the 
Subject line? I got bored of seeing these on the various lists I'm on 
so I blackhole them at the MTA level. All I see now is the people 
replying to them to say "Here's how you do it". By all means, reply, 
but there's no need to reply to the list.


Because about 90% of the time, someone else will want to unsubscribe too.

And if they see the 'unsubscribe' message, they somehow think that's 
how to unsubscribe.


So, if they see the first request, and then see the message with the 
correct instructions, they may follow it.


But I agree, a better solution is to have the list server 'reject' 
unsubscribe messages. :)
A better solution would be to automatically handle the request as it was 
intended.


This is the kind of User Interface design issue that just makes me insane.

Rewrite it as necessary, forward it to the list manager and be done with it.

This is on par with the classic form submit message "The following 
fields are required: . . . " Well if the fields are required, the submit 
button shouldn't be active until they're filled.


It's no wonder non-technical people feel intimidated by computers. 
Software still lets them do the "wrong" thing, even when their intent 
was obvious.


Terry




--
Terry Carmen
CNY Support, LLC
http://cnysupport.com 

Re: unsubscribe

[Miles Fidelman]

Terry Carmen wrote:


A better solution would be to automatically handle the request as it 
was intended.
unless, of course, someone happens to be writing a message with the word 
"unsubscribe" in it, and DOESN'T want to unsubscribe to the list


let you think this is picking a nit I run a list for parents of one 
of my kid's schools, the school department runs another (badly) -- it's 
very common for people to write to our list asking how to (un)subscribe 
to the official school list


for that matter, on any list discussing mail handling, or perhaps 
server-side software in general, I expect the word "unsubscribe" is 
quite common


Miles


--
In theory, there is no difference between theory and practice.
In practice, there is.    Yogi Berra

Re: unsubscribe

[Evan Platt]

At 11:36 AM 9/30/2009, you wrote:
unless, of course, someone happens to be writing a message with the 
word "unsubscribe" in it, and DOESN'T want to unsubscribe to the list


let you think this is picking a nit I run a list for parents of 
one of my kid's schools, the school department runs another (badly) 
-- it's very common for people to write to our list asking how to 
(un)subscribe to the official school list


for that matter, on any list discussing mail handling, or perhaps 
server-side software in general, I expect the word "unsubscribe" is 
quite common


I've seen a number of lists where it was hard to put the word 
unsubscribe in a message without it rejecting it..


Someone sent a message to the group of 'unsuscribe' (note the spelling).

I replied back 'to unsubscribe, send a message to 
. List software denied my post - 
telling me if I wish to unsubscribe, here's how to do it (oh... the 
irony).  So I tried again, this time saying 'if you wish to 
unsuscribe , send a message to . List AGAIN saw the unsubscribe 
address in my body of the message, and rejected it.


Can't remember how I got around it - I think I told the person to try 
spelling it correctly. :) 

Re: unsubscribe

[Kelson]

Miles Fidelman wrote:
unless, of course, someone happens to be writing a message with the word 
"unsubscribe" in it, and DOESN'T want to unsubscribe to the list


let you think this is picking a nit I run a list for parents of one 
of my kid's schools, the school department runs another (badly) -- it's 
very common for people to write to our list asking how to (un)subscribe 
to the official school list


for that matter, on any list discussing mail handling, or perhaps 
server-side software in general, I expect the word "unsubscribe" is 
quite common


Would I be correct in assuming that most or all of those messages have 
more words in the subject than just the single word "unsubscribe"?  Or 
at least some message content?


If the message body is empty and the subject only contains the word 
"unsubscribe," it's probably a safe bet to assume it's an attempt to 
remove someone from the list and not a question or comment.


--
Kelson Vibber
SpeedGate Communications 

[OT] Re: unsubscribe

[Karsten Bräckelmann]

This thread is way off-topic -- it should better be googled for on any
random list, rather than re-iterating the arguments over and over.
Anyone thinks he can contribute something new that hasn't been mentioned
on lists for years?

EOT, please.


> > > If you want to tell somebody how to unsubscribe, please do it off 
> > > list. [...]

IMHO replying to the OP and the list is better, so everyone else knows
the OP already has been told how to do it. Without Cc'ing the list, the
OP might get hundreds of identical replies -- or none.

> > But I agree, a better solution is to have the list server 'reject' 
> > unsubscribe messages. :)
> 
> A better solution would be to automatically handle the request as it was 
> intended.

