RE: exclude domain from server-wide

2009-10-15 Thread R-Elists
 
> 
> I am running a qmail + simscan + spamassassin + clamav on a 
> centos 5.3.
> 
> Regards
> 

s..a..l...@gmail,

there are many ways to do it...

you could try

@example.com

in your 

/var/qmail/control/badmailfrom

might work... depending on some factors...

you could smtp reject above a certain score and do a blacklist in your SA
configs and reject it that way...

lots of ways...

be creative...

 - rh



Re: [SA] SpamAssassin is not a filter

2009-10-15 Thread Per Jessen
Adam Katz wrote:

> If you own a company trying to *trademark* something with the word
> "Spam" in it (e.g. "SpamArrest"), that infringes upon their trademark.
> If you own a company with a product with the word "Spam" in it and
> you don't try to trademark it (e.g. SpamAssassin, SpamCop), they won't
> pursue (as it would be along fair use law rather than trademark law).

The EU trademark database has 44 hits on registered trademarks
containing 'spam', including Spamhaus, Spamfighter, SpamTrap, noSpam
Proxy, Spamfinder, SPAMNET and SPAMASSASSIN.  


/Per Jessen, Zürich



svn rules and viewvc

2009-10-15 Thread R-Elists

i used to be able to use wget to "easily" download rules from jhardin and
other sandboxes

now with this new viewvc, it is a total pain in the backside to do anything.

how do we make it so it is easy to get the sandbox rules again?

 - rh



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Per Jessen
Rick Knight wrote:

> What are you using to filter on HELO-no-dots? I've looked at milter-regex,
> but I can't get it to build on my slackware 12 system.
> 

In postfix, it's easily done with smtpd_helo_restrictions =
check_helo_access pcre:/etc/postfix/table

Table would contain a line like this:

/^[^.]+$/   554 something



/Per Jessen, Zürich



Re: [SA] sneaky pharma spam shooting past standard rules

2009-10-15 Thread Henrik K
On Thu, Oct 15, 2009 at 03:43:52PM -0400, Adam Katz wrote:
> 
> # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
> header   MC_TAB_IN_FROM  From:raw =~ /^\t/m
> describe MC_TAB_IN_FROM  From: Contains a tab
> score    MC_TAB_IN_FROM  0.6  # 20091015, considering bump to 1.2

You missed the important post:

http://mail-archives.apache.org/mod_mbox/spamassassin-users/200908.mbox/%3c200908222035.57647.mark.martinec...@ijs.si%3e



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Kurt Buff
Sure. Here's a snippet from main.cf:

--begin snippet--
smtpd_recipient_restrictions =
 reject_non_fqdn_recipient
 reject_non_fqdn_sender
 reject_unknown_sender_domain
 reject_unknown_recipient_domain
 permit_mynetworks
 reject_unauth_destination
 check_recipient_access hash:/usr/local/etc/postfix/roleaccount_exceptions
 reject_non_fqdn_hostname
 reject_invalid_hostname
 check_helo_access pcre:/usr/local/etc/postfix/helo_checks
 reject_rbl_client zen.spamhaus.org
 reject_rbl_client bl.spamcop.net
 permit

strict_rfc821_envelopes=yes
--end snippet--

Kurt

On Thu, Oct 15, 2009 at 16:31, MySQL Student wrote:
> Hi,
>
>> With this:
>>
>>      Received: from public30108.xdsl.centertel.pl (HELO
>> marcin-8963fd6f) (79.163.117.156)
>>
>> my postfix setup would have simply dropped it on the floor at the
>> HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't
>> talk to it.
>
> Kurt, can you explain how you're doing it with postfix?
>
> Thanks,
> Alex
>
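
The restriction lists posted in this thread are walked in order and the first entry that fires decides, which is why permit_mynetworks has to sit ahead of the HELO checks if local MUAs that HELO with a bare hostname are to keep working. The Python below is an added example, not Postfix code and not from any poster: it models reject_invalid_helo_hostname, reject_non_fqdn_helo_hostname (Per Jessen's /^[^.]+$/ pcre line is the same test) and permit_mynetworks over a restriction list in the shape LuKreme posted, then evaluates the HELO from the pasted spam against it. The networks, client addresses and HELO names other than the one from the thread are made up, and the syntax check is an approximation of Postfix's own, which has further rules.

```python
import ipaddress
import re

# Constructed for this example: the networks a permit_mynetworks entry
# would exempt.  Not from the thread.
MYNETWORKS = [ipaddress.ip_network("127.0.0.0/8"),
              ipaddress.ip_network("192.168.1.0/24")]

# Per Jessen's pcre table line /^[^.]+$/ and Postfix's
# reject_non_fqdn_helo_hostname test the same thing: no dot in the HELO.
NO_DOTS = re.compile(r"^[^.]+$")

# One DNS label: letters, digits, hyphens; no leading/trailing hyphen.
# Approximation of Postfix's hostname syntax check, which has more rules.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_address_literal(helo):
    """HELO [203.0.113.5] or [IPv6:...] is valid per RFC 5321 and is not
    rejected by reject_non_fqdn_helo_hostname."""
    if not (helo.startswith("[") and helo.endswith("]")):
        return False
    addr = helo[1:-1]
    if addr.startswith("IPv6:"):
        addr = addr[5:]
    try:
        ipaddress.ip_address(addr)
        return True
    except ValueError:
        return False


def invalid_helo_hostname(helo):
    """reject_invalid_helo_hostname: HELO argument is syntactically bad."""
    if is_address_literal(helo):
        return False
    return not helo or not all(LABEL.match(label) for label in helo.split("."))


def non_fqdn_helo_hostname(helo):
    """reject_non_fqdn_helo_hostname: HELO is neither a dotted name nor an
    address literal (the 'marcin-8963fd6f' case from the pasted spam)."""
    if is_address_literal(helo):
        return False
    return bool(NO_DOTS.match(helo))


def permit_mynetworks(client_ip):
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in MYNETWORKS)


# Ordered list in the shape of LuKreme's smtpd_helo_restrictions.  Each
# entry is (restriction name, predicate); a predicate returning True means
# the restriction fires.  permit_* fires mean PERMIT, reject_* mean REJECT.
HELO_RESTRICTIONS = [
    ("permit_mynetworks", lambda ip, helo: permit_mynetworks(ip)),
    ("reject_invalid_helo_hostname", lambda ip, helo: invalid_helo_hostname(helo)),
    ("reject_non_fqdn_helo_hostname", lambda ip, helo: non_fqdn_helo_hostname(helo)),
    ("permit", lambda ip, helo: True),
]


def evaluate(restrictions, client_ip, helo):
    """First match wins, as in smtpd: return (action, restriction) for the
    restriction that fired, or ("DUNNO", None) if none did (smtpd would then
    move on to the next restriction list)."""
    for name, fires in restrictions:
        if fires(client_ip, helo):
            action = "PERMIT" if name.startswith("permit") else "REJECT"
            return action, name
    return "DUNNO", None


if __name__ == "__main__":
    cases = [
        ("79.163.117.156", "marcin-8963fd6f"),   # relay from the pasted spam
        ("192.168.1.20", "laptop"),              # constructed: local MUA, bare name
        ("203.0.113.5", "mail.example.org"),     # constructed: proper FQDN
        ("203.0.113.5", "bad!host"),             # constructed: illegal character
        ("203.0.113.5", "[203.0.113.5]"),        # constructed: address literal
    ]
    for ip, helo in cases:
        print("%-16s helo=%-18s -> %s %s" % ((ip, helo) + evaluate(HELO_RESTRICTIONS, ip, helo)))
```

The local-MUA case is John Hardin's concern further down the thread: with permit_mynetworks listed first the bare "laptop" HELO from 192.168.1.20 is permitted before the HELO checks are reached, while the same HELO from outside is rejected. Dropping permit_mynetworks from the list, or moving it after the reject_* entries, turns that into a reject.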


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread MySQL Student
Hi,

> smtpd_helo_restrictions = permit_mynetworks,
>        reject_invalid_helo_hostname,
>        reject_non_fqdn_helo_hostname,
>        permit

I'm currently using reject_non_fqdn_sender and
reject_non_fqdn_recipient. I wanted to be sure I should use the two
helo restrictions you've listed above in addition to the ones I'm
already using, correct?

Hopefully not too far off-topic now, but this is the total list of
restrictions I'm currently using:

smtpd_recipient_restrictions = permit_mynetworks,
reject_non_fqdn_sender, reject_non_fqdn_recipient,
reject_unknown_sender_domain, reject_unknown_recipient_domain,
check_client_access hash:/etc/postfix/client_access,
reject_unauth_destination, check_recipient_access
pcre:/etc/postfix/relay_recips_access,  reject_unauth_pipelining,
reject_invalid_hostname

Thanks,
Alex


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Ned Slider

John Hardin wrote:
> On Thu, 15 Oct 2009, LuKreme wrote:
>> On 15-Oct-2009, at 17:57, LuKreme wrote:
>>> smtpd_helo_restrictions = permit_mynetworks,
>>>  reject_invalid_helo_hostname,
>>>  reject_non_fqdn_helo_hostname,
>>>  permit
>>
>> Oh, and for the record, on my mail server these two restrictions stop
>> 50% of all attempted connections. That's 50% that don't even make it
>> to transaction, much less to SpamAssassin.
>
> I haven't run the numbers, but that sounds about like what I'm seeing too.

I'm using the same restrictions and reject_non_fqdn_helo_hostname
routinely drops around a third of all connections to my server. You guys
seeing rates closer to 50% probably just have a higher proportion of
spam (to ham) than me.

No point hitting DNSBLs with this traffic - may as well reject it up front.



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread d . hill

Quoting LuKreme:
> On 15-Oct-2009, at 17:31, MySQL Student wrote:
>> Hi,
>>
>>> With this:
>>>
>>> Received: from public30108.xdsl.centertel.pl (HELO
>>> marcin-8963fd6f) (79.163.117.156)
>>>
>>> my postfix setup would have simply dropped it on the floor at the
>>> HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't
>>> talk to it.
>>
>> Kurt, can you explain how you're doing it with postfix?
>
> I'm not kurt, but how about
>
>  reject_unknown_sender_domain
>
> That's what I use.

That will reject unknown sender domains. How about:

  reject_non_fqdn_helo_hostname

An example from the logs:

Oct 16 00:00:05 smtpgate postfix/smtpd[80448]: NOQUEUE: reject: RCPT
from 68.115.206-77.rev.gaoland.net[77.206.115.68]:2082: 504 5.5.2
: Helo command rejected: need fully-qualified
hostname; from= to= proto=ESMTP
helo=





Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Chris
On Thu, 2009-10-15 at 09:38 -0600, Jason Haar wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares.  Clever usage of SPANs appear to enable it
> to sneak straight by SA.
> 
> http://pastebin.com/m56d2db96
> 
> Is this something SA normally has components in place to catch/parse?
> 
FWIW short-circuit kicked in when the clamav plugin hit. I'm running the
third party sigs and it hit on Sanesecurity.Hdr.8239.UNOFFICIAL.

-- 
KeyID 0xE372A7DA98E6705C





Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin

On Thu, 15 Oct 2009, LuKreme wrote:
> On 15-Oct-2009, at 17:57, LuKreme wrote:
>> smtpd_helo_restrictions = permit_mynetworks,
>>  reject_invalid_helo_hostname,
>>  reject_non_fqdn_helo_hostname,
>>  permit
>
> Oh, and for the record, on my mail server these two restrictions stop
> 50% of all attempted connections. That's 50% that don't even make it to
> transaction, much less to SpamAssassin.

I haven't run the numbers, but that sounds about like what I'm seeing too.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Win95: Where do you want to go today?
  Vista: Where will Microsoft allow you to go today?
---
 14 days since a sunspot last seen - EPA blames CO2 emissions


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread LuKreme

On 15-Oct-2009, at 17:57, LuKreme wrote:
> smtpd_helo_restrictions = permit_mynetworks,
> reject_invalid_helo_hostname,
> reject_non_fqdn_helo_hostname,
> permit

Oh, and for the record, on my mail server these two restrictions stop
50% of all attempted connections. That's 50% that don't even make it
to transaction, much less to SpamAssassin.


--
Oh, he's just like any other man, only more so.



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread LuKreme

On 15-Oct-2009, at 17:31, MySQL Student wrote:
> Kurt, can you explain how you're doing it with postfix?


Sorry, pasted the wrong thing in the previous email.

smtpd_helo_restrictions = permit_mynetworks,
reject_invalid_helo_hostname,
reject_non_fqdn_helo_hostname,
permit


--
Rincewind had always been happy to think of himself as a racist.
The One Hundred Meters, the Mile, the Marathon -- he'd run them
all.



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread LuKreme

On 15-Oct-2009, at 17:31, MySQL Student wrote:
> Hi,
>
>> With this:
>>
>>  Received: from public30108.xdsl.centertel.pl (HELO
>> marcin-8963fd6f) (79.163.117.156)
>>
>> my postfix setup would have simply dropped it on the floor at the
>> HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we
>> don't talk to it.
>
> Kurt, can you explain how you're doing it with postfix?

I'm not kurt, but how about

 reject_unknown_sender_domain

That's what I use.

--
Oh never resist an impulse, Sabrina. Especially if it's terrible.



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Adam Katz
Rick Knight wrote:
> John,
> 
> What are you using to filter on HELO-no-dots? I've looked at milter-regex,
> but I can't get it to build on my slackware 12 system.

That would be the __HELO_NO_DOMAIN rule, modified from vanilla 3.2.5
by updates.spamassassin.org to something less useful and then reverted
back by Justin Mason in subversion, see
http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/jm/20_basic.cf?revision=825439&view=markup#l84

Scoring at http://ruleqa.spamassassin.org/week/__HELO_NO_DOMAIN/detail
>> MSECS  SPAM%    HAM%    S/O    RANK  SCORE  NAME
>> 0      19.9863  1.1186  0.947  0.61  (n/a)  __HELO_NO_DOMAIN

Included in khop-general (be wary of wrapping):

# from SVN at rulesrc/sandbox/jm/20_basic.cf
header __HELO_NO_DOMAIN  X-Spam-Relays-External =~ /^[^\]]+ helo=[^\.]+ /

meta  KHOP_NO_FQDN   __HELO_NO_DOMAIN && (RDNS_NONE || RDNS_DYNAMIC)
describe KHOP_NO_FQDN  HELO: not a domain, no static reverse DNS on IP
score KHOP_NO_FQDN 0.5 # 20090603

I used  (RDNS_NONE || RDNS_DYNAMIC)  in an attempt to limit the damage
to ham ... my recollection is that the rulesqa stats were less
favorable when I wrote the rule back in June.  I saved a copy of
__HELO_NO_DOMAIN spam/ham hits over time (those disappear
occasionally) at http://yfrog.com/athelonodomainhist2009101g -- it
does appear to have had more FPs.

This rule needs to be revisited as it doesn't hit anything despite the
fact that it blends only high-traffic rules:

rule            my spam%  corpus%  %of RDNS_NONE  %of RDNS_DYN
__HELO_NO_FQDN  unknown   20.0%    86%            <21%
RDNS_NONE       18.8%     57.6%    100%           0%
RDNS_DYNAMIC    9.9%      25.6%    0%             100%
KHOP_NO_FQDN    0.1%      unknown  (2.2%)         (0%)

If you're wondering why these are so low ... I use greylisting, which
is specifically good at picking out what these rules catch.  Assuming
86% overlap with RDNS_NONE (and no overlap with RDNS_DYNAMIC),
KHOP_NO_FQDN would catch 50% of the spam corpus, which is serious
stuff, but using my own overlap number of 2.2%, that's 1.27%, which
might not be so bad.  (Parenthesis are my own data since no data for
the masscheck is available.)
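
__HELO_NO_DOMAIN matches against the X-Spam-Relays-External pseudo-header rather than the Received: line itself, and because [^\]]+ cannot cross the closing bracket of the first relay entry, only that entry (the hop that handed the message to your trusted relays) is inspected. The Python below is an added example, not SpamAssassin code and not part of khop-general: it pulls ip/rdns/helo out of a qmail-style or Postfix-style Received: header, renders the entry in the bracketed key=value format SpamAssassin documents for X-Spam-Relays-*, applies the rule regex verbatim, and combines it with stand-ins for RDNS_NONE and RDNS_DYNAMIC the way the KHOP_NO_FQDN meta does. The RDNS_DYNAMIC stand-in is a short token list of my own, not the real rule; the first sample relay is the one from the pasted spam, the others and the receiving host name are constructed.

```python
import re

# The rule regex exactly as quoted from rulesrc/sandbox/jm/20_basic.cf.
HELO_NO_DOMAIN = re.compile(r"^[^\]]+ helo=[^\.]+ ")

# Received: header shapes.  qmail writes "from RDNS (HELO NAME) (IP)" as in
# the pasted spam; Postfix writes "from NAME (RDNS [IP])" with RDNS
# "unknown" when there is no reverse DNS.
QMAIL_RCVD = re.compile(r"from (?P<rdns>\S+) \(HELO (?P<helo>\S+)\) \((?P<ip>[0-9.]+)\)")
POSTFIX_RCVD = re.compile(r"from (?P<helo>\S+) \((?P<rdns>\S+) \[(?P<ip>[0-9.]+)\]\)")

# Stand-in for SpamAssassin's RDNS_DYNAMIC, which is far more thorough:
# a few tokens that usually mark consumer/dynamic address space.
DYNAMIC_HINT = re.compile(r"(?:^|[.-])(?:x?dsl|adsl|dyn|dhcp|ppp|cable|pool)(?=[.-]|\d)", re.I)


def relay_from_received(received):
    """Return (ip, rdns, helo) for the first recognised Received: shape,
    with rdns "" when the MTA logged it as unknown; None if unparseable."""
    for pattern in (QMAIL_RCVD, POSTFIX_RCVD):
        m = pattern.search(received)
        if m:
            rdns = "" if m.group("rdns") == "unknown" else m.group("rdns")
            return m.group("ip"), rdns, m.group("helo")
    return None


def relays_external(relays, by="mx.example.test"):
    """Render relays as the X-Spam-Relays-External pseudo-header, in the
    bracketed key=value format SpamAssassin documents, last external hop
    first.  `by` is a constructed receiving host name."""
    return " ".join(
        "[ ip=%s rdns=%s helo=%s by=%s ident= envfrom= intl=0 id= auth= msa=0 ]"
        % (ip, rdns, helo, by)
        for ip, rdns, helo in relays)


def score_relay(ip, rdns, helo):
    """Evaluate __HELO_NO_DOMAIN, the RDNS stand-ins and the KHOP_NO_FQDN
    meta for one last-external relay; returns {rule: hit?}."""
    pseudo = relays_external([(ip, rdns, helo)])
    hits = {
        "__HELO_NO_DOMAIN": bool(HELO_NO_DOMAIN.search(pseudo)),
        "RDNS_NONE": rdns == "",
        "RDNS_DYNAMIC": bool(rdns) and bool(DYNAMIC_HINT.search(rdns)),
    }
    hits["KHOP_NO_FQDN"] = hits["__HELO_NO_DOMAIN"] and (hits["RDNS_NONE"] or hits["RDNS_DYNAMIC"])
    return hits


def score_received(received):
    """Convenience wrapper: Received: line in, rule hits out (None if unparseable)."""
    relay = relay_from_received(received)
    return None if relay is None else score_relay(*relay)


if __name__ == "__main__":
    # First line is the one from the pasted spam; the others are constructed.
    samples = [
        "Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f) (79.163.117.156) by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300",
        "Received: from laptop (unknown [203.0.113.8]) by mx.example.test (Postfix) with ESMTP id 4F00B1",
        "Received: from mail.example.org (mail.example.org [203.0.113.7]) by mx.example.test (Postfix) with ESMTP id 4F00B2",
    ]
    for s in samples:
        print(relay_from_received(s), score_received(s))
```

Two things the regex itself decides, and which the samples exercise: a HELO given as an address literal like [203.0.113.9] does not hit __HELO_NO_DOMAIN because the dots in the literal stop [^\.]+, and a bare HELO from a host with static-looking reverse DNS hits __HELO_NO_DOMAIN but not KHOP_NO_FQDN, which is exactly the ham-limiting effect the (RDNS_NONE || RDNS_DYNAMIC) clause is meant to have.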


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread MySQL Student
Hi,

> With this:
>
>      Received: from public30108.xdsl.centertel.pl (HELO
> marcin-8963fd6f) (79.163.117.156)
>
> my postfix setup would have simply dropped it on the floor at the
> HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't
> talk to it.

Kurt, can you explain how you're doing it with postfix?

Thanks,
Alex


Re: dns query timed out while sa-update

2009-10-15 Thread Matthias Leisi

wild_oscar schrieb:

> I might leave it at that. The problem that I've been scratching my head
> about is why does it work when using the nameserver directly but not when
> using the router's IP address, which is forwarding to the same address.
> It might be a problem with the router, although it is a brand new d-link
> dva-g3170i.

Cheap consumer-level routers tend to do funny things. Drop connections,
unable to establish new connections, malformed/missing DNS responses...

It is usually helpful to actually use dig for diagnosis of DNS issues,
and pay attention to which DNS server is actually delivering results to
your resolver.

-- Matthias


Re: SpamAssassin is not a meat butcher

2009-10-15 Thread Adam Katz
LuKreme wrote:
> SpamArrest WON THEIR TRADEMARK.

And for that I am glad.

Perhaps my personal stance was improperly gauged; I understand
Hormel's stance and actions, though I wouldn't support their legal
actions and I sided with SpamArrest's fair usage given Hormel's stated
policies.  I see nothing wrong with electronic filtering programs and
devices having either "Spam" or "spam" in their title (though "SPAM"
is questionable) as it is difficult to confuse with Hormel's markets.

> Hormel only stopped acting like total asshats after they lost all
> their court cases.
> 
> This is just revisionist. Hormel was frothing for several years
> there threatening anyone and everyone who referred to spam as spam.

Hormel's official stance looks unchanged since before that trial:
http://www.dmnews.com/Eat-SPAM-Say-Spam-Just-Dont-Try-to-Trademark-Spam-Hormel/article/81424/

Perhaps their lawsuits warrant removing "gracious" from aptly
describing them, but the policy still stands today.  Heck, it's even
profitable ... outside of Hawaii, every purchase I've seen* of SPAM
has been for novelty or exploratory purposes, inspired by email spam.


Getting back to my original point, spam in our context should be
treated as a noun or adjective rather than a proper noun or "proper
adjective" (Hormel's suggested notation for their product is an
all-caps adjective).  It should be capitalized only when leading a
sentence or within the name of a product as its name dictates
(SpamAssassin, SPAM, SpamArrest, spam.  Spam leading a sentence).


* Note, I don't hang around Hormel's target audience or otherwise have
interest in Nascar.


Re: [SA] sneaky pharma spam shooting past standard rules

2009-10-15 Thread Benny Pedersen

On Thu 15 Oct 2009 09:43:52 PM CEST, Adam Katz wrote
> # @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
> header   MC_TAB_IN_FROM  From:raw =~ /^\t/m
> describe MC_TAB_IN_FROM  From: Contains a tab
> score    MC_TAB_IN_FROM  0.6  # 20091015, considering bump to 1.2

also tab on date

maybe meta both, so

--
xpoint



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin

On Thu, 15 Oct 2009, Matus UHLAR - fantomas wrote:
>>>> What are you using to filter on HELO-no-dots?
>>>
>>> I'm using milter-regex. My sample config is here:
>>>
>>>   http://www.impsec.org/~jhardin/antispam/
>>>
>>> What is your MTA if it's not sendmail? It may have a similar
>>> capability built in.
>
> On 15.10.09 10:22, Rick Knight wrote:
>> I'm using Sendmail and I've built it with milter support.
>
> use
>
> FEATURE(`block_bad_helo')
>
> in sendmail.mc

Has it been made easier to exclude netblocks - like your local network -
from that check? You don't want to do HELO rejects on mail originating
from local network MUAs that are misconfigured.


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  I would buy a Mac today if I was not working at Microsoft.
  -- James Allchin, Microsoft VP of Platforms
---
 14 days since a sunspot last seen - EPA blames CO2 emissions


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Benny Pedersen

On Thu 15 Oct 2009 09:24:44 PM CEST, Matus UHLAR - fantomas wrote
> FEATURE(`block_bad_helo')
> in sendmail.mc


if i remember sendmail it need to be added in sendmail.m4 and when  
saved, m4 sendmail.m4 will create sendmail.mc


--
xpoint



Re: [SA] sneaky pharma spam shooting past standard rules

2009-10-15 Thread Adam Katz
Jari Fredriksson wrote:
>  1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
>  0.9 RCVD_IN_PBLRBL: Received via a relay in Spamhaus PBL
>  1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
>  0.0 PRICES_ARE_AFFORDABLE  BODY: Message says that prices aren't too
>  0.3 KHOP_HELO_FCRDNS   Relay HELO differs from its IP's reverse DNS
>  1.2 KHOP_2IPS_RCVD Received: Relay identifies itself as wrong IP
>  6.0 L_TAB_IN_FROM  L_TAB_IN_FROM
>  4.0 BOTNET Relay might be a spambot or virusbot
>  2.0 BAYES_80   BODY: Bayesian spam probability is 80 to 95%
>  1.0 HTML_MESSAGE   BODY: HTML included in message
>  2.0 KHOP_DNSBL_BUMPHits a trusted non-overlapping DNSBL

Of those 20.2 points, 2.9 are from stock SA, and the 2.0 from Bayes
doesn't count in helping people's configs.  HTML_MESSAGE is dangerous
to bump up to 1.0 ... MIME_HTML_ONLY (1.5) takes care of most of the
HTML-based spam, while HTML_MESSAGE will trip over almost everything
(it hit 87% of the masscheck spam but also hit 27% of the ham), see
http://ruleqa.spamassassin.org/week/HTML_MESSAGE/detail

Of the remaining points, my channels (see link in my sig) contributed
6.2 by bringing in BRBL and HostKarma (plus DNSBL_BUMP) plus my other
rules like 2IPS (though the original post had "IN_BCUDA_RBL" plus some
rules penalizing mail from New Zealand).

The rest comes from BotNet and whatever L_TAB_IN_FROM is.
Google directs me to a post to this list from two months ago
(2009/08/22 18:19 UTC and 2009/08/06 20:50 UTC, both from Mike Cappella).

A score of 6 is FREAKISHLY high, even for something with a very low FP
rate.  I'd score that around 1.2 if I trusted it.  I like it, so I'm
throwing it in khop-general as MC_TAB_IN_FROM scoring at 0.6 for now:

# @Mike Cappella on sa-users, 20090806 20:50 UTC + 20090822 at 18:19
header   MC_TAB_IN_FROM  From:raw =~ /^\t/m
describe MC_TAB_IN_FROM  From: Contains a tab
score    MC_TAB_IN_FROM  0.6  # 20091015, considering bump to 1.2

-- 
Adam Katz
khopesh on irc://irc.freenode.net/#spamassassin
http://khopesh.com/Anti-spam
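
The /m modifier is what makes this rule work: ^ then matches at the start of every line of the header value, and :raw keeps the folding intact so a continuation line that begins with a tab is still there to be matched. The Python below is an added example, not SpamAssassin's own header handling: raw_header() returns the folded value as-is, unfolded_header() shows what the same header looks like once folding is undone, and tab_rule_hits() applies /^\t/m to From: and, as Benny suggests further up, to Date:. Both sample messages are constructed for the example; how SpamAssassin treats the single whitespace right after the colon is not covered here, the helper simply keeps whatever follows it.

```python
import re

# The posted rule:  header MC_TAB_IN_FROM  From:raw =~ /^\t/m
TAB_AT_LINE_START = re.compile(r"^\t", re.M)


def raw_header(message, name):
    """Raw value of the first `name` header: everything after the colon,
    continuation lines included with their line breaks, as :raw presents
    it.  None when the header is absent."""
    head = message.split("\n\n", 1)[0]
    value, capturing = [], False
    for line in head.split("\n"):
        if capturing:
            if line[:1] in (" ", "\t"):      # folded continuation line
                value.append(line)
                continue
            break
        if line.lower().startswith(name.lower() + ":"):
            value.append(line[len(name) + 1:])
            capturing = True
    return "\n".join(value) if capturing else None


def unfolded_header(message, name):
    """What the same header looks like without :raw: folding undone and
    whitespace runs collapsed, so a tab-led continuation line cannot hit."""
    raw = raw_header(message, name)
    return None if raw is None else " ".join(raw.split())


def tab_rule_hits(message, names=("From", "Date"), raw=True):
    """Apply /^\t/m to the named headers (Benny's 'also tab on date') and
    return the ones that hit.  raw=False runs the rule against unfolded
    headers instead, where a continuation tab never fires."""
    get = raw_header if raw else unfolded_header
    hits = []
    for name in names:
        value = get(message, name)
        if value is not None and TAB_AT_LINE_START.search(value):
            hits.append(name)
    return hits


# Both messages are constructed for this example.
FOLDED_WITH_TABS = (
    "Return-Path: <bounce@example.test>\n"
    "From: \"Pharmacy Deals\"\n"
    "\t<deals@example.test>\n"
    "Date: Thu, 15 Oct 2009 10:00:00\n"
    "\t+0000\n"
    "Subject: hello\n"
    "\n"
    "body\n")

PLAIN = (
    "From: Alice <alice@example.test>\n"
    "Date: Thu, 15 Oct 2009 10:00:00 +0000\n"
    "Subject: hello\n"
    "\n"
    "body\n")

if __name__ == "__main__":
    print(tab_rule_hits(FOLDED_WITH_TABS))             # ['From', 'Date']
    print(tab_rule_hits(FOLDED_WITH_TABS, raw=False))  # []
    print(tab_rule_hits(PLAIN))                        # []
```

The raw=False run is the point of the :raw suffix: on the unfolded value the tab is gone and the rule is dead, which is also why a rule written as From =~ /^\t/m without :raw would be silently useless.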


Re: SpamAssassin is not a filter

2009-10-15 Thread LuKreme

On 15-Oct-2009, at 13:21, Adam Katz wrote:
> LuKreme wrote:
>> On 15-Oct-2009, at 12:40, Adam Katz wrote:
>>> They've been very gracious to our community so far,
>>
>> Since they stopped trying to sue everyone?
>>
>> No wait, they didn't stop, they just lost their lawsuits.
>>
>> Yeah, not really seeing that 5 year legal battle with SpamArrest as
>> gracious, myself. I suspect SpamArrest and their more than
>> $500,000 in legal bills would agree. Neither would other victims of
>> Hormel's sue-happy camp of lawyers (EarthLink, Postini, et al).
>>
>> Gracious?
>
> If they were not gracious, they would have taken a firmer stance
> against any use of their SPAM brand pertaining to email.

Firmer than suing everyone in sight?

> Hormel does not…

now that we have been bitch-slapped by the courts numerous times and
lost our long and bloody trademark exclusivity battle against SpamArrest

> …object to the term, but insists that it be spelled
> in lower case so as to distinguish it

> If you own a company trying to *trademark* something with the word
> "Spam" in it (e.g. "SpamArrest"), that infringes upon their trademark.
> If you own a company with a product with the word "Spam" in it and
> you don't try to trademark it (e.g. SpamAssassin, SpamCop), they won't
> pursue (as it would be along fair use law rather than trademark law).

SpamArrest WON THEIR TRADEMARK.

Hormel only stopped acting like total asshats after they lost all
their court cases.

This is just revisionist. Hormel was frothing for several years there
threatening anyone and everyone who referred to spam as spam.

--
I'll trade you 223 Wesley Crushers for your Captain Picard



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Kurt Buff
On Thu, Oct 15, 2009 at 08:38, Jason Haar  wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares.  Clever usage of SPANs appear to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96
>
> Is this something SA normally has components in place to catch/parse?
>
> --

With this:

  Received: from public30108.xdsl.centertel.pl (HELO
marcin-8963fd6f) (79.163.117.156)

my postfix setup would have simply dropped it on the floor at the
HELO/EHLO. If it doesn't HELO with an FQDN and a proper rDNS, we don't
talk to it.


Kurt


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Matus UHLAR - fantomas
>>> What are you using to filter on HELO-no-dots?
>>
>> I'm using milter-regex. My sample config is here:
>>
>>   http://www.impsec.org/~jhardin/antispam/
>>
>> What is your MTA if it's not sendmail? It may have a similar  
>> capability built in.

On 15.10.09 10:22, Rick Knight wrote:
> I'm using Sendmail and I've built it with milter support. I've looked at  
> your milter-regex config and it looks like something I want to  
> implement. I downloaded milter-regex, but I can't get it to build. I'll  
> email you directly with the errors I'm getting.

use

FEATURE(`block_bad_helo')

in sendmail.mc
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I feel like I'm diagonally parked in a parallel universe. 


Re: [SA] SpamAssassin is not a filter

2009-10-15 Thread Adam Katz

LuKreme wrote:
> On 15-Oct-2009, at 12:40, Adam Katz wrote:
>> They've been very gracious to our community so far,
> 
> Since they stopped trying to sue everyone?
> 
> No wait, they didn't stop, they just lost their lawsuits.
> 
> Yeah, not really seeing that 5 year legal battle with SpamArrest as
> gracious, myself. I suspect SpamArrest and their more than
> $500,000 in legal bills would agree. Neither would other victims of
> Hormel's sue-happy camp of lawyers (EarthLink, Postini, et al).
> 
> Gracious?

If they were not gracious, they would have taken a firmer stance
against any use of their SPAM brand pertaining to email.

Hormel's policy has always been to protect their trademark.  They do
NOT otherwise object to the non-capitalized use of the word "spam."
Wikipedia sums it up nicely:

> Hormel does not object to the term, but insists that it be spelled
> in lower case so as to distinguish it from its capitalized SPAM
> trademark. Hormel objects to Spam's "product identity" (for
> example, images of Spam cans) being used in relation to spamming,
> and has filed lawsuits against companies which have attempted to
> trademark words containing "Spam".

If you own a company trying to *trademark* something with the word
"Spam" in it (e.g. "SpamArrest"), that infringes upon their trademark.
 If you own a company with a product with the word "Spam" in it and
you don't try to trademark it (e.g. SpamAssassin, SpamCop), they won't
pursue (as it would be along fair use law rather than trademark law).

If a company wanted to register a trademark like "Lewis Butler
Productions," you (LuKreme, Lewis Butler) would be able to sue them
for infringing the implicit trademark you own on your name.  You'd
have a lot harder a time suing a company to rename a product called
"Lewis Butler Filter."


Re: [sa] sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin

On Thu, 15 Oct 2009, Charles Gregory wrote:
> Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is
> still catching them. LOL

None of the existing FLOAT rules caught these.

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  W-w-w-w-w-where did he learn to n-n-negotiate like that?
---
 14 days since a sunspot last seen - EPA blames CO2 emissions


Re: SpamAssassin is not a filter

2009-10-15 Thread LuKreme

On 15-Oct-2009, at 12:40, Adam Katz wrote:

They've been very gracious to our community so far,



Since they stopped trying to sue everyone?

No wait, they didn't stop, they just lost their lawsuits.

Yeah, not really seeing that 5 year legal battle with SpamArrest as
gracious, myself. I suspect SpamArrest and their more than $500,000 in
legal bills would agree. Neither would other victims of Hormel's sue-
happy camp of lawyers (EarthLink, Postini, et al).


Gracious?

--
I find your lack of faith disturbing.



Re: [SA] SpamAssassin is not a filter

2009-10-15 Thread Adam Katz
RW wrote:
>> So I suggest changing the wording of that paragraph to replace
>> "filter" with "classifier":
> 
> It can't do any harm, but I doubt it would make much difference because
> not many people would read it and I think most ordinary users regard
> it as a fairly pedantic distinction anyway.
> 
> If "SpamAssassin is not a filter", then "Ceci n'est pas une pipe".

The item of note is that SpamAssassin cannot direct mail between
folders or accounts and cannot delete mail.  It marks up messages that
qualify as "spam" and no more.

As to what specific word to say SA is or is not... we should use
whatever best states that to the largest portion of newcomers.
Hopefully there won't be too many differing opinions on what that is.

I'd personally go with "markup" or "flag" rather than "filter" or
"classifier" as I think it's harder to interpret those erroneously.

"SpamAssassin ... serves as a tool to flag incoming mail as spam."
or
"SpamAssassin ... serves as a mail markup tool to identify spam."

I like Kenneth's adjustment on the final sentence in that quote.


I also wouldn't capitalize "spam" unless referring to Hormel's brand
of canned products.  They've been very gracious to our community so
far, so I'd like to return the favor.  Losing the capitalization
implies use of the word as a dictionary word rather than a proper
noun.  Brands that have lost their place as a proper noun (e.g.
http://en.wikipedia.org/wiki/Xerox#Trademark ) risk losing their
trademark privileges.


Re: [sa] sneaky pharma spam shooting past standard rules

2009-10-15 Thread Charles Gregory


Ah, the old SPAN trick. I haven't seen it, so I imagine my old code is
still catching them. LOL

The key to this trick is the spammer tries to insert 'invisible' text.
Either very small font size, as in your example, or colors that match the
background, or both, so that the intended wording merely appears a little
'gappy' to the human eye. Also watch for use of the style 'visibility'
attribute with either DIV or SPAN. Usually appears in the same 'batch' of
spams :)

- Charles

On Thu, 15 Oct 2009, Jason Haar wrote:
> I just received what appeared to be a standard "certain north american
> country" pharma spam that went straight by rules I have that normally
> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
> blatantly shouting its wares.  Clever usage of SPANs appear to enable it
> to sneak straight by SA.
>
> http://pastebin.com/m56d2db96
>
> Is this something SA normally has components in place to catch/parse?
>
> --
> Cheers
>
> Jason Haar
> Information Security Manager, Trimble Navigation Ltd.
> Phone: +64 3 9635 377 Fax: +64 3 9635 417
> PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
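
SpamAssassin's rendered body sees the hidden filler characters as part of the words around them, which is why the SPAN trick slips past word-based rules: the filter is matching "VxqIAGzzRA" while the recipient reads "VIAGRA". The Python below is an added example, not code from the thread or from SpamAssassin, that parses the HTML with the standard-library HTMLParser, tracks hiding and background colour through nested elements, and splits the text into what the recipient would see and what the tricks Charles lists hide (tiny font, foreground colour matching the background, visibility:hidden, display:none). The sample message is constructed for the example; the style patterns and colour table are my own simplifications (inline styles only, no stylesheets, no CSS cascade).

```python
import re
from html.parser import HTMLParser

# Style tricks Charles lists, as regexes over an inline style attribute.
# Deliberate simplifications: no stylesheets, no cascade, no em units.
TINY_FONT = re.compile(r"font-size\s*:\s*(?:0|[0-3](?:\.\d+)?\s*(?:px|pt))(?![\w.])", re.I)
INVISIBLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
FG_COLOR = re.compile(r"(?<![\w-])color\s*:\s*(#[0-9a-f]{3,6}|[a-z]+)", re.I)
BG_COLOR = re.compile(r"background(?:-color)?\s*:\s*(#[0-9a-f]{3,6}|[a-z]+)", re.I)
NAMED = {"white": "#ffffff", "black": "#000000", "red": "#ff0000", "blue": "#0000ff"}
VOID = {"br", "img", "hr", "meta", "link", "input"}


def normalize_color(c):
    """Lower-case, expand names and #rgb shorthand so colours compare equal."""
    c = NAMED.get(c.strip().lower(), c.strip().lower())
    if re.fullmatch(r"#[0-9a-f]{3}", c):
        c = "#" + "".join(ch * 2 for ch in c[1:])
    return c


class HiddenTextParser(HTMLParser):
    """Split character data into text the recipient would see and text a
    style trick hides.  Hiding and background colour are inherited by
    nested elements through two parallel stacks."""

    def __init__(self, body_bg="white"):
        super().__init__()
        self.hidden_stack = []                      # one bool per open element
        self.bg_stack = [normalize_color(body_bg)]  # effective background colour
        self.visible, self.hidden = [], []

    def _hides(self, style, bg):
        if INVISIBLE.search(style) or TINY_FONT.search(style):
            return True
        m = FG_COLOR.search(style)
        return bool(m) and normalize_color(m.group(1)) == bg

    def handle_starttag(self, tag, attrs):
        if tag in VOID:
            return
        attrs = dict(attrs)
        style = attrs.get("style") or ""
        m = BG_COLOR.search(style)
        bg = normalize_color(m.group(1)) if m else self.bg_stack[-1]
        if attrs.get("bgcolor"):
            bg = normalize_color(attrs["bgcolor"])
        parent_hidden = self.hidden_stack[-1] if self.hidden_stack else False
        self.bg_stack.append(bg)
        self.hidden_stack.append(parent_hidden or self._hides(style, bg))

    def handle_endtag(self, tag):
        if tag in VOID or not self.hidden_stack:
            return
        self.hidden_stack.pop()
        self.bg_stack.pop()

    def handle_data(self, data):
        hidden = self.hidden_stack[-1] if self.hidden_stack else False
        (self.hidden if hidden else self.visible).append(data)


def split_hidden_text(html, body_bg="white"):
    """Return (visible_text, hidden_text) with whitespace collapsed.
    Visible fragments are concatenated without separators so a word split
    by hidden filler ('V' 'IAG' 'RA') is reassembled."""
    p = HiddenTextParser(body_bg)
    p.feed(html)
    p.close()
    visible = " ".join("".join(p.visible).split())
    hidden = " ".join(" ".join(p.hidden).split())
    return visible, hidden


def hidden_ratio(html, body_bg="white"):
    """Share of text characters the recipient would not see; 0.0 for clean HTML."""
    visible, hidden = split_hidden_text(html, body_bg)
    total = len(visible) + len(hidden)
    return len(hidden) / total if total else 0.0


# Constructed sample in the style Charles describes (not the pastebin message):
SAMPLE = ('<html><body bgcolor="#ffffff"><p>'
          'V<span style="font-size:1px">xq</span>IAG'
          '<span style="color:#fff">zz</span>RA '
          '<span style="visibility:hidden">buy now</span>now '
          '<div style="display:none">The quick brown fox</div>'
          'only $1.99</p></body></html>')

if __name__ == "__main__":
    print(split_hidden_text(SAMPLE))
    print("%.2f" % hidden_ratio(SAMPLE))
```

A rule built on this would score on hidden_ratio or on the reassembled visible text rather than on the raw body; the visible string is what a body rule for the drug name actually needs to see, and a high hidden share on its own is a usable signal since legitimate mail rarely hides most of its characters.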



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Rick Knight

John Hardin wrote:
> On Thu, 15 Oct 2009, Rick Knight wrote:
>> John Hardin wrote:
>>> Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f)
>>>  (79.163.117.156)
>>>   by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300
>>>
>>> You might want to consider instituting a HELO-no-dots reject at SMTP
>>> time on your MTA. That rejects a _ton_ of garbage here.
>>
>> What are you using to filter on HELO-no-dots?
>
> I'm using milter-regex. My sample config is here:
>
>   http://www.impsec.org/~jhardin/antispam/
>
> What is your MTA if it's not sendmail? It may have a similar
> capability built in.
>
>> I've looked at milter-regex, but I can't get it to build on my
>> slackware 12 system.
>
> That is surprising. What errors are you getting? (That's OT for SA,
> feel free to contact me directly if you want and I'll see if I can help.)

Thanks John,

I'm using Sendmail and I've built it with milter support. I've looked at
your milter-regex config and it looks like something I want to
implement. I downloaded milter-regex, but I can't get it to build. I'll
email you directly with the errors I'm getting.


Thanks,
Rick


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin

On Thu, 15 Oct 2009, Rick Knight wrote:
> John Hardin wrote:
>> Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f)
>>  (79.163.117.156)
>>   by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300
>>
>> You might want to consider instituting a HELO-no-dots reject at SMTP
>> time on your MTA. That rejects a _ton_ of garbage here.
>
> What are you using to filter on HELO-no-dots?

I'm using milter-regex. My sample config is here:

  http://www.impsec.org/~jhardin/antispam/

What is your MTA if it's not sendmail? It may have a similar capability
built in.

> I've looked at milter-regex, but I can't get it to build on my slackware
> 12 system.

That is surprising. What errors are you getting? (That's OT for SA, feel
free to contact me directly if you want and I'll see if I can help.)


--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Health Care _is_ a right - the government has no business keeping
  you from getting it. But forcing somebody else to pay for your
  health care at gunpoint (i.e. through taxation) is _not_ a right.
---
 14 days since a sunspot last seen - EPA blames CO2 emissions


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Benny Pedersen

On Thu 15 Oct 2009 06:08:02 PM CEST, John Hardin wrote
> The spans do look suspicious, I'm putting a rule into my sandbox...


wonder if google knows about a tilde r user in the server

2 tilde chars in the url

double //

tidy finds some errors in html

--
xpoint



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Benny Pedersen

On Thu 15 Oct 2009 05:44:30 PM CEST, Jari Fredriksson wrote
> http://pastebin.com/m56d2db96


spruceclose dot com redirect

listed in a number of bl now

from equal replyto

badrelay

--
xpoint



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Rick Knight

John Hardin wrote:
> On Thu, 15 Oct 2009, Jason Haar wrote:
>> I just received what appeared to be a standard "certain north american
>> country" pharma spam that went straight by rules I have that normally
>> catch it. Within Thunderbird (and any other HTML-capable MUA) it's
>> blatantly shouting its wares.  Clever usage of SPANs appear to enable it
>> to sneak straight by SA.
>>
>> http://pastebin.com/m56d2db96
>
>    Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f)
>    (79.163.117.156)
>      by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300
>
> You might want to consider instituting a HELO-no-dots reject at SMTP
> time on your MTA. That rejects a _ton_ of garbage here.
>
> The spans do look suspicious, I'm putting a rule into my sandbox...

John,

What are you using to filter on HELO-no-dots? I've looked at milter-regex,
but I can't get it to build on my slackware 12 system.


Thanks,
Rick


RE: exclude domain from server-wide

2009-10-15 Thread Spamassassin List
>> How do I exclude a domain from a server-wide environment?
>> 
>> 
> with magic words ? *g
>
> describe your mail spamassassin server setup ( cause there are 
> thousend ways which it might be implemented at your side ), then you 
> might get an answer

I am running a qmail + simscan + spamassassin + clamav on a centos 5.3.

Regards



Re: SpamAssassin is not a filter

2009-10-15 Thread RW
On Wed, 14 Oct 2009 17:24:03 -0700
Kenneth Porter  wrote:

> So I suggest changing the wording of that paragraph to replace
> "filter" with "classifier":

It can't do any harm, but I doubt it would make much difference because
not many people would read it and I think most ordinary users regard
it as a fairly pedantic distinction anyway.

If you were to say that someone was sent to prison by a DNA test, it's
not literally true, but you wouldn't expect to be corrected.

> I suspect the term "filter" was used because SA is indeed a "filter"
> in the unix sense of a program that runs in a pipeline that
> transforms its input. 


If "SpamAssassin is not a filter", then "Ceci n'est pas une pipe".


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread John Hardin

On Thu, 15 Oct 2009, Jason Haar wrote:


I just received what appeared to be a standard "certain north american
country" pharma spam that went straight by rules I have that normally
catch it. Within Thunderbird (and any other HTML-capable MUA) it's
blatantly shouting its wares.  Clever usage of SPANs appear to enable it
to sneak straight by SA.

http://pastebin.com/m56d2db96


Received: from public30108.xdsl.centertel.pl (HELO marcin-8963fd6f) (79.163.117.156)
  by mailsrv1.trimble.co.nz with SMTP; 16 Oct 2009 04:09:42 +1300

You might want to consider instituting a HELO-no-dots reject at SMTP time 
on your MTA. That rejects a _ton_ of garbage here.


The spans do look suspicious, I'm putting a rule into my sandbox...

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Users mistake widespread adoption of Microsoft Office for the
  development of a document format standard.
---
 14 days since a sunspot last seen - EPA blames CO2 emissions
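The "HELO-no-dots reject at SMTP time" John describes above, written out as a small policy function. This is an added example, not code from the thread or from SpamAssassin or Postfix; the function name `helo_verdict`, the regex and the sample HELO strings are this example's own. It goes slightly beyond the plain no-dot check: RFC 5321 allows a HELO argument to be either a fully qualified hostname or an address literal such as `[192.0.2.1]` or `[IPv6:2001:db8::1]`, and an IPv6 literal contains no dot at all, so a bare "reject anything without a dot" rule would turn away a legitimate (if rare) client. The example accepts well-formed address literals, rejects dotless names and unbracketed bare IPs, and returns the 554 code an MTA access table would typically use.

```python
"""Added example (not from the mailing-list thread): a HELO/EHLO policy
check in the spirit of a "HELO-no-dots" reject, extended to handle the
address-literal edge case that a plain no-dot regex would get wrong.
Names (helo_verdict, FQDN_RE) and sample inputs are this example's own."""
import ipaddress
import re
from typing import Tuple

# A syntactically plausible FQDN: two or more dot-separated DNS labels,
# each 1..63 chars of [a-z0-9-] not starting or ending with a hyphen.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)

ACCEPT = 250   # SMTP "ok" code
REJECT = 554   # permanent rejection, as an access table would return


def helo_verdict(helo: str) -> Tuple[int, str]:
    """Return (SMTP code, reason) for a HELO/EHLO argument.

    Accepts: well-formed address literals and dotted hostnames.
    Rejects: empty names, dotless names (can never be an FQDN),
             unbracketed bare IP addresses, malformed literals and
             names that are not syntactically valid hostnames."""
    helo = helo.strip()
    if not helo:
        return REJECT, "empty HELO argument"

    # Address literal: [IPv4] or [IPv6:...]. Accept only if it parses.
    if helo.startswith("[") and helo.endswith("]"):
        inner = helo[1:-1]
        if inner.lower().startswith("ipv6:"):
            inner = inner[5:]
        try:
            ipaddress.ip_address(inner)
            return ACCEPT, "address literal"
        except ValueError:
            return REJECT, "malformed address literal"

    # The core "no dots" rule: a single label cannot be an FQDN.
    if "." not in helo:
        return REJECT, "HELO has no dots and cannot be a fully qualified name"

    # Dotted, but actually a bare IP without brackets: also not valid.
    try:
        ipaddress.ip_address(helo)
        return REJECT, "bare IP address without brackets"
    except ValueError:
        pass

    if not FQDN_RE.match(helo):
        return REJECT, "not a syntactically valid hostname"
    return ACCEPT, "ok"


if __name__ == "__main__":
    # Constructed sample HELO arguments, including the one from the
    # Received header quoted earlier in the thread.
    for sample in ("marcin-8963fd6f", "mailsrv1.trimble.co.nz",
                   "[79.163.117.156]", "[IPv6:2001:db8::1]",
                   "79.163.117.156", "[999.1.1.1]", ""):
        code, reason = helo_verdict(sample)
        print(f"{sample!r:28} -> {code} {reason}")
```

The bare IP check comes after the no-dot check on purpose: a dotted-quad HELO without brackets has dots, so a no-dot rule alone would let it through even though it is not a valid HELO argument either.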


Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Jason Haar
On 10/15/2009 09:44 AM, Jari Fredriksson wrote:
>
> Spam detection software, running on the system
> "wellington.fredriksson.dy.fi", has
> identified this incoming email as possible spam.  The original message
> ...

I assume you are trying to imply that SA does catch it. Well it has been
a while since *I* received it, and I guess it's now showing up in RBLs
(which is where all your score came from). What I was trying to ask
(poorly) was that I have a tonne of third-party add-on rules that catch
based on text-matching, and they are all failing due to those sneaky
 tricks it uses. I thought SA had an HTML parser that attempts to
remove some HTML tricks, and so was asking why SA was missing those. If
I edit that message and remove the SPAN-trick, suddenly text-rules
trigger all over the place.

Hopefully that makes more sense :-)

PS: L_TAB_IN_FROM is a new one on me

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
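Jason's point above is that body text rules fail when the words they match are broken up by SPAN elements whose contents are not rendered, and that the same rules fire once the SPANs are stripped. The following is an added example, not code from the thread or from SpamAssassin's own HTML handling, showing the defensive side: extract the text as a mail client would render it (dropping subtrees hidden with `display:none`, `visibility:hidden` or a zero font size) before running a text rule over it. The assumption that the junk letters sit in hidden SPANs is this example's own reading of the content preview; the sample HTML, the `RenderedText` parser and the `PHARMA_RULE` regex are all constructed for the example.

```python
"""Added example (not from the thread or from SpamAssassin): render-aware
text extraction so that body rules see words the way an HTML MUA shows
them, not the way they are split in the raw markup. The sample HTML is
constructed to mimic the "hidden junk inside SPANs" trick; the exact
technique used by the original spam is an assumption."""
from html.parser import HTMLParser
import re

# Inline styles that make an element's text invisible to the reader.
HIDDEN_STYLE_RE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|font-size\s*:\s*0+(?:\.0+)?\s*(?:px|pt|em|%)?\s*(?:;|$)",
    re.IGNORECASE,
)
NON_RENDERED_TAGS = {"script", "style", "head", "title"}
BLOCK_TAGS = {"p", "div", "br", "tr", "li", "td", "th", "table", "h1", "h2", "h3"}
VOID_TAGS = {"br", "img", "hr", "input", "meta", "link"}


class RenderedText(HTMLParser):
    """Collects text that would actually be visible in a rendered view."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []        # (tag, is_hidden) for currently open elements
        self.hidden_depth = 0  # > 0 while inside any hidden subtree
        self.parts = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")  # block boundaries separate words
        if tag in VOID_TAGS:
            return                  # no end tag will follow
        attr = dict(attrs)
        hidden = (tag in NON_RENDERED_TAGS
                  or "hidden" in attr
                  or bool(HIDDEN_STYLE_RE.search(attr.get("style") or "")))
        self.stack.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self.parts.append(" ")
        if not any(t == tag for t, _ in self.stack):
            return                  # stray end tag: ignore
        while self.stack:           # pop to the matching open tag
            t, hidden = self.stack.pop()
            if hidden:
                self.hidden_depth -= 1
            if t == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.parts.append(data)

    def text(self):
        return re.sub(r"\s+", " ", "".join(self.parts)).strip()


def rendered_text(html):
    """Visible text of an HTML fragment, whitespace-normalised."""
    p = RenderedText()
    p.feed(html)
    p.close()
    return p.text()


def naive_text(html):
    """What a rule sees if tags are merely stripped: hidden junk survives."""
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", "", html)).strip()


# A body rule of the kind that stops firing when the phrase is split up.
PHARMA_RULE = re.compile(r"\bcanadian\s+pharmacy\b", re.IGNORECASE)


def rule_hits(text):
    return PHARMA_RULE.search(text) is not None


# Constructed sample (not the original spam): junk letters in hidden SPANs.
SAMPLE_HTML = (
    '<html><body><p>All customers know that '
    '<span>Can</span><span style="display:none">cfl</span><span>adian</span> '
    '<span>Pha</span><span style="font-size:0px">tgj</span><span>rmacy</span> '
    'online <span>dru</span><span style="visibility:hidden">kjw</span>'
    '<span>gstore</span> is the cheapest place.</p></body></html>'
)

if __name__ == "__main__":
    print("naive   :", naive_text(SAMPLE_HTML), "->", rule_hits(naive_text(SAMPLE_HTML)))
    print("rendered:", rendered_text(SAMPLE_HTML), "->", rule_hits(rendered_text(SAMPLE_HTML)))
```

Running it shows the rule missing the naively stripped text ("Cancfladian Phatgjrmacy") and hitting the rendered text ("Canadian Pharmacy"). Colour-on-colour hiding (white text on a white background) is not handled here; detecting that needs the computed colours of both element and background, which is beyond an inline-style check.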



Re: sneaky pharma spam shooting past standard rules

2009-10-15 Thread Jari Fredriksson



On 15.10.2009 18:38, Jason Haar wrote:

I just received what appeared to be a standard "certain north american
country" pharma spam that went straight by rules I have that normally
catch it. Within Thunderbird (and any other HTML-capable MUA) it's
blatantly shouting its wares.  Clever usage of SPANs appear to enable it
to sneak straight by SA.

http://pastebin.com/m56d2db96

Is this something SA normally has components in place to catch/parse?




Spam detection software, running on the system
"wellington.fredriksson.dy.fi", has
identified this incoming email as possible spam.  The original message
has been attached to this so you can view it (if it isn't spam) or label
similar future email.  If you have any questions, see
the administrator of that system for details.

Content preview:  All customers know that �Can cfl adia gp nPha
tgj rmacy�
   online dru kjw gstore is the cheapest place to buy me co dica iih
tions online.
   Now it is confirmed by the results of survey taken by the Independent He
  lxq alth Orga cqp nization. [...]

Content analysis details:   (20.2 points, 5.0 required)

 pts rule name              description
---- ---------------------- --------------------------------------------------
 1.0 RCVD_IN_BRBL_LASTEXT   RBL: Received via a relay in Barracuda BRBL
                            [79.163.117.156 listed in bb.barracudacentral.org]
 0.9 RCVD_IN_PBL            RBL: Received via a relay in Spamhaus PBL
                            [79.163.117.156 listed in zen.spamhaus.org]
 1.7 RCVD_IN_HOSTKARMA_BL   RBL: HostKarma: relay in black list
                            [79.163.117.156 listed in hostkarma.junkemailfilter.com]
 0.0 PRICES_ARE_AFFORDABLE  BODY: Message says that prices aren't too expensive
 0.3 KHOP_HELO_FCRDNS       Relay HELO differs from its IP's reverse DNS
 1.2 KHOP_2IPS_RCVD         Received: Relay identifies itself as wrong IP
 6.0 L_TAB_IN_FROM          L_TAB_IN_FROM
 4.0 BOTNET                 Relay might be a spambot or virusbot
                            [botnet0.8,ip=79.163.117.156,rdns=public30108.xdsl.centertel.pl,maildomain=ooshop.com,client,ipinhostname,clientwords]
 2.0 BAYES_80               BODY: Bayesian spam probability is 80 to 95%
                            [score: 0.9231]
 1.0 HTML_MESSAGE           BODY: HTML included in message
 2.0 KHOP_DNSBL_BUMP        Hits a trusted non-overlapping DNSBL

The original message was not completely plain text, and may be unsafe to
open with some email clients; in particular, it may contain a virus,
or confirm that your address can receive spam.  If you wish to view
it, it may be safer to save it to a file and open it with an editor.


--
http://www.iki.fi/jarif/




sneaky pharma spam shooting past standard rules

2009-10-15 Thread Jason Haar
I just received what appeared to be a standard "certain north american
country" pharma spam that went straight by rules I have that normally
catch it. Within Thunderbird (and any other HTML-capable MUA) it's
blatantly shouting its wares.  Clever usage of SPANs appear to enable it
to sneak straight by SA.

http://pastebin.com/m56d2db96

Is this something SA normally has components in place to catch/parse?

-- 
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1



Re: SpamAssassin is not a filter

2009-10-15 Thread Ted Mittelstaedt

Kenneth Porter wrote:

From :



SpamAssassin is a mature, widely-deployed open source project that serves
as a mail filter to identify Spam. SpamAssassin uses a variety of
mechanisms including header and text analysis, Bayesian filtering, DNS
blocklists, and collaborative filtering databases. SpamAssassin runs on a
server, and filters spam before it reaches your mailbox.


One of the frequent complaints from end users is that SA blocked some 
mail. And the standard answer is that SA doesn't block mail; some 
*other* program uses the results of SA's analysis to filter mail.


So I suggest changing the wording of that paragraph to replace "filter" 
with "classifier":



SpamAssassin is a mature, widely-deployed open source project that serves
as a mail classifier to identify Spam. SpamAssassin uses a variety of
mechanisms including header and text analysis, Bayesian filtering, DNS
blocklists, and collaborative filtering databases. SpamAssassin runs on a
server, allowing other programs to filter spam before it reaches your
mailbox.


I suspect the term "filter" was used because SA is indeed a "filter" in 
the unix sense of a program that runs in a pipeline that transforms its 
input. But that's a technical detail that doesn't really describe what 
SA *does*.


I would submit that when the typical end-user reads the above 
description of SA that it gets over their head and they stop reading
somewhere right after "...open source project that serves..."

If end users are complaining that SA blocked mail it's because the
admin, for reasons of linguistic convenience, has elected to use
easily-understood verbiage when describing how the e-mail system
works.

Users like it simple.  They don't want to be told that "a collection
of programs made a group decision to block that message"   They don't
want to be told "well, this program is a classifier, this program
is a transfer program, this program moves mail around as a result of
earlier classifiers" etc. etc.

They want to be told "your mail was blocked by a 'thang' and if you're
missing mail, tell us about it"

If the admin substitutes the name SpamAssassin for "thang" then of
course the users will complain about SA.

Ted



Re: dns query timed out while sa-update

2009-10-15 Thread wild_oscar



Karsten Bräckelmann-2 wrote:
> 
> 
> A good first attempt would be, to ask the opendns DNS servers directly,
> getting rid of the router in the picture.
> 
>   $ dig @208.67.222.222 5.2.3.updates.spamassassin.org txt
> 

Yes, that one I had already tried and works.

Also, using that opendns' server as nameserver in resolve.conf also solves
the issue.

I might leave it at that. The problem that I've been scratching my head
about is why does it work when using the nameserver directly but not when
using the router's IP address, which is forwarding to the same address.
It might be a problem with the router, although it is a brand new d-link
dva-g3170i.

-- 
View this message in context: 
http://www.nabble.com/dns-query-timed-out-while-sa-update-tp21604925p25909141.html
Sent from the SpamAssassin - Users mailing list archive at Nabble.com.



Re: exclude domain from server-wide

2009-10-15 Thread Robert Schetterer
Spamassassin List schrieb:
> Hi,
> 
> How do I exclude a domain from a server-wide environment?
> 
> regards
> 
> 
> 
with magic words ? *g

describe your mail spamassassin server setup ( cause there are thousand
ways which it might be implemented at your side ), then you might get an
answer

-- 
Best Regards

MfG Robert Schetterer

Germany/Munich/Bavaria


exclude domain from server-wide

2009-10-15 Thread Spamassassin List
Hi,

How do I exclude a domain from a server-wide environment?

regards





Date in report safe page

2009-10-15 Thread Jari Fredriksson


It seems that SpamAssassin attaches the Date header from the original
(attached) email when it creates the announcement email.

Would it be better to create a new current Date for the "new" email? The
idea here is to fix forged Date, as it often is. I sort my mail with
Date, and hate when the spammer gets to manipulate my email list.

Dumb idea?

--
http://www.iki.fi/jarif/

Your domestic life may be harmonious.




Re: Mismarked Ham

2009-10-15 Thread Matus UHLAR - fantomas
> > What makes you think any of the rules are incorrect? A score of 6.1 is not
> > 100% (or even 99%, IIRC) spam.

On 14.10.09 22:40, MySQL Student wrote:
> Incorrect in that at least one of the rules fired when they should not
> have, making the valid email to be marked as spam.

Or maybe they didn't fire when they should have.
Or maybe the scores are not properly set.

However, I advised you to upgrade Mail::DKIM.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Save the whales. Collect the whole set.


Re: Mismarked Ham

2009-10-15 Thread Matus UHLAR - fantomas
> On 14-Oct-2009, at 19:40, MySQL Student wrote:
>> Which rule(s) is then incorrect? What is the right solution here? Is
>> the only option to whitelist the user?

On 14.10.09 19:54, LuKreme wrote:
> What makes you think any of the rules are incorrect? A score of 6.1 is  
> not 100% (or even 99%, IIRC) spam.
>
> your spam test were:
>
> X-Spam-Status: Yes, hits=6.1 tag1=-300.0 tag2=5.0 kill=5.0
>  use_bayes=1 tests=BAYES_00, DKIM_SIGNED, EXTRA_MPART_TYPE,  
> FREEMAIL_FROM,
>  HTML_MESSAGE, L_UNVERIFIED_GMAIL, PART_CID_STOCK, RELAYCOUNTRY_HIGH,
>  RELAYCOUNTRY_US, SPF_HELO_PASS, SPF_PASS, TVD_FW_GRAPHIC_NAME_LONG,
>  T_TVD_FW_GRAPHIC_ID1
>
> there's a couple of things here.
>
> First, for some reason you have DKIM_SIGNED but not DKIM_VERIFIED, which 
> seems odd as this looks like a legit gmail message with a legit DKIM 
> signature. So there's one thing to check.

I think there was a problem with the DKIM package in the past, resulting in
exactly this problem. OP should upgrade his Mail::DKIM module.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...