sought rules
Have I missed something? I used to pull the sought rules daily, but nothing seems to have changed since 2 Nov. Is that expected behaviour? ==John ffitch
RE: [Fwd: Re: Getting off the Cloudmark formerly spamnet blacklist]
Michael Scheidell wrote:
> ...[omitted]...

If our clients were DELIBERATELY spamming, say they thought they were going to send out a marketing mail or some such, then you would be correct. But they were not. They were simply using the largest software company on Earth's products - Microsoft - like everyone else in the world who has those products does. I have a Mac G4 running OSX sitting on my desk here, next to my Windows box. I also have a FreeBSD system running FreeBSD6 and firefox 3 in the other room. On either of those systems I could have done EXACTLY THE SAME THING that the user at this client who got cracked into did - I could have opened the same e-mails, gone to the same websites, etc. - and I WOULDN'T have been cracked.

So, explain again why this was THEIR fault? Don't you think that the botnet writer has just a tiny tiny bit of blame here? What about the software developer being paid more money than God sitting up in a nice comfortable office in Redmond who wrote that piece of shit that our client was using, and included dozens of security holes that are exploited by botnet writers, don't you think that HE has just a tiny tiny bit of culpability? Every other current production operating system on the face of the earth doesn't seem to be regularly hijacked by spammers. So, why are you going to give Microsoft a pass? Why exactly is it that when a user of Microsoft Windows doesn't apply patches that it's their fault when their system is cracked? What exactly do you think a patch IS? If their system had been written properly in the beginning it wouldn't need to be patched.

If they weren't logged in as administrator - which is necessary for Windows desktop systems since most Windows software developers are shit-ass lazy bastards who ignore the Microsoft directives about writing usermode programs so they don't have to run as the root, I mean administrative, user to get any functionality out of them - then even if they had been cracked it would only be their profile trashed, and the bot wouldn't go any further. If you write software for Apple and you do it in such a way that your MacOS X software requires root access to run, then if your software gets ANY amount of visibility, you will get a call from Apple politely trying to educate you, and if you ignore this then they get nasty, and if you ignore that, then they publicly speak against your software - and then all the Apple users will stop buying your shit, and you will be out of business. What, you think Microsoft has LESS pull than Apple in this area, and couldn't do the same thing?

In the last 3-4 years there's been less than 5 root-exploitable holes in Apache - which is arguably the most popular UNIX program ever, and is installed on the most Unix systems in the world - yet Apache isn't even installed on all of them. I can't remember when the last root-exploit came out for a program that is enabled on FreeBSD out of the box - it might have been the Telnet bug so many years ago. Yet, every week there's DOZENS of security patches that MS releases for XP and Vista and soon, Windows 7. So, please save your moralizing. Microsoft is the richest software company in the world, they get PAID REAL MONEY by everyone that uses their crap - yet they can't produce a secure OS to save their lives. By contrast, Debian, Ubuntu, FreeBSD, OpenBSD - all UNPAID, and all ROUTINELY release OSes that are not attackable by botnets. And Apple used FreeBSD as its base for Darwin - and they ALSO have no problems in this regard either. Please, name 5 viruses that routinely attack MacOSX.

Our clients retain outside expertise because THEY KNOW THEY ARE BONEHEADS when it comes to software. And, you're expecting boneheads to actually see through the ten thousand tons of marketing BULLCRAP that Microsoft's bowel movements dump on the business world every year, claiming their stuff is so great, so secure, so all-fired-wonderful? You say the world really needs to protect itself from botnets? Jesus, I think the world REALLY needs to protect itself from MICROSOFT. They OBVIOUSLY have absolutely NO SENSE WHATSOEVER of responsibility for the piece-o-shit, holey as Swiss cheese, crapware that they stick up the collective ass of the world's businesses every year. I can almost excuse the botnet writers - they at least are amoral sociopaths and are doing EXACTLY as I would expect criminals to behave. But, Microsoft couldn't be more two-faced if every one of their employees had eyes, ears, nose and a mouth on the back of their heads. They EVEN HAD a secure security model - remember NT 3.51? You know, the ONLY version of Windows where ring 0 was separated from usermode programs? And they chucked that out with NT4 when they pushed the video system into ring 0 so that crap-ass games could run faster. Who cares that it allowed malware to take over the system.
Re: Regex Question
* rahlqu...@gmail.com rahlqu...@gmail.com:
> As said before blocking at the MTA would be less resource intensive but I want the whole message to feed bayes.

But you already KNOW you don't want that stuff :) No need to poison your bayesdb with that...

> As for Ralf and his lightly gruff response, it's to be expected when asking for help on the net and I grew my thick skin 8 years ago asking questions on setting up SMTP Auth on the Sendmail list. Compared to some of the folks there Ralf nearly blew me a kiss.

I was not trying to be rude. I just want to keep things simple.

-- 
Ralf Hildebrandt
IT Division | Network Department
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
ralf.hildebra...@charite.de | http://www.charite.de
Re: Development dead
On 04.11.2009 / 09:20:16 -0500, Bowie Bailey wrote:
> polloxx wrote:
> > Hi, Is the spamassassin development dead? On the website there's: 2008-06-12: SpamAssassin 3.2.5 has been released.
>
> Not quite. If you look at svn, you'll see this:
>
> spamassassin_20091103151200.tar.gz    03-Nov-2009 15:12    2.1M
>
> Doesn't look dead to me! :)

Hello! Can you please post a full URL to this archive? Since http://svn.apache.org/snapshots/spamassassin/ doesn't have it.
possible Kerio msg-id bork
Anybody here using some flavour of Kerio Mail Server... pls get back to me, offlist! thanks AXB
Re: Development dead
Anatoly Pugachev wrote:
> On 04.11.2009 / 09:20:16 -0500, Bowie Bailey wrote:
> > ...[omitted]...
>
> Hello! Can you please post a full URL to this archive? Since http://svn.apache.org/snapshots/spamassassin/ doesn't have it.

The snapshots directory is automatically built and old versions are purged. The November 3rd image is gone. Now we've got ones from the 10th and 11th. By the time you look at it again, these might be gone and newer ones may have replaced them.

[ ] spamassassin_20091110151200.tar.gz    10-Nov-2009 15:12    2.1M
[ ] spamassassin_20091110211200.tar.gz    10-Nov-2009 21:12    2.1M
[ ] spamassassin_2009031200.tar.gz    11-Nov-2009 03:12    2.1M
[ ] spamassassin_2009091200.tar.gz    11-Nov-2009 09:12    2.1M

However, if you're really just looking to gauge development activity, it would be better to look at the list archives of all the SVN commits.

http://mail-archives.apache.org/mod_mbox/spamassassin-commits/

or, for the current month of November 2009, sorted by date:

http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200911.mbox/date
Re: sought rules
john ffitch wrote:
> Have I missed something? I used to pull the sought rules daily, but nothing seems to have changed since 2 Nov. Is that expected behaviour?

No, that's not expected behavior...

On Thu, 5 Nov 2009, Justin Mason wrote:
> Right now, SOUGHT appears to be broken. I need to get to where the server is currently and fix it -- I don't have remote login to it at the mo :(

And that's about all we know at the moment.

-- 
Bowie
RE: JMF_W URIBL_BLACK
This just becomes increasingly important when management drops an email in the "Put Spam Here" folder for training that clearly isn't spam, but something they've subscribed to, like a newsletter. For the email that even I question sometimes, I'd like to be able to give them a definitive answer as to why it is or isn't spam.

This week, the president of the company told me to "Block all emails with 'deserve' in it!" *sigh* I had to school him on the fine art of antispam techniques with examples like:

We deserve better servers..
Our health care coverage deserves to be fired...
The IT guys deserve a raise...

:)

--Chris
Re: JMF_W URIBL_BLACK
On 11.11.09 09:34, Chris Santerre wrote:
> This just becomes increasingly important when management drops an email in the "Put Spam Here" folder for training that clearly isn't spam, but something they've subscribed to, like a newsletter. For the email that even I question sometimes, I'd like to be able to give them a definitive answer as to why it is or isn't spam.
>
> This week, the president of the company told me to "Block all emails with 'deserve' in it!" *sigh* I had to school him on the fine art of antispam techniques with examples like:
>
> We deserve better servers..
> Our health care coverage deserves to be fired...
> The IT guys deserve a raise...

I really wonder if THESE did convince him of NOT blocking such e-mail ;-)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Spam is for losers who can't get business any other way.
Re: Hostkarma: to be or not to be in SA defaults
On Thursday 01 October 2009 Marc Perkel wrote:
> I guess that if HOSTKARMA were included in the default build then I will need more mirrors to handle the load.

If that is wanted, I could talk to ISPs for hosting such DNS here in Austria. After all, we are all getting advantages from this, and as long as it's a free service, I can offer free mirrors.

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc - http://it-management.at
// Tel: 0660 / 415 65 31 .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net Key-ID: 1C1209B4
Re: false positive on hostkarma blacklist
On Wednesday 21 October 2009 Marc Perkel wrote:
> Michael Monnerie wrote:
> > http://ipadmin.junkemailfilter.com/remove.php?ip=62.40.128.130
> > Just received this FP from a customer. That IP is indeed an MX for kabsi.at, a big cable provider in Austria. Please put it on YELLOW.

Please, Marc, you fixed above IP, but now this one is on the blacklist: 62.40.128.131

It's the following IP, and the reverse shows
62.40.128.130 mx02.kabsi.at
62.40.128.131 mx04.kabsi.at

When someone reports an ISP, and they name their MX in a very readable way, you should automatically check for mx01 and mx03, mx05, ... automatically:
195.202.128.130 mx03.kabsi.at
195.202.128.131 mx05.kabsi.at

Please put all these on YELLOW.

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc - http://it-management.at
// Tel: 0660 / 415 65 31 .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net Key-ID: 1C1209B4
Re: false positive on hostkarma blacklist
Another FP, reported some Monday from a customer:
212.62.57.38 == mtaout3.isp.ptt.rs

Which is a clear sign for an ISP. So please, again, check also their mtaout1 ... mtaout9 or whatever and include all these in YELLOW.

Also, I've offered you a list of ISPs MX from Austria. We have an ISP Association ( www.ispa.at ), and they keep that list actual. Do you want that for your YELLOW list? Maybe you can subscribe for receiving updates automatically, too...

Regards, zmi
-- 
// Michael Monnerie, Ing.BSc - http://it-management.at
// Tel: 0660 / 415 65 31 .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38 500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net Key-ID: 1C1209B4
Re: sought rules
On Wed, Nov 11, 2009 at 14:04, Bowie Bailey bowie_bai...@buc.com wrote:
> ...[omitted]...

Yep -- sorry -- I got to reboot the server, but it appears to have not fixed the problem. Right now I'm not likely to be able to perform more investigation for a week or two. :( Sorry about this -- the perils of volunteer infrastructure!

-- 
--j.
Re: sought rules
Justin Mason wrote:
> Yep -- sorry -- I got to reboot the server, but it appears to have not fixed the problem. Right now I'm not likely to be able to perform more investigation for a week or two. :( Sorry about this -- the perils of volunteer infrastructure!

No problem. I've set scores for all the JM_SOUGHT* rules to zero until I start seeing updates again.

-- 
Bowie
Re: sought rules
Hi,

> Yep -- sorry -- I got to reboot the server, but it appears to have not fixed the problem. Right now I'm not likely to be able to perform more investigation for a week or two. :( Sorry about this -- the perils of volunteer infrastructure!

Where is it physically located? Isn't there someone in the area that you trust, or could trust, to go and fix it? I guess if there was, you would have done that, but I'm sure you could find some volunteers to put it up in a more centrally-located or managed location for the future, if you'd like.

Off-site backup? At the least, I'm sure someone could contribute there. I've got a few servers, and would be happy to provide remote ssh/rsync access to someone, should you like.

Best regards,
Alex
spamd SIGCHLD
Dear Sirs,

In reviewing log of SA I found that there are many messages of this type:

[22109] info: spamd: handled cleanup of child pid 22384 due to SIGCHLD

What is causing these messages?

SA is installed on the server: ML110 G4 Intel(R) Pentium(R) D CPU 2.80GHz 1GB RAM

spamd options:
/usr/bin/spamd -v -u vpopmail -m 10 -x -q -s stderr -r /var/run/spamd/spamd.pid -i 172.16.10.20 -A 172.16.10.0/24 2>&1 | \

Thanks
Jose Luis
Re: sought rules
On Wed, 11 Nov 2009 12:09:09 -0500, you wrote:
> ...[omitted]...

True... what do you need to host this thing... if I can help out with space/bandwidth I'd be willing. I've got a couple linux boxes here that I could give you some space on.

George
-- 
===[George R. Kasica]===
+1 262 677 0766 President
+1 206 374 6482 FAX
Netwrx Consulting Inc.
Jackson, WI USA
http://www.netwrx1.com
geor...@netwrx1.com
ICQ #12862186
sa-learn runs, but doesn't seem to learn anything
Following some corruption issue in my bayes database I have deleted all the bayes* files and set about relearning. This looks promising:

# /kolab/bin/sa-learn --dbpath /kolab/var/amavisd/.spamassassin --ham /kolab/var/imapd/spool/domain/e/example.com/s/shared^learn-ham
Learned tokens from 962 message(s) (963 message(s) examined)

but immediately afterwards I get this:

# /kolab/bin/sa-learn --dbpath /var/kolab/amavisd/.spamassassin --dump magic
netset: cannot include 127.0.0.1/32 as it has already been included
0.000          0          3          0  non-token data: bayes db version
0.000          0        321          0  non-token data: nspam
0.000          0          1          0  non-token data: nham
0.000          0      13493          0  non-token data: ntokens
0.000          0 1257931035          0  non-token data: oldest atime
0.000          0 1257932330          0  non-token data: newest atime
0.000          0 1257932333          0  non-token data: last journal sync atime
0.000          0 1257931036          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

So what happened to the other 961 pieces of ham I've supposedly learnt from? Or have I misunderstood what --dump magic returns? How do I get up to the required 200 in these circumstances?

Ta
-- 
Chris
Re: sa-learn runs, but doesn't seem to learn anything
Hi,

> # /kolab/bin/sa-learn --dbpath /kolab/var/amavisd/.spamassassin --ham
> # /kolab/bin/sa-learn --dbpath /var/kolab/amavisd/.spamassassin --dump magic

Aren't you looking in the wrong place for the files you've just learned?

Regards,
Alex
RE: spamd SIGCHLD
Dear Sir,

Some additional data. I am running debugging and got these messages:

@40004afb1ab22375c434 [12572] info: prefork: child states: III
@40004afb1ab22375d7bc [12572] dbg: prefork: child 13018: entering state 3
@40004afb1ab22375e75c [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223aa9b8c [12572] dbg: prefork: adjust: decreasing, too many idle children (3 > 2), killed 13018
@40004afb1ab223d2d46c [12572] dbg: prefork: child 13018: just exited
@40004afb1ab223d2e7f4 [12572] dbg: prefork: child 13018: entering state 4
@40004afb1ab223d2fb7c [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223d30b1c [12572] info: spamd: handled cleanup of child pid 13018 due to SIGCHLD
@40004afb1ab223d31ea4 [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223d3322c [12572] dbg: prefork: child closed connection
@40004afb1ab223d341cc [12572] info: prefork: child states: II

Any comments?

Thanks
Jose Luis

From: jolumape...@hotmail.com
To: users@spamassassin.apache.org
Subject: spamd SIGCHLD
Date: Wed, 11 Nov 2009 12:49:22 -0500

> ...[omitted]...
Re: spamd SIGCHLD
Jose Luis Marin Perez wrote:
> Dear Sir,
>
> Some additional data. I am running debugging and got these messages:
>
> ...[omitted]...
>
> Any comments?

This is just the normal child cleanup. You have set a maximum of 2 idle children, so when there were 3, it killed one. This happens constantly as new children are created and old children are removed.

-- 
Bowie
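An added example (not from the thread) that does the triage Bowie describes by hand: it pairs each "handled cleanup ... due to SIGCHLD" line with the master's own "adjust: decreasing ... killed <pid>" decision, so a log reviewer can tell routine max-spare reaping from a child that died on its own, and it flags the "child states" snapshots that trigger the reaping. The log lines are constructed to match the format quoted above; max_spare=2 assumes spamd's default --max-spare, and any state letter other than 'I' is treated as not idle.

```python
import re

# Constructed sample in the format the thread shows (multilog-style "@..."
# stamps, master pid in brackets, prefork debug output). The last two lines
# are invented: a cleanup with no preceding "killed" decision, for contrast.
SAMPLE_LOG = """\
@40004afb1ab22375c434 [12572] info: prefork: child states: III
@40004afb1ab22375d7bc [12572] dbg: prefork: child 13018: entering state 3
@40004afb1ab22375e75c [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223aa9b8c [12572] dbg: prefork: adjust: decreasing, too many idle children (3 > 2), killed 13018
@40004afb1ab223d2d46c [12572] dbg: prefork: child 13018: just exited
@40004afb1ab223d2e7f4 [12572] dbg: prefork: child 13018: entering state 4
@40004afb1ab223d30b1c [12572] info: spamd: handled cleanup of child pid 13018 due to SIGCHLD
@40004afb1ab223d341cc [12572] info: prefork: child states: II
@40004afb1ab300001000 [12572] info: prefork: child states: IB
@40004afb1ab300002000 [12572] info: spamd: handled cleanup of child pid 12580 due to SIGCHLD
"""

KILLED_RE = re.compile(
    r"prefork: adjust: decreasing, too many idle children \((\d+) > (\d+)\), killed (\d+)")
CLEANUP_RE = re.compile(r"spamd: handled cleanup of child pid (\d+) due to SIGCHLD")
STATES_RE = re.compile(r"prefork: child states: ([A-Z]*)")


def classify_cleanups(log_text):
    """Pair every SIGCHLD cleanup with the scaling decision that caused it.

    Returns [(pid, verdict)]. "scaling" means the master itself logged killing
    that pid because idle children exceeded --max-spare: the routine case the
    thread describes. "unexplained" means the child went away on its own
    (crash, OOM kill, external signal) and deserves a closer look.
    """
    pending_kills = set()
    verdicts = []
    for line in log_text.splitlines():
        m = KILLED_RE.search(line)
        if m:
            pending_kills.add(m.group(3))
            continue
        m = CLEANUP_RE.search(line)
        if m:
            pid = m.group(1)
            if pid in pending_kills:
                pending_kills.discard(pid)
                verdicts.append((pid, "scaling"))
            else:
                verdicts.append((pid, "unexplained"))
    return verdicts


def idle_overshoot(log_text, max_spare=2):
    """Return the "child states" snapshots where idle children ('I') exceed
    max_spare, i.e. the moments just before the master kills one. The
    default 2 is spamd's --max-spare default, matching the "(3 > 2)" line."""
    over = []
    for line in log_text.splitlines():
        m = STATES_RE.search(line)
        if m and m.group(1).count("I") > max_spare:
            over.append((m.group(1), m.group(1).count("I")))
    return over


if __name__ == "__main__":
    for pid, verdict in classify_cleanups(SAMPLE_LOG):
        print(f"child {pid}: {verdict}")
    for states, idle in idle_overshoot(SAMPLE_LOG):
        print(f"{idle} idle children in state string {states!r}")
```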
More of a philosophical question
This isn't so much of a technical question as a policy one. I get a lot of spam which looks like:

Return-Path: evan_law...@davidark.net
Received: from web.biz.mail.sk1.yahoo.com (web.biz.mail.sk1.yahoo.com [74.6.114.43])
    by mail.redfish-solutions.com (8.14.3/8.14.3) with SMTP id nA8KXHbF007914
    for philipp_s...@redfish-solutions.com; Sun, 8 Nov 2009 13:33:23 -0700
Received: (qmail 77790 invoked by uid 60001); 8 Nov 2009 20:33:17 -
Message-ID: 223519.76757...@web.biz.mail.sk1.yahoo.com
X-YMail-OSG: ...[omitted]...
Received: from [41.207.162.4] by web.biz.mail.sk1.yahoo.com via HTTP; Sun, 08 Nov 2009 12:33:16 PST
X-Mailer: YahooMailClassic/8.1.6 YahooMailWebService/0.7.347.3
Date: Sun, 8 Nov 2009 12:33:16 -0800 (PST)
From: Evan Lawson evan_law...@davidark.net
Subject: Hello Dear Friend
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

And I report this to Yahoo!. They then answer:

"We understand your frustration in receiving unsolicited email. While we investigate all reported violations against the Yahoo! Terms of Service (TOS), in this particular case the message you received was not sent by a Yahoo! Mail user. Yahoo! has no control over activities outside its service, and therefore we cannot take action. You may try contacting the sender's email provider, by identifying the sender's domain and contacting the administrator of that domain. The sender's provider should be in a better position to take appropriate action against the sender's account."

which sounds to me like they are effectively admitting that they run an Open Relay, which is against US law, as I remember.

It's also factually incorrect. The message didn't originate outside of their service, since the line "Received: ... via HTTP" is basically meaningless. HTTP isn't a mail protocol. This tells me that the message originated via a Webmail submission on their website, which means that someone had to log in with credentials... which means that (a) they do in fact have control over whether that user's credentials get yanked or not, and (b) the message didn't originate outside of their service.

This has been going on for 4 years, and I'm tired of their shirking their responsibility. We don't have a lot of users, so I'd be happy to blacklist Yahoo! until they clean up their act... unfortunately a couple of correspondents to this domain are Yahoo! users. So what is the best course of action to take against Yahoo!?

I filed an IC3 complaint against them for passing phishing and operating an Open Relay, but nothing came of it. How has everyone else made their peace with this?

Thanks,
-Philip
Re: More of a philosophical question
On Wed, 11 Nov 2009, Philip A. Prindeville wrote:
> This isn't so much of a technical question as a policy one. I get a lot of spam which looks like:
>
> ...[omitted]...
>
> And I report this to Yahoo!. They then answer:

...basically "we don't care".

> It's also factually incorrect. The message didn't originate outside of their service, since the line "Received: ... via HTTP" is basically meaningless. HTTP isn't a mail protocol. This tells me that the message originated via a Webmail submission on their website, which means that someone had to log in with credentials... which means that (a) they do in fact have control over whether that user's credentials get yanked or not, and (b) the message didn't originate outside of their service.

And they ignore you when you point this out to them?

> We don't have a lot of users, so I'd be happy to blacklist Yahoo! until they clean up their act... unfortunately a couple of correspondents to this domain are Yahoo! users. So what is the best course of action to take against Yahoo!?

Nuke them from orbit?

I've given up on reporting abuse to Yahoo!, it's too much work for too little result.

You could MTA reject Yahoo! webmail that has "To: undisclosed recipients:". That probably wouldn't impact your users _too_ much.

-- 
John Hardin KA7OHZ    http://www.impsec.org/~jhardin/
jhar...@impsec.org    FALaholic #11174    pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
---
The yardstick you should use when considering whether to support a given piece of legislation is "what if my worst enemy is chosen to administer this law?"
---
Today: Veterans Day
Re: [sa] More of a philosophical question
On Wed, 11 Nov 2009, Philip A. Prindeville wrote:
> Return-Path: evan_law...@davidark.net
> Received: from web.biz.mail.sk1.yahoo.com

The 'not from our server' response makes me think that Yahell needs to update their e-mail response robot. A while ago Yahell started partnering with companies like Rogers telecom here in Ontario, so that they were the e-mail 'provider' for any of Rogers DSL customers, many of whom have addresses at domains *other* than Yahell. I would suspect that they adjusted their mail interface to allow custom envelope senders from these sources, but did not update their robot to handle the case where Return-Path is not a Yahoo address. Either that or the server name is 'new' and not handled by the robot.

Either way, I would find a way to MUNG the contents of the e-mail sufficiently that Yahoo can no longer 'parse' the headers and 'auto respond'. Then you might get a human to look at it MAYBE. :)

- Charles
Re: sought rules
Hi guys -- the problem is that SOUGHT uses gigabytes of private mail, so running that on a shared host is not viable. Currently we don't have anything like that I can use :(

On Wednesday, November 11, 2009, George R. Kasica geor...@netwrx1.com wrote:
> ...[omitted]...

-- 
--j.
Re: More of a philosophical question
On Wednesday November 11 2009 22:33:12 Philip A. Prindeville wrote:
> This isn't so much of a technical question as a policy one. I get a lot of spam which looks like:
>
> Return-Path: evan_law...@davidark.net
> Received: from web.biz.mail.sk1.yahoo.com (web.biz.mail.sk1.yahoo.com [74.6.114.43])

$ whois 74.6.114.43
OrgName:    Inktomi Corporation
OrgID:      INKT
Address:    701 First Ave
City:       Sunnyvale
StateProv:  CA
PostalCode: 94089
Country:    US

NetRange:   74.6.0.0 - 74.6.255.255
CIDR:       74.6.0.0/16
NetName:    INKTOMI-BLK-6

The IP address is not registered as belonging to Yahoo. The message is also missing their DKIM and DK signatures.

John Hardin writes:
> I've given up on reporting abuse to Yahoo!, it's too much work for too little result.

I'm regularly reporting fraud mail (don't care for spam, just fraud) confirmed to be from Yahoo! by their valid DKIM signature and from their IP address space, and practically all my reports receive a positive acknowledgement - with rare exceptions, possibly due to handling by different/new(?) helpdesk operators.

Mark
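As an added example (not from any of the posts in this thread), the header analysis the thread does by eye, in Python's standard library: walk the Received chain, pull the connecting IP and the innermost originating IP, detect the "via HTTP" webmail hop, and record the facts an abuse report or a local reject rule would cite (envelope domain vs. webmail host, presence of a DKIM or DomainKey signature, an undisclosed-recipients To:). The headers are a constructed sample modelled on the quoted message with placeholder mailbox names; the domain-suffix comparison is a deliberate simplification, and signature validation is out of scope.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample modelled on the headers quoted in the thread. Mailbox
# names are placeholders (the post elides them); the host names, IPs and the
# "via HTTP" hop are the ones under discussion.
SAMPLE = """\
Return-Path: <sender@example.net>
Received: from web.biz.mail.sk1.yahoo.com (web.biz.mail.sk1.yahoo.com [74.6.114.43])
\tby mail.redfish-solutions.com (8.14.3/8.14.3) with SMTP id nA8KXHbF007914
\tfor <recipient@redfish-solutions.com>; Sun, 8 Nov 2009 13:33:23 -0700
Received: (qmail 77790 invoked by uid 60001); 8 Nov 2009 20:33:17 -0000
Received: from [41.207.162.4] by web.biz.mail.sk1.yahoo.com via HTTP; Sun, 08 Nov 2009 12:33:16 PST
X-Mailer: YahooMailClassic/8.1.6 YahooMailWebService/0.7.347.3
From: Sender Name <sender@example.net>
Subject: Hello Dear Friend
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

(body omitted)
"""

# "from <host> (<comment>) by <host> ... with|via <protocol>"; the comment is
# where the receiving MTA records what it actually saw, e.g. "[74.6.114.43]".
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)"
    r"(?:.*?\b(?:with|via)\s+(?P<proto>[A-Za-z0-9/.-]+))?",
    re.S,
)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")


def parse_received(msg):
    """Return one dict per Received hop that names a sending host, in header
    order (newest hop first). Hops without a 'from' clause, such as the local
    qmail injection line, are skipped."""
    hops = []
    for value in msg.get_all("Received") or []:
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        # Prefer the receiver's bracketed observation over the HELO name
        ip = IP_RE.search((m.group("comment") or "") + " " + m.group("from"))
        hops.append({
            "from": m.group("from").strip("[]"),
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by"),
            "proto": m.group("proto").upper() if m.group("proto") else None,
        })
    return hops


def received_hops(raw):
    """Convenience wrapper: parse a raw RFC 822 message and return its hops."""
    return parse_received(email.message_from_string(raw))


def triage(raw):
    """Collect the origin facts an abuse report (or a local reject rule) can
    cite, as the thread argues them: the webmail hop shows a logged-in
    submission, so the provider did have control over the account."""
    msg = email.message_from_string(raw)
    hops = parse_received(msg)
    webmail = [h for h in hops if h["proto"] == "HTTP"]
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    rp_domain = return_path.rpartition("@")[2].lower() or None
    webmail_host = webmail[-1]["by"].lower() if webmail else None
    return {
        "connecting_ip": hops[0]["from_ip"] if hops else None,
        "originating_ip": hops[-1]["from_ip"] if hops else None,
        "webmail_submission": bool(webmail),
        "webmail_host": webmail_host,
        "return_path_domain": rp_domain,
        # Simplified suffix check (assumption): a foreign envelope domain on a
        # webmail hop is the "custom envelope sender" case the thread suspects
        "envelope_matches_webmail": bool(
            webmail_host and rp_domain and webmail_host.endswith(rp_domain)),
        # Either signature header present counts; validation is out of scope
        "dkim_signed": msg.get("DKIM-Signature") is not None
        or msg.get("DomainKey-Signature") is not None,
        "undisclosed_recipients": "undisclosed" in (msg.get("To") or "").lower(),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key:26} {value}")
```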
Re: [Fwd: Re: Getting off the Cloudmark formerly spamnet blacklist]
Giampaolo Tomassoni wrote: Michael Scheidell wrote: ...omissis... If our clients were DELIBERATELY spamming, say they thought they were going to send out a marketing mail or some such, then you would be correct. But they were not. They were simply using the largest software company on Earth's products - Microsoft - like everyone else in the world who has those products do. I have a Mac G4 running OSX sitting on my desk here, next to my Windows box. I also have a FreeBSD system running FreeBSD6 and firefox 3 in the other room. On either of those systems I could have done EXACTLY THE SAME THING that the user at this client who got cracked into did - I could have opened the same e-mails, gone to the same websites, etc. - and I WOULDN'T have been cracked. So, explain again why this was THEIR fault? Don't you think that the botnet writer has just a tiny tiny bit of blame here? What about the software developer being paid more money than God sitting up in a nice comfortable office in Redmond who wrote that piece of shit that our client was using, and included dozens of security holes that are exploited by botnet writers, don't you think that HE has just a tiny tiny bit of culpability? Every other current production operating system on the face of the earth doesn't seem to be regularly hijacked by spammers. So, why are you going to give Microsoft a pass? Why exactly is it that when a user of Microsoft Windows doesn't apply patches that it's their fault when their system is cracked? What exactly do you think a patch IS? If their system had been written properly in the beginning it wouldn't need to be patched. 
If they weren't logged in as administrator - which is necessary for Windows desktop systems since most Windows software developers are shit-ass lazy bastards who ignore the Microsoft directives about writing usermode programs so they don't have to run as the root, I mean administrative, user to get any functionality out of them - then even if they had been cracked it would only be their profile trashed, and the bot wouldn't go any further. If you write software for Apple and you do it in such a way that your MacOS X software requires root access to run, then if your software gets ANY amount of visibility, you will get a call from Apple politely trying to educate you, and if you ignore this then they get nasty, and if you ignore that, then they publicly speak against your software - and then all the Apple users will stop buying your shit, and you will be out of business. What, you think Microsoft has LESS pull than Apple in this area, and couldn't do the same thing? In the last 3-4 years there's been less than 5 root-exploitable holes in Apache - which is arguably the most popular UNIX program ever, and is installed on the most Unix systems in the world - yet Apache isn't even installed on all of them. I can't remember when the last root-exploit came out for a program that is enabled on FreeBSD out of the box - it might have been the Telnet bug so many years ago. Yet, every week there's DOZENS of security patches that MS releases for XP and Vista and soon, Windows 7. So, please save your moralizing. Microsoft is the richest software company in the world, they get PAID REAL MONEY by everyone that uses their crap - yet they can't produce a secure OS to save their lives. By contrast, Debian, Ubuntu, FreeBSD, OpenBSD - all UNPAID, and all ROUTINELY release os's that are not attackable by botnets. And Apple used FreeBSD as its base for Darwin - and they ALSO have no problems in this regard either. Please, name 5 viruses that routinely attack MacOSX.
Our clients retain outside expertise because THEY KNOW THEY ARE BONEHEADS when it comes to software. And, you're expecting boneheads to actually see through the ten thousand tons of marketing BULLCRAP that Microsoft's bowel movements dump on the business world every year, claiming their stuff is so great, so secure, so all-fired-wonderful? You say the world really needs to protect itself from botnets? Jesus, I think the world REALLY needs to protect itself from MICROSOFT. They OBVIOUSLY have absolutely NO SENSE WHATSOEVER of responsibility for the piece-o-shit, holey as Swiss cheese, crapware that they stick up the collective ass of the world's businesses every year. I can almost excuse the botnet writers - they at least are amoral sociopaths and are doing EXACTLY as I would expect criminals to behave. But, Microsoft couldn't be more two-faced if every one of their employees had eyes, ears, nose and a mouth on the back of their heads. They EVEN HAD a secure security model - remember NT 3.51? You know, the ONLY version of Windows where ring 0 was separated from usermode programs? And they chucked that out with NT4 when they pushed the video system into ring 0 so that crap-ass games could run faster. Who cares that it allowed malware to take over the system. Michael, get some perspective,
Re: sought rules
On 11-Nov-2009, at 11:37, George R. Kasica wrote:

True... what do you need to host this thing... if I can help out with space/bandwidth I'd be willing. I've got a couple linux boxes here that I could give you some space on.

I've got a pretty solid business-cable connection at home and my server is up pretty much 24/7/365, depending on bandwidth I could donate some. (I've got about 3Mb up)

-- 
But you read a lot of books, I'm thinking. Hard to have faith, ain't it, when you've read too many books?
Re: [Fwd: Re: Getting off the Cloudmark formerly spamnet blacklist]
On 11-Nov-2009, at 18:34, Ted Mittelstaedt wrote:

I will point out that MacOS 7, os* os9 were HIGHLY virus-prone, yet there were far fewer of them than OSX today.

Er… that is simply not true. Not in any way. As I recall, there were a total of 31 viruses for System 7 and one CD-ROM worm for System 8/9 (Autostart Worm).

-- 
Strange things are afoot at the Circle K
Re: More of a philosophical question
On 11-Nov-2009, at 14:33, Philip A. Prindeville wrote:

And I report this to Yahoo!

Yahoo is more and more like hotmail. I simply bin everything, mark them up, and recommend that people stop using them. They are extremely difficult to work with, seem to be staffed by total morons (as in your case where they can't even tell that the spam originated from their servers), and don't give a crap about their users spamming through them.

-- 
'I knew the two of you would get along like a house on fire.' Screams, flames, people running for safety... --Pyramids
Re: More of a philosophical question
On Thu, 12 Nov 2009 01:45:00 +0100 Mark Martinec mark.martinec...@ijs.si wrote:

The IP address is not registered as belonging to Yahoo. The message is also missing their DKIM and DK signatures.

OTOH it does have full-circle dns that ends in yahoo.com.
Re: More of a philosophical question
On 11-Nov-2009, at 17:45, Mark Martinec wrote:

The IP address is not registered as belonging to Yahoo. The message is also missing their DKIM and DK signatures.

Yes it is. Wikipedia: After the bursting of the dot-com bubble, Inktomi was acquired by Yahoo!

-- 
i wasn't born a programmer. i became one because i was impatient. - Dave Winer
Re: More of a philosophical question
On Thu, 12 Nov 2009 02:54:10 + RW rwmailli...@googlemail.com wrote:

On Thu, 12 Nov 2009 01:45:00 +0100 Mark Martinec mark.martinec...@ijs.si wrote:

The IP address is not registered as belonging to Yahoo. The message is also missing their DKIM and DK signatures.

OTOH it does have full-circle dns that ends in yahoo.com.

I put Inktomi Corporation into Google, and it appears that they are a software development company that's owned by Yahoo.
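The thread above weighs three pieces of evidence about the relaying host: the whois registration of the IP, whether the message carries DKIM/DomainKeys signatures, and whether the IP has "full-circle" (forward-confirmed) reverse DNS that lands in yahoo.com. The script below is an added example, not code from the list or from SpamAssassin, that pulls the HELO name and IP out of the topmost Received: header and runs the last two checks in a way that can be scripted for triage. Everything it resolves comes from a constructed stub DNS table: the thread only says the PTR for 74.6.114.43 "ends in yahoo.com", so the exact PTR name used here is an assumption, and the second message (a host on the TEST-NET range 192.0.2.0/24 claiming a yahoo.com HELO) is invented to show the failure mode. `registered_domain` is a deliberately crude two-label heuristic and would need a public-suffix list for real use.

```python
"""Sender-consistency checks on Received: headers (added example, offline)."""
import re
import socket
from email import message_from_string

# Matches the usual "from HELO (rdns-as-recorded [ip])" form of a Received: header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[]+)\s*\[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]\)",
    re.IGNORECASE,
)

# Constructed sample messages. The first mirrors the header quoted in the thread;
# the second is an invented spoof from a TEST-NET address claiming a yahoo.com HELO.
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.invalid>
Received: from web.biz.mail.sk1.yahoo.com (web.biz.mail.sk1.yahoo.com [74.6.114.43]) by mx.example.invalid with SMTP id CONSTRUCTED1; Wed, 11 Nov 2009 14:33:12 -0700
From: sender@example.invalid
Subject: constructed sample

body
"""

SPOOFED_MESSAGE = """\
Return-Path: <sender@example.invalid>
Received: from web.biz.mail.sk1.yahoo.com (dyn-10.example.invalid [192.0.2.10]) by mx.example.invalid with SMTP id CONSTRUCTED2; Wed, 11 Nov 2009 14:40:00 -0700
From: sender@example.invalid
Subject: constructed spoof

body
"""


def stub_resolver(query, rrtype):
    """Constructed DNS data standing in for live PTR/A lookups (hypothetical values)."""
    ptr = {"74.6.114.43": ["web.biz.mail.sk1.yahoo.com"],
           "192.0.2.10": ["dyn-10.example.invalid"]}
    a = {"web.biz.mail.sk1.yahoo.com": ["74.6.114.43"],
         "dyn-10.example.invalid": ["192.0.2.10"]}
    return (ptr if rrtype == "PTR" else a).get(query, [])


def live_resolver(query, rrtype):
    """Real lookups through the stdlib resolver; not exercised by the offline samples."""
    try:
        if rrtype == "PTR":
            return [socket.gethostbyaddr(query)[0]]
        return socket.gethostbyname_ex(query)[2]
    except socket.error:
        return []


def parse_received(value):
    """Return (helo, rdns_as_recorded, ip) from a Received: header value, or None."""
    m = RECEIVED_RE.search(value)
    return (m.group("helo"), m.group("rdns"), m.group("ip")) if m else None


def registered_domain(name):
    """Crude heuristic: the last two labels (fine for yahoo.com, wrong for co.uk)."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def fcrdns(ip, resolve):
    """Forward-confirmed reverse DNS: PTR(ip) gives names, and some A(name) returns ip."""
    names = resolve(ip, "PTR")
    confirmed = [n for n in names if ip in resolve(n, "A")]
    return bool(confirmed), names


def assess(raw_message, resolve=stub_resolver):
    """Summarise the topmost Received: hop and the signature headers of a message."""
    msg = message_from_string(raw_message)
    result = {
        "dkim_signed": "DKIM-Signature" in msg,
        "domainkeys_signed": "DomainKey-Signature" in msg,
        "helo": None, "ip": None, "ptr_names": [],
        "fcrdns_ok": False, "helo_matches_rdns": False,
    }
    received = msg.get_all("Received", [])
    parsed = parse_received(received[0]) if received else None
    if parsed is None:
        return result
    helo, _rdns, ip = parsed
    ok, names = fcrdns(ip, resolve)
    result.update(
        helo=helo, ip=ip, ptr_names=names, fcrdns_ok=ok,
        helo_matches_rdns=any(registered_domain(n) == registered_domain(helo) for n in names),
    )
    return result


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("spoof", SPOOFED_MESSAGE)):
        print(label, assess(raw))
```

With the stub data the first message passes FCrDNS and its PTR agrees with the HELO, but carries no DKIM or DomainKeys header, which is exactly the mixed picture the thread argues over; the second passes FCrDNS too (the host really is who its PTR says) yet the HELO claim does not match, which is the case worth flagging. Swap in `live_resolver` to run the same logic against real DNS.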