Please keep in mind, we (as in the SA team) do not run the list server.
We are using the ASF infrastructure. There is no way for us to do any
such customizations.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: I am getting all external domain emails subject tagged as SpamSpam

[Charles Gregory]

Firstly, PLEASE DIRECT ALL REPLIES TO LIST, not my personal email.

On Wed, 30 Sep 2009, Nauman Yousuf wrote:
i dont know , how subject is filled with spaces , what i need to check 
am clue less this is happening from last 3 days


First question of troubleshooting: What changed?

If it worked 4 days ago, and didn't work 3 days ago, something changed
between 3 and 4 days to make it stop working. Isolate the time it stopped 
working, and check for ALL changes to the server at that time. Files, 
permissions, disk full, anything.


- C

Re: Hostkarma: to be or not to be in SA defaults

[Raymond Dijkxhoorn]

Hi!


I have a lot of mighty servers set up ad have servers at 4 locations. I
have 50mb bought and using about 30 of it now. I am not sure what it
takes to support a default SA inclusion. Does anyone know if what I
described sounds like it is enough?


You personally run all mirrors for DNS lookups?  I believe all the other 
major DNSBL's have many mirrors not all hosted in the same place.


With SURBL we use much more then 50 mbit. And dont even mention the stuff 
you get for free with the regular DDoS once you get on the radar. If you 
say, hey i have 20 mbit this should do the trick. Please stop. Seriously.


It certainly does not sound as enough to me. But then again, i dont use 
public mirrors so it wont affect me. But i doubt its a wise move to 
include this inside SA just like that.


We advised SA in the past about inclusions like this and that time there 
was conscences about the whole idea. Imagine a floaky BL, this will impact 
the complete mailprocessing flow of many many ISPs and organisations.


Its not like pusing out a new version of RedHat (where we also provide
mirrors there) this is much more about impacting people's internal 
mailflows. I would really appreciate that this would be handled with 
great care.


Mark, how many people are there working on your BL, more then 1? Not 
saying this is bad, just pointing out the risk adding stuff inside SA. Its 
not a playground its legacy production stuff for many people.


The DoS/DDoS is really a risk, many of the BL operators have been bitten a 
lot of times. For SURBL the worst DDoS we have faced got us a little over 40 
Gbit/s. If you feel your company can live without network for some days, 
sure, go ahead :-) If not, think twice. The DDoS we had lasted for 
about 4 days. And we regularly get DDoS attacks, shorter and longer, on 
the websites


To be hounest, and this Mark, is not against you, but the current 
situation. How the servers are setup, the single company stuff with the 
RBL servers. I rather say, lets include the Barracuda BL, i am not a fan 
of that specific list, but the infra is backed up by a large company doing 
gigabits of traffic. Not a 'we have 20 mbit left over, lets do it' Any 
university user inside .nl has more then that available.


I sincerly hope people realize its a serious thing, and take this mail to 
improove things and setups. And please dont include lists that are not up 
to the task yet).


thanks for you time.

Raymond Dijkxhoorn.

Re: Hostkarma: to be or not to be in SA defaults

[Yet Another Ninja]

On 9/30/2009 10:25 PM, Raymond Dijkxhoorn wrote:

Hi!


I have a lot of mighty servers set up ad have servers at 4 locations. I
have 50mb bought and using about 30 of it now. I am not sure what it
takes to support a default SA inclusion. Does anyone know if what I
described sounds like it is enough?


You personally run all mirrors for DNS lookups?  I believe all the 
other major DNSBL's have many mirrors not all hosted in the same place.


With SURBL we use much more then 50 mbit. And dont even mention the 
stuff you get for free with the regular DDoS once you get on the radar. 
If you say, hey i have 20 mbit this should do the trick. Please stop. 
Seriously.


It certainly does not sound as enough to me. But then again, i dont use 
public mirrors so it wont affect me. But i doubt its a wise move to 
include this inside SA just like that.


We advised SA in the past about inclusions like this and that time there 
was conscences about the whole idea. Imagine a floaky BL, this will 
impact the complete mailprocessing flow of many many ISPs and 
organisations.


Its not like pusing out a new version of RedHat (where we also provide
mirrors there) this is much more about impacting people's internal 
mailflows. I would really appreciate that this would be handled with 
great care.


Mark, how many people are there working on your BL, more then 1? Not 
saying this is bad, just pointing out the risk adding stuff inside SA. 
Its not a playground its legacy production stuff for many people.


The DoS/DDoS is really a risk, many of the BL operators have been bitten 
a lot of times. For SURBL the worst DDoS we have faced got us a little 
over 40 Gbit/s. If you feel your company can live without network for 
some days, sure, go ahead :-) If not, think twice. The DDoS we had 
lasted for about 4 days. And we regularly get DDoS attacks, shorter and 
longer, on the websites


To be hounest, and this Mark, is not against you, but the current 
situation. How the servers are setup, the single company stuff with the 
RBL servers. I rather say, lets include the Barracuda BL, i am not a fan 
of that specific list, but the infra is backed up by a large company 
doing gigabits of traffic. Not a 'we have 20 mbit left over, lets do it' 
Any university user inside .nl has more then that available.


I sincerly hope people realize its a serious thing, and take this mail 
to improove things and setups. And please dont include lists that are 
not up to the task yet).


This may be of interest..
http://www.uribl.com/mirrors.shtml

SA 3.3.0 and sa-compile

[to...@starbridge.org]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,
i'm running SA 3.3.0 (3.3.0-alpha3-r808953) and i've some problem with
compiled rules.

sa-compile runs without errors, and SA seems to works fine when restarted.
But some body rules are now not detected.

exemple of simple body rule (for testing):

body TONIO_SPAM_TEST/toniospam/i
describe TONIO_SPAM_TESTMentions Generic toniospamtest
score   TONIO_SPAM_TEST 5

if i commented out
loadplugin Mail::SpamAssassin::Plugin::Rule2XSBody
in v320.pre, body rules is working again.

I've tested with SA 3.2.5 and it's working fine with Rule2XSBody active.
I've tried to delete compiled rules and compile again: same result.

Some info on my environnement:
debian testing
perl v5.10.0
xsubpp version 2.200401 (from debian perl package)
re2c version 0.13.5-1

Thanks for your help
Regards
Tonio

NB: sorry for this second post, but i've made a mistake with the
previous one (replying to  an other thread)

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkrDzE4ACgkQ8FtMlUNHQINOIgCeIgXvgz5VafWgZmeb7RhS3vvo
7ZUAn0+ANE9/uzBbSTcCsn26PGVHlflt
=sq17
-END PGP SIGNATURE-

Re: Hostkarma: to be or not to be in SA defaults

[Warren Togami]

Nobody has yet proposed HOSTKARMA to become enabled by default.  I am 
only interested at the moment in testing how good it is in masschecks.


I would like to similarly add other DNSBL's that I haven't tried before 
like spameatingmonkey or intercept to the masschecks.  If you look 
around online there isn't any good measure of DNSBL quality out there. 
Our weekly_mass_check and sandbox is a very easy to way to measure this 
stuff.


http://stats.dnsbl.com/
1067 hams is really the sample size he uses to measure false positives? 
 We can do a LOT better than this.


Any other free DNSBL's people are interested in testing?

Warren Togami
wtog...@redhat.com

Re: DNSWL and JMF White false positives, what to do exactly?

[mouss]

Warren Togami wrote:
> I scanned my spam folders and found a few false positives that hit on
> either DNSWL 

FP with DNSWL?

FP = False Positive = legitimaite mail tagged as spam
DNSWL = Whitelist

if your system adds points because of dnswl, you have a serious problem. ..

or do you mean FN (false negative)?

> or JMF (HOSTKARMA?  See how confusing it is not knowing
> what to call it?)
> 
> Is there an easy automated way we can forward FP's to DNSWL and JMF so
> their maintainers can decide what to do about the offending senders?

offending? then you probably mean FN.

yes, you can report offending IPs, if that makes sense. for example, if
the offending IP is that of an ISP relay, then don't report it: ISPs do
relay spam. if on the other hand you see FNs from paypal or bank of
blahblah, then do submit.

> I'd
> attach it to mail but it might get caught in the spam filter...
> 

post the s(p)ample on a web site instead. you can use pastebin for example.

Re: Hostkarma: to be or not to be in SA defaults

[Rick Macdougall]

Yet Another Ninja wrote:

On 9/30/2009 10:25 PM, Raymond Dijkxhoorn wrote:
I sincerly hope people realize its a serious thing, and take this mail 
to improove things and setups. And please dont include lists that are 
not up to the task yet).


This may be of interest..
http://www.uribl.com/mirrors.shtml


I can see myself :)

Regards,

Rick

Re: DNSWL and JMF White false positives, what to do exactly?

[Henrik K]

On Wed, Sep 30, 2009 at 11:35:31PM +0200, mouss wrote:
> 
> yes, you can report offending IPs, if that makes sense. for example, if
> the offending IP is that of an ISP relay, then don't report it: ISPs do
> relay spam.

Ehm.. surely you should report spam sending ISP relays if they are
miscategorized as low or higher.

Re: DNSWL and JMF White false positives, what to do exactly?

[RW]

On Wed, 30 Sep 2009 23:35:31 +0200
mouss  wrote:

> Warren Togami wrote:
> > I scanned my spam folders and found a few false positives that hit
> > on either DNSWL 
> 
> FP with DNSWL?
> 
> FP = False Positive = legitimaite mail tagged as spam
> DNSWL = Whitelist

The term  false-positive can apply to any test. A test for ham
that matches a spam is a false-positive, it's a matter of context.

Re: DNSWL and JMF White false positives, what to do exactly?

[Karsten Bräckelmann]

On Wed, 2009-09-30 at 23:35 +0200, mouss wrote:
> Warren Togami wrote:
> > I scanned my spam folders and found a few false positives that hit on
> > either DNSWL 
> 
> FP with DNSWL?
> 
> FP = False Positive = legitimaite mail tagged as spam
> DNSWL = Whitelist

False positive. Something, that matches (positive) the criterion for a
certain test, but should not (false).

> if your system adds points because of dnswl, you have a serious problem. ..
> 
> or do you mean FN (false negative)?

Granted, the wording ("FPs that hit ham rules") could need some polish,
but I believe Warren was talking about spam that falsely hits ham rules.


-- 
char *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0; }}}

Re: Understanding the hostKarma Lists

[Marc Perkel]

Blaine Fleming wrote:

  Marc Perkel wrote:
  
  
I like it.

RCVD_IN_HOSTKARMA_BL
RCVD_IN_HOSTKARMA_WL
RCVD_IN_HOSTKARMA_YL
RCVD_IN_HOSTKARMA_BR

Let's go with it.

  
  
Marc, have you updated your wiki to reflect the new rules?  I think that
will pretty well settle any debate or question people have.

--Blaine

  


Yes - the wiki is updated.

.cn Oddity

[Warren Togami]

uri T_CN_URL  /[^\/]+\.cn(?:$|\/|\?)/i
describe T_CN_URL Contains a URL in the .cn domain

uri T_CN_8_URL  /[\/.]+\w{8}\.cn(?:$|\/|\?)/i
describe T_CN_8_URL Contains a URL in the .cn domain of exactly 8 
characters long


http://ruleqa.spamassassin.org/20090930-r820211-n/T_CN_URL/detail
Last night's masscheck.  63243 out of 124241 spam hits T_CN_URL, nearly 51%.

7263 T_CN_URL hits in 15517 spam corpus
7200 T_CN_8_URL hits in 15517 spam corpus

Does this make any sense?  This is funny.  Could someone add this rule 
to the sandbox?  I'm just curious.


Warren Togami
wtog...@redhat.com

Re: Hostkarma: to be or not to be in SA defaults

[SM]

Hi Marc,
At 09:32 30-09-2009, Marc Perkel wrote:
I have a lot of mighty servers set up ad have servers at 4 
locations. I have 50mb bought and using about 30 of it now. I am not 
sure what it takes to support a default SA inclusion. Does anyone 
know if what I described sounds like it is enough?


They can still be a soft target.  Most of the DNSBLs were unprepared 
to deal with denial of service attacks.  Some of them have closed 
down after an attack.  That can be a problem for users as most people 
have a "configure and forget" setup or it's a default vendor setup.


The bandwidth may be enough for current usage.  The more mirrors you 
have, the better.  If your DNSBL is effective, you might be able to 
get help with that.  The "problems" with your setup is not worse than 
other resources that are commonly used by users from this mailing list.


Someone pointed out that it's not a good idea to do more DNS lookups 
as it affects the performance of SpamAssassin.  It does not matter 
whether your DNSBL is included in the default configuration as people 
will use it if they believe that it is effective in stopping 
spam.  If you are concerned about marketing, then it may matter to you. :-)


Regards,
-sm 

RE: Understanding the hostKarma Lists

[R-Elists]

marc
 
dont forget this one
 
http://wiki.apache.org/spamassassin/MarcPerkelsExperiments
 
 - rh


  _  

From: Marc Perkel [mailto:m...@perkel.com] 
 snip 

Yes - the wiki is updated.