sought rules

2009-11-11 Thread john ffitch
Have I missed something?  I used to pull the sought rules daily, but
nothing seems to have changed since 2 Nov.  Is that expected behaviour?
==John ffitch


RE: [Fwd: Re: Getting off the Cloudmark formerly spamnet blacklist]

2009-11-11 Thread Giampaolo Tomassoni
 Michael Scheidell wrote:
 
 ...omissis...
 
 If our clients were DELIBERATELY spamming, say they thought they
 were going to send out a marketing mail or some such, then you would
 be correct.
 
 But they were not.  They were simply using the largest software
 company on Earth's products - Microsoft - like everyone else
 in the world who has those products do.
 
 I have a Mac G4 running OSX  sitting on my desk here, next to my
 Windows box.  I also have a FreeBSD system running FreeBSD6 and
 firefox 3 in the other room.
 
 On either of those systems I could have done EXACTLY THE SAME THING
 that the user at this client who got cracked into did - I could
 have opened the same e-mails, gone to the same websites, etc. - and
 I WOULDN'T have been cracked.
 
 So, explain again why this was THEIR fault?  Don't you think that
 the botnet writer has just a tiny tiny bit of blame here?  What about
 the software developer being paid more money than God sitting up in
 a nice comfortable office in Redmond who wrote that piece of shit
 that our client was using, and included dozens of security holes
 that are exploited by botnet writers, don't you think that HE
 has just a tiny tiny bit of culpability?
 
 Every other current production operating system on the face of the
 earth doesn't seem to be regularly hijacked by spammers.  So, why are you
 going to give Microsoft a pass?
 
 Why exactly is it that when a user of Microsoft Windows doesn't
 apply patches that it's their fault when their system is cracked?
 What exactly do you think a patch IS?  If their system had been written
 properly in the beginning it wouldn't need to be patched.  If they
 weren't logged in as administrator - which is necessary for Windows
 desktop systems since most Windows software developers are shit-ass
 lazy bastards who ignore the Microsoft directives about writing usermode
 programs so they don't have to run as the root, I mean administrative,
 user to get any functionality out of them - then even if they had been
 cracked it would only be their profile trashed, and the bot wouldn't go
 any further.
 
 If you write software for Apple and you do it in such a way that
 your MacOS X software requires root access to run, then if your
 software gets ANY amount of visibility, you will get a call from
 Apple politely trying to educate you, and if you ignore this then
 they get nasty, and if you ignore that, then they publicly speak
 against your software - and then all the Apple users will stop
 buying your shit, and you will be out of business.
 
 What, you think Microsoft has LESS pull than Apple in this area,
 and couldn't do the same thing?
 
 In the last 3-4 years there's been less than 5 root-exploitable
 holes in Apache - which is arguably the most popular UNIX program
 ever, and is installed on the most Unix systems in the world -
 yet Apache isn't even installed on all of them.  I can't remember
 when the last root-exploit came out for a program that is enabled
 on FreeBSD out of the box - it might have been the Telnet
 bug so many years ago.
 
 Yet, every week there are DOZENS of security patches that MS releases
 for XP and Vista and soon, Windows 7.
 
 So, please save your moralizing.  Microsoft is the richest software
 company in the world, they get PAID REAL MONEY by everyone that uses
 their crap - yet they can't produce a secure OS to save their lives.
 By contrast, Debian, Ubuntu, FreeBSD, OpenBSD - all UNPAID, and all
 ROUTINELY release os's that are not attackable by botnets.  And Apple
 used FreeBSD as its base for Darwin - and they ALSO have no problems
 in this regard either.  Please, name 5 viruses that routinely attack
 MacOSX.
 
 Our clients retain outside expertise because THEY KNOW THEY ARE
 BONEHEADS when it comes to software.  And, you're expecting boneheads
 to actually see through the ten thousand tons of marketing BULLCRAP
 that Microsoft's bowel movements dump on the business world every year,
 claiming their stuff is so great, so secure, so all-fired-wonderful?
 
 You say the world really needs to protect itself from botnets?
 Jesus, I think the world REALLY needs to protect itself from
 MICROSOFT.  They OBVIOUSLY have absolutely NO SENSE WHATSOEVER
 of responsibility for the piece-o-shit, holey as swiss cheese,
 crapware that they stick up the collective ass of the world's
 businesses every year.
 
 I can almost excuse the botnet writers - they at least are
 amoral sociopaths and are doing EXACTLY as I would expect criminals
 to behave.  But, Microsoft couldn't be more two-faced if every
 one of their employees had eyes, ears, nose and a mouth on the
 back of their heads.  They EVEN HAD a secure security model -
 remember NT 3.51?  You know, the ONLY version of Windows where
 ring 0 was separated from usermode programs?  And they chucked
 that out with NT4 when they pushed the video system into ring
 0 so that crap-ass games could run faster.  Who cares that
 it allowed malware to take over the system.
 
 

Re: Regex Question

2009-11-11 Thread Ralf Hildebrandt
* rahlqu...@gmail.com rahlqu...@gmail.com:

 As said before blocking at the MTA would be less resource intensive but I
 want the whole message to feed bayes.

But you already KNOW you don't want that stuff :) No need to poison
your bayesdb with that...

 As for Ralf and his lightly gruff response, it's to be expected when
 asking for help on the net and I grew my thick skin 8 years ago asking
 questions on setting up SMTP Auth on the Sendmail list. Compared to
 some of the folks there Ralf nearly blew me a kiss.

I was not trying to be rude. I just want to keep things simple.

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: Development dead

2009-11-11 Thread Anatoly Pugachev
On 04.11.2009 / 09:20:16 -0500, Bowie Bailey wrote:
 polloxx wrote:
  Hi,
 
  Is the spamassassin development dead?
  On the website there's: 2008-06-12: SpamAssassin 3.2.5 has been released.

 
 Not quite.  If you look at svn, you'll see this:
 
 spamassassin_20091103151200.tar.gz   03-Nov-2009 15:12   2.1M
 
 Doesn't look dead to me!  :)

Hello!
Can you please post a full URL to this archive? 
Since http://svn.apache.org/snapshots/spamassassin/ doesn't have it.



possible Kerio msg-id bork

2009-11-11 Thread Yet Another Ninja
Anybody here using some flavour of Kerio Mail Server... pls get back to 
me, offlist!


thanks

AXB


Re: Development dead

2009-11-11 Thread Matt Kettler
Anatoly Pugachev wrote:
 On 04.11.2009 / 09:20:16 -0500, Bowie Bailey wrote:
   
 polloxx wrote:
 
 Hi,

 Is the spamassassin development dead?
 On the website there's: 2008-06-12: SpamAssassin 3.2.5 has been released.
   
   
 Not quite.  If you look at svn, you'll see this:

 spamassassin_20091103151200.tar.gz   03-Nov-2009 15:12   2.1M

 Doesn't look dead to me!  :)
 

 Hello!
 Can you please post a full URL to this archive? 
 Since http://svn.apache.org/snapshots/spamassassin/ doesn't have it.


   
The snapshots directory is automatically built and old versions are
purged. The November 3rd image is gone. Now we've got ones from the 10th
and 11th. By the time you look at it again, these might be gone and
newer ones may have replaced them.

[   ] spamassassin_20091110151200.tar.gz 10-Nov-2009 15:12  2.1M 
[   ] spamassassin_20091110211200.tar.gz 10-Nov-2009 21:12  2.1M 
[   ] spamassassin_2009031200.tar.gz 11-Nov-2009 03:12  2.1M 
[   ] spamassassin_2009091200.tar.gz 11-Nov-2009 09:12  2.1M 

However, if you're really just looking to gauge development activity, it
would be better to look at the list archives of all the SVN commits.

http://mail-archives.apache.org/mod_mbox/spamassassin-commits/

or, for the current month of November 2009, sorted by date:

http://mail-archives.apache.org/mod_mbox/spamassassin-commits/200911.mbox/date


Re: sought rules

2009-11-11 Thread Bowie Bailey
john ffitch wrote:
 Have I missed something?  I used to pull the sought rules daily, but
 nothing seems to have changed since 2 Nov.  Is that expected behaviour?
 ==John ffitch
   

No, that's not expected behavior...

On Thu, 5 Nov 2009, Justin Mason wrote:
 Right now, SOUGHT appears to be broken.  I need to get to where the
server is currently and fix it -- I don't have remote login to it at the
mo :(

And that's about all we know at the moment.

-- 
Bowie


RE: JMF_W URIBL_BLACK

2009-11-11 Thread Chris Santerre

 This just becomes increasingly important when management drops an
 email in the Put Spam Here folder for training that clearly isn't
 spam, but something they've subscribed to, like a newsletter. For the
 email that even I question sometimes, I'd like to be able to give them
 a definitive answer as to why it is or isn't spam.

This week, the president of the company told me to "Block all emails with
'deserve' in it!"

*sigh*

I had to school him on the fine art of antispam techniques with examples
like:

We deserve better servers..
Our health care coverage deserves to be fired...
The IT guys deserve a raise...

:)

--Chris 


Re: JMF_W URIBL_BLACK

2009-11-11 Thread Matus UHLAR - fantomas
  This just becomes increasingly important when management drops an
  email in the Put Spam Here folder for training that clearly isn't
  spam, but something they've subscribed to, like a newsletter. For the
  email that even I question sometimes, I'd like to be able to give them
  a definitive answer as to why it is or isn't spam.

On 11.11.09 09:34, Chris Santerre wrote:
 This week, the president of the company told me to "Block all emails with
 'deserve' in it!"
 
 *sigh*
 
 I had to school him on the fine art of antispam techniques with examples
 like:
 
 We deserve better servers..
 Our health care coverage deserves to be fired...
 The IT guys deserve a raise...

I really wonder if THESE convinced him NOT to block such e-mail ;-)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Spam is for losers who can't get business any other way.


Re: Hostkarma: to be or not to be in SA defaults

2009-11-11 Thread Michael Monnerie
On Thursday 01 October 2009 Marc Perkel wrote:
 I guess that if HOSTKARMA were included in the default build then I
 will need more mirrors to handle the load.

If that is wanted, I could talk to ISPs for hosting such DNS here in 
Austria. After all, we are all getting advantages from this, and as long 
as it's a free service, I can offer free mirrors.

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4



Re: false positive on hostkarma blacklist

2009-11-11 Thread Michael Monnerie
On Wednesday 21 October 2009 Marc Perkel wrote:
  Michael Monnerie wrote:
 http://ipadmin.junkemailfilter.com/remove.php?ip=62.40.128.130
 Just received this FP from a customer. That IP is indeed an MX for
 kabsi.at, a big cable provider in Austria. Please put it on YELLOW.

Please, Marc, you fixed above IP, but now this one is on the blacklist:
62.40.128.131

It's the following IP, and the reverse shows
62.40.128.130  mx02.kabsi.at
62.40.128.131  mx04.kabsi.at

When someone reports an ISP, and they name their MX in a very readable 
way, you should automatically check for mx01 and mx03, mx05, ... as 
well:
195.202.128.130  mx03.kabsi.at
195.202.128.131  mx05.kabsi.at

Please put all these on YELLOW. 

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4



Re: false positive on hostkarma blacklist

2009-11-11 Thread Michael Monnerie
Another FP, reported some Monday from a customer:
212.62.57.38 == mtaout3.isp.ptt.rs

Which is a clear sign of an ISP. So please, again, check also their 
mtaout1 ... mtaout9 or whatever and include all these in YELLOW.

Also, I've offered you a list of ISP MXes from Austria. We have an ISP 
Association ( www.ispa.at ), and they keep that list up to date. Do you 
want that for your YELLOW list? Maybe you can subscribe to receive 
updates automatically, too...

mfg zmi
-- 
// Michael Monnerie, Ing.BSc-  http://it-management.at
// Tel: 0660 / 415 65 31  .network.your.ideas.
// PGP Key: curl -s http://zmi.at/zmi.asc | gpg --import
// Fingerprint: AC19 F9D5 36ED CD8A EF38  500E CE14 91F7 1C12 09B4
// Keyserver: wwwkeys.eu.pgp.net  Key-ID: 1C1209B4
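
A worked version of the sibling-MX check asked for in the two posts above (mx02 -> mx01, mx03, ...; mtaout3 -> mtaout1 ... mtaout9), added here as an example and not part of Michael's posts or of hostkarma's own code. It enumerates the numbered siblings of a reported host's reverse name and keeps only those whose forward and reverse DNS agree; the lookup tables are constructed from the addresses quoted in the thread, and live_reverse/live_forward are assumed wrappers around the system resolver for real use.

```python
import re
import socket

# Constructed lookup tables modelled on the reverse names quoted in the thread
# (62.40.128.130 -> mx02.kabsi.at, 212.62.57.38 -> mtaout3.isp.ptt.rs, ...).
# 203.0.113.7 / host-7.example.net is a constructed non-MX host for contrast.
SAMPLE_REVERSE = {
    "62.40.128.130": "mx02.kabsi.at",
    "62.40.128.131": "mx04.kabsi.at",
    "195.202.128.130": "mx03.kabsi.at",
    "195.202.128.131": "mx05.kabsi.at",
    "212.62.57.38": "mtaout3.isp.ptt.rs",
    "203.0.113.7": "host-7.example.net",
}
SAMPLE_FORWARD = {name: ip for ip, name in SAMPLE_REVERSE.items()}
# Constructed trap: a sibling name whose A record points at a host whose PTR
# does not point back; such a host must not be listed on someone else's say-so.
SAMPLE_FORWARD["mx01.kabsi.at"] = "203.0.113.7"

# hostname = alphabetic prefix + decimal number + domain, e.g. mx02.kabsi.at
_NUMBERED = re.compile(r"^(?P<prefix>[a-z]+)(?P<num>\d+)\.(?P<domain>[a-z0-9.-]+)$", re.I)


def sibling_hostnames(hostname, lo=1, hi=9):
    """mx02.kabsi.at -> [mx01.kabsi.at, mx03.kabsi.at, ..., mx09.kabsi.at].
    Zero padding of the number is preserved; names that do not follow the
    prefix+number pattern yield an empty list."""
    m = _NUMBERED.match(hostname.strip().rstrip("."))
    if not m:
        return []
    prefix, num, domain = m.group("prefix"), m.group("num"), m.group("domain")
    width = len(num)
    return [f"{prefix}{i:0{width}d}.{domain}"
            for i in range(lo, hi + 1) if i != int(num)]


def expand_listing(reported_ip, reverse, forward):
    """Siblings of the reported host that exist and pass a forward/reverse
    consistency check (the A record of the name points at an IP whose PTR is
    that same name).  reverse(ip) and forward(name) return a str or None."""
    ptr = reverse(reported_ip)
    if not ptr:
        return {}
    siblings = {}
    for name in sibling_hostnames(ptr):
        ip = forward(name)
        if ip is None or reverse(ip) != name:
            continue   # no such host, or the PTR does not confirm the name
        siblings[name] = ip
    return siblings


def live_reverse(ip):
    """PTR lookup via the system resolver (assumed wrapper, offline demo does not use it)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def live_forward(name):
    """A lookup via the system resolver (assumed wrapper, offline demo does not use it)."""
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


if __name__ == "__main__":
    for ip in ("62.40.128.130", "212.62.57.38"):
        print(ip, SAMPLE_REVERSE[ip], "->",
              expand_listing(ip, SAMPLE_REVERSE.get, SAMPLE_FORWARD.get))
```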



Re: sought rules

2009-11-11 Thread Justin Mason
On Wed, Nov 11, 2009 at 14:04, Bowie Bailey bowie_bai...@buc.com wrote:
 john ffitch wrote:
 Have I missed something?  I used to pull the sought rules daily, but
 nothing seems to have changed since 2 Nov.  Is that expected behaviour?
 ==John ffitch


 No, that's not expected behavior...

 On Thu, 5 Nov 2009, Justin Mason wrote:
 Right now, SOUGHT appears to be broken.  I need to get to where the
 server is currently and fix it -- I don't have remote login to it at the
 mo :(

 And that's about all we know at the moment.

Yep -- sorry -- I got to reboot the server, but it appears to have not
fixed the problem.
Right now I'm not likely to be able to perform more investigation for a week
or two. :(

Sorry about this -- the perils of volunteer infrastructure!

-- 
--j.


Re: sought rules

2009-11-11 Thread Bowie Bailey
Justin Mason wrote:
 Yep -- sorry -- I got to reboot the server, but it appears to have not
 fixed the problem.
 Right now I'm not likely to be able to perform more investigation for a week
 or two. :(

 Sorry about this -- the perils of volunteer infrastructure!

No problem.  I've set scores for all the JM_SOUGHT* rules to zero until
I start seeing updates again.

-- 
Bowie


Re: sought rules

2009-11-11 Thread Alex
Hi,

 Yep -- sorry -- I got to reboot the server, but it appears to have not
 fixed the problem.
 Right now I'm not likely to be able to perform more investigation for a week
 or two. :(

 Sorry about this -- the perils of volunteer infrastructure!

Where is it physically located? Isn't there someone in the area that
you trust, or could trust, to go and fix it? I guess if there was, you
would have done that, but I'm sure you could find some volunteers to
put it up in a more centrally-located or managed location for the
future, if you'd like.

Off-site backup? At the least, I'm sure someone could contribute
there. I've got a few servers, and would be happy to provide remote
ssh/rsync access to someone, should you like.

Best regards,
Alex


spamd SIGCHLD

2009-11-11 Thread Jose Luis Marin Perez

Dear Sirs,

In reviewing the SA log I found that there are many messages of this type:

[22109] info: spamd: handled cleanup of child pid 22384 due to SIGCHLD

What is causing these messages?

SA is installed on the server:

ML110 G4
Intel(R) Pentium(R) D CPU 2.80GHz
1GB RAM

spamd options:

/usr/bin/spamd -v -u vpopmail -m 10 -x -q -s stderr -r /var/run/spamd/spamd.pid \
    -i 172.16.10.20 -A 172.16.10.0/24 2>&1 | \

Thanks

Jose Luis
  

Re: sought rules

2009-11-11 Thread George R . Kasica
On Wed, 11 Nov 2009 12:09:09 -0500, you wrote:

Hi,

 Yep -- sorry -- I got to reboot the server, but it appears to have not
 fixed the problem.
 Right now I'm not likely to be able to perform more investigation for a week
 or two. :(

 Sorry about this -- the perils of volunteer infrastructure!

Where is it physically located? Isn't there someone in the area that
you trust, or could trust, to go and fix it? I guess if there was, you
would have done that, but I'm sure you could find some volunteers to
put it up in a more centrally-located or managed location for the
future, if you'd like.

Off-site backup? At the least, I'm sure someone could contribute
there. I've got a few servers, and would be happy to provide remote
ssh/rsync access to someone, should you like.

True... what do you need to host this thing... if I can help out with
space/bandwidth I'd be willing. I've got a couple linux boxes here
that I could give you some space on.

George
-- 
===[George R. Kasica]===+1 262 677 0766
President   +1 206 374 6482 FAX 
Netwrx Consulting Inc.  Jackson, WI USA 
http://www.netwrx1.com
geor...@netwrx1.com
ICQ #12862186


sa-learn runs, but doesn't seem to learn anything

2009-11-11 Thread Chris Hastie
Following some corruption issue in my bayes database I have deleted all
the bayes* files and set about relearning.

This looks promising:

# /kolab/bin/sa-learn --dbpath /kolab/var/amavisd/.spamassassin --ham \
    /kolab/var/imapd/spool/domain/e/example.com/s/shared^learn-ham
Learned tokens from 962 message(s) (963 message(s) examined)

but immediately afterwards I get this:

# /kolab/bin/sa-learn --dbpath /var/kolab/amavisd/.spamassassin --dump magic
netset: cannot include 127.0.0.1/32 as it has already been included
0.000          0          3          0  non-token data: bayes db version
0.000          0        321          0  non-token data: nspam
0.000          0          1          0  non-token data: nham
0.000          0      13493          0  non-token data: ntokens
0.000          0 1257931035          0  non-token data: oldest atime
0.000          0 1257932330          0  non-token data: newest atime
0.000          0 1257932333          0  non-token data: last journal sync atime
0.000          0 1257931036          0  non-token data: last expiry atime
0.000          0          0          0  non-token data: last expire atime delta
0.000          0          0          0  non-token data: last expire reduction count

So what happened to the other 961 pieces of ham I've supposedly learnt
from? Or have I misunderstood what --dump magic returns? How do I get up
to the required 200 in these circumstances?

Ta

-- 
Chris


Re: sa-learn runs, but doesn't seem to learn anything

2009-11-11 Thread Alex
Hi,

 # /kolab/bin/sa-learn --dbpath /kolab/var/amavisd/.spamassassin  --ham

 # /kolab/bin/sa-learn --dbpath /var/kolab/amavisd/.spamassassin --dump magic

Aren't you looking in the wrong place for the files you've just learned?

Regards,
Alex


RE: spamd SIGCHLD

2009-11-11 Thread Jose Luis Marin Perez

Dear Sir,

Some additional data. 

I am running with debugging on and got these messages:

@40004afb1ab22375c434 [12572] info: prefork: child states: III
@40004afb1ab22375d7bc [12572] dbg: prefork: child 13018: entering state 3
@40004afb1ab22375e75c [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223aa9b8c [12572] dbg: prefork: adjust: decreasing, too many idle children (3 > 2), killed 13018
@40004afb1ab223d2d46c [12572] dbg: prefork: child 13018: just exited
@40004afb1ab223d2e7f4 [12572] dbg: prefork: child 13018: entering state 4
@40004afb1ab223d2fb7c [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223d30b1c [12572] info: spamd: handled cleanup of child pid 13018 due to SIGCHLD
@40004afb1ab223d31ea4 [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223d3322c [12572] dbg: prefork: child closed connection
@40004afb1ab223d341cc [12572] info: prefork: child states: II

Any comments?

Thanks

Jose Luis


Re: spamd SIGCHLD

2009-11-11 Thread Bowie Bailey
Jose Luis Marin Perez wrote:
 Dear Sir,

 Some additional data.

 I am running debugging and got these messages:

 @40004afb1ab22375c434 [12572] info: prefork: child states: III
 @40004afb1ab22375d7bc [12572] dbg: prefork: child 13018: entering
 state 3
 @40004afb1ab22375e75c [12572] dbg: prefork: new lowest idle kid: 12580
 @40004afb1ab223aa9b8c [12572] dbg: prefork: adjust: decreasing,
 too many idle children (3 > 2), killed 13018
 @40004afb1ab223d2d46c [12572] dbg: prefork: child 13018: just exited
 @40004afb1ab223d2e7f4 [12572] dbg: prefork: child 13018: entering
 state 4
 @40004afb1ab223d2fb7c [12572] dbg: prefork: new lowest idle kid: 12580
 @40004afb1ab223d30b1c [12572] info: spamd: handled cleanup of
 child pid 13018 due to SIGCHLD
 @40004afb1ab223d31ea4 [12572] dbg: prefork: new lowest idle kid: 12580
 @40004afb1ab223d3322c [12572] dbg: prefork: child closed connection
 @40004afb1ab223d341cc [12572] info: prefork: child states: II

 Any comments?

This is just the normal child cleanup.  You have set a maximum of 2 idle
children, so when there were 3, it killed one.  This happens constantly
as new children are created and old children are removed.

-- 
Bowie
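
An added example, not from the thread, that reads the spamd -D prefork lines quoted above and separates SIGCHLD cleanups that follow the parent's own idle scale-down (the benign case Bowie describes) from child exits the parent never asked for, which are the ones worth a closer look. Both log samples are constructed: the first is a copy of the quoted output with wrapped lines rejoined, the second adds an exit with no preceding kill decision; the I/B letters in the state string are assumed to be spamd's idle/busy markers.

```python
import re

# Constructed sample: the spamd -D output quoted in the thread, lines rejoined.
SAMPLE_LOG = """\
@40004afb1ab22375c434 [12572] info: prefork: child states: III
@40004afb1ab22375d7bc [12572] dbg: prefork: child 13018: entering state 3
@40004afb1ab22375e75c [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223aa9b8c [12572] dbg: prefork: adjust: decreasing, too many idle children (3 > 2), killed 13018
@40004afb1ab223d2d46c [12572] dbg: prefork: child 13018: just exited
@40004afb1ab223d2e7f4 [12572] dbg: prefork: child 13018: entering state 4
@40004afb1ab223d2fb7c [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223d30b1c [12572] info: spamd: handled cleanup of child pid 13018 due to SIGCHLD
@40004afb1ab223d31ea4 [12572] dbg: prefork: new lowest idle kid: 12580
@40004afb1ab223d3322c [12572] dbg: prefork: child closed connection
@40004afb1ab223d341cc [12572] info: prefork: child states: II
"""

# Constructed second sample: a cleanup with no preceding scale-down decision,
# i.e. a child that died on its own (crash, OOM kill, external signal).
SAMPLE_LOG_UNEXPLAINED = """\
@40004afb1ac0000000aa [12572] info: prefork: child states: BI
@40004afb1ac0000000bb [12572] info: spamd: handled cleanup of child pid 12581 due to SIGCHLD
@40004afb1ac0000000cc [12572] info: prefork: child states: I
"""

# optional tai64n stamp, parent pid in brackets, level, message
LINE = re.compile(r"^(?:@[0-9a-f]+\s+)?\[(?P<parent>\d+)\]\s+(?P<level>\w+):\s+(?P<msg>.*)$")
KILLED = re.compile(r"adjust: decreasing, too many idle children "
                    r"\((?P<idle>\d+) > (?P<limit>\d+)\), killed (?P<pid>\d+)")
CLEANUP = re.compile(r"handled cleanup of child pid (?P<pid>\d+) due to SIGCHLD")
STATES = re.compile(r"prefork: child states: (?P<states>[A-Z]*)$")


def analyse_prefork_log(text):
    """Classify each SIGCHLD cleanup as the tail end of the parent's own idle
    scale-down, or as an exit the parent did not initiate."""
    pending_kills = {}   # pid -> (idle count, idle limit) at the kill decision
    cleanups = []        # (pid, reason) in log order
    states = []          # child state strings, I = idle, B = busy (assumed)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        msg = m.group("msg")
        k = KILLED.search(msg)
        if k:
            pending_kills[int(k.group("pid"))] = (int(k.group("idle")), int(k.group("limit")))
            continue
        c = CLEANUP.search(msg)
        if c:
            pid = int(c.group("pid"))
            if pid in pending_kills:
                idle, limit = pending_kills.pop(pid)
                cleanups.append((pid, f"idle scale-down ({idle} idle > max {limit})"))
            else:
                cleanups.append((pid, "unexplained exit"))
            continue
        s = STATES.search(msg)
        if s:
            states.append(s.group("states"))
    return {
        "cleanups": cleanups,
        "unexplained": [pid for pid, why in cleanups if why == "unexplained exit"],
        "kills_without_cleanup": sorted(pending_kills),
        "idle_before": states[0].count("I") if states else None,
        "idle_after": states[-1].count("I") if states else None,
    }


if __name__ == "__main__":
    for name, sample in (("quoted log", SAMPLE_LOG), ("constructed", SAMPLE_LOG_UNEXPLAINED)):
        print(name, analyse_prefork_log(sample))
```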


More of a philosophical question

2009-11-11 Thread Philip A. Prindeville
This isn't so much of a technical question as a policy one.

I get a lot of spam which looks like:

Return-Path: evan_law...@davidark.net
Received: from web.biz.mail.sk1.yahoo.com (web.biz.mail.sk1.yahoo.com 
[74.6.114.43])
by mail.redfish-solutions.com (8.14.3/8.14.3) with SMTP id nA8KXHbF007914
for philipp_s...@redfish-solutions.com; Sun, 8 Nov 2009 13:33:23 -0700
Received: (qmail 77790 invoked by uid 60001); 8 Nov 2009 20:33:17 -
Message-ID: 223519.76757...@web.biz.mail.sk1.yahoo.com
Received: from [41.207.162.4] by web.biz.mail.sk1.yahoo.com via HTTP; Sun, 
08 Nov 2009 12:33:16 PST
X-Mailer: YahooMailClassic/8.1.6 YahooMailWebService/0.7.347.3
Date: Sun, 8 Nov 2009 12:33:16 -0800 (PST)
From: Evan Lawson evan_law...@davidark.net
Subject: Hello Dear Friend
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii


And I report this to Yahoo!.  They then answer:



We understand your frustration in receiving unsolicited email. While we
investigate all reported violations against the Yahoo! Terms of Service
(TOS), in this particular case the message you received was not sent by
a Yahoo! Mail user.

Yahoo! has no control over activities outside its service, and therefore
we cannot take action. You may try contacting the sender's email
provider, by identifying the sender's domain and contacting the
administrator of that domain. The sender's provider should be in a
better position to take appropriate action against the sender's account.

which sounds to me like they are effectively admitting that they run an
Open Relay, which is against US law, as I remember.

It's also factually incorrect.  The message didn't originate outside of
their service, since the line Received: ... via HTTP is basically
meaningless.  HTTP isn't a mail protocol.  This tells me that the
message originated via a Webmail submission on their website, which
means that someone had to log in with credentials... which means that
(a) they do in fact have control over whether that user's credentials
get yanked or not, and (b) the message didn't originate outside of their
service.

This has been going on for 4 years, and I'm tired of their shirking
their responsibility.

We don't have a lot of users, so I'd be happy to blacklist Yahoo! until
they clean up their act... unfortunately a couple of correspondents to
this domain are Yahoo! users.

So what is the best course of action to take against Yahoo!?

I filed an IC3 complaint against them for passing phishing and operating
an Open Relay, but nothing came of it.

How has everyone else made their peace with this?

Thanks,

-Philip

Re: More of a philosophical question

2009-11-11 Thread John Hardin

On Wed, 11 Nov 2009, Philip A. Prindeville wrote:


This isn't so much of a technical question as a policy one.

I get a lot of spam which looks like:

Return-Path: evan_law...@davidark.net
Received: from web.biz.mail.sk1.yahoo.com (web.biz.mail.sk1.yahoo.com 
[74.6.114.43])
   by mail.redfish-solutions.com (8.14.3/8.14.3) with SMTP id nA8KXHbF007914
   for philipp_s...@redfish-solutions.com; Sun, 8 Nov 2009 13:33:23 -0700
Received: (qmail 77790 invoked by uid 60001); 8 Nov 2009 20:33:17 -
Message-ID: 223519.76757...@web.biz.mail.sk1.yahoo.com

Received: from [41.207.162.4] by web.biz.mail.sk1.yahoo.com via HTTP; Sun, 
08 Nov 2009 12:33:16 PST
X-Mailer: YahooMailClassic/8.1.6 YahooMailWebService/0.7.347.3
Date: Sun, 8 Nov 2009 12:33:16 -0800 (PST)
From: Evan Lawson evan_law...@davidark.net
Subject: Hello Dear Friend
To: undisclosed recipients: ;
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii

And I report this to Yahoo!.  They then answer:


...basically we don't care.


It's also factually incorrect.  The message didn't originate outside of
their service, since the line Received: ... via HTTP is basically
meaningless.  HTTP isn't a mail protocol.  This tells me that the
message originated via a Webmail submission on their website, which
means that someone had to log in with credentials... which means that
(a) they do in fact have control over whether that user's credentials
get yanked or not, and (b) the message didn't originate outside of their
service.


And they ignore you when you point this out to them?


We don't have a lot of users, so I'd be happy to blacklist Yahoo! until
they clean up their act... unfortunately a couple of correspondents to
this domain are Yahoo! users.

So what is the best course of action to take against Yahoo!?


Nuke them from orbit?

I've given up on reporting abuse to Yahoo!, it's too much work for too 
little result.


You could MTA reject Yahoo! webmail that has
   To: undisclosed recipients:

That probably wouldn't impact your users _too_ much.

--
 John Hardin KA7OHZ                      http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  The yardstick you should use when considering whether to support a
  given piece of legislation is "what if my worst enemy is chosen to
  administer this law?"
---
 Today: Veterans Day

Re: [sa] More of a philosophical question

2009-11-11 Thread Charles Gregory

On Wed, 11 Nov 2009, Philip A. Prindeville wrote:

Return-Path: evan_law...@davidark.net
Received: from web.biz.mail.sk1.yahoo.com 


The 'not from our server' response makes me think that Yahell needs
to update their e-mail response robot.

A while ago Yahell started partnering with companies like Rogers telecom 
here in Ontario, so that they were the e-mail 'provider' for any of Rogers 
DSL customers, many of whom have addresses at domains *other* than Yahell. 
I would suspect that they adjusted their mail interface to allow custom 
envelope senders from these sources, but did not update their robot to 
handle the case where Return-Path is not a Yahoo address.


Either that or the server name is 'new' and not handled by the robot.
Either way, I would find a way to MUNG the contents of the e-mail 
sufficiently that Yahoo can no longer 'parse' the headers and 'auto 
respond'. Then you might get a human to look at it MAYBE. :)


- Charles


Re: sought rules

2009-11-11 Thread Justin Mason
Hi guys --

the problem is that SOUGHT uses gigabytes of private mail, so running
that on a shared host is not viable. Currently we don't have anything
like that I can use :(

On Wednesday, November 11, 2009, George R. Kasica geor...@netwrx1.com wrote:
On Wed, 11 Nov 2009 12:09:09 -0500, you wrote:

Hi,

 Yep -- sorry -- I got to reboot the server, but it appears to have not
 fixed the problem.
 Right now I'm not likely to be able to perform more investigation for a week
 or two. :(

 Sorry about this -- the perils of volunteer infrastructure!

Where is it physically located? Isn't there someone in the area that
you trust, or could trust, to go and fix it? I guess if there was, you
would have done that, but I'm sure you could find some volunteers to
put it up in a more centrally-located or managed location for the
future, if you'd like.

Off-site backup? At the least, I'm sure someone could contribute
there. I've got a few servers, and would be happy to provide remote
ssh/rsync access to someone, should you like.

 True...what do you need to host this thing...if I can help out with
 space/bandwidth I'd be willing. I've got a couple linux boxes here
 that I could give you some space on.

 George
 --
 ===[George R. Kasica]===        +1 262 677 0766
 President                       +1 206 374 6482 FAX
 Netwrx Consulting Inc.          Jackson, WI USA
 http://www.netwrx1.com
 geor...@netwrx1.com
 ICQ #12862186



-- 
--j.


Re: More of a philosophical question

2009-11-11 Thread Mark Martinec
On Wednesday November 11 2009 22:33:12 Philip A. Prindeville wrote:
 This isn't so much of a technical question as a policy one.
 
 I get a lot of spam which looks like:
 
 Return-Path: evan_law...@davidark.net
 Received: from web.biz.mail.sk1.yahoo.com
  (web.biz.mail.sk1.yahoo.com [74.6.114.43])

$ whois 74.6.114.43

OrgName:Inktomi Corporation
OrgID:  INKT   
Address:701 First Ave  
City:   Sunnyvale  
StateProv:  CA 
PostalCode: 94089  
Country:US 

NetRange:   74.6.0.0 - 74.6.255.255
CIDR:   74.6.0.0/16
NetName:INKTOMI-BLK-6  


The IP address is not registered as belonging to Yahoo.
The message is also missing their DKIM and DK signatures.


John Hardin  writes:
 I've given up on reporting abuse to Yahoo!, it's too much work
 for too little result.

I'm regularly reporting fraud mail (don't care for spam, just fraud)
confirmed to be from Yahoo! by their valid DKIM signature and
from their IP address space, and practically all my reports
receive a positive acknowledgement - with rare exceptions, possibly
due to handling by different/new(?) helpdesk operators.

  Mark


Re: [Fwd: Re: Getting off the Cloudmark formerly spamnet blacklist]

2009-11-11 Thread Ted Mittelstaedt

Giampaolo Tomassoni wrote:

Michael Scheidell wrote:

...omissis...

If our clients were DELIBERATELY spamming, say they thought they
were going to send out a marketing mail or some such, then you
would be correct.

But they were not.  They were simply using the largest software
company on Earth's products - Microsoft - like everyone else in the
world who has those products do.

I have a Mac G4 running OSX sitting on my desk here, next to my
Windows box.  I also have a FreeBSD system running FreeBSD6 and
Firefox 3 in the other room.

On either of those systems I could have done EXACTLY THE SAME THING
that the user at this client who got cracked into did - I could
have opened the same e-mails, gone to the same websites, etc. - and
I WOULDN'T have been cracked.

So, explain again why this was THEIR fault?  Don't you think that
the botnet writer has just a tiny tiny bit of blame here?  What
about the software developer being paid more money than God sitting
up in a nice comfortable office in Redmond who wrote that piece of
shit that our client was using, and included dozens of security
holes that are exploited by botnet writers, don't you think that HE
has just a tiny tiny bit of culpability?

Every other current production operating system on the face of the
earth doesn't seem to be regularly hijacked by spammers.  So, why
are you going to give Microsoft a pass?

Why exactly is it that when a user of Microsoft Windows doesn't
apply patches that it's their fault when their system is cracked?
What exactly do you think a patch IS?  If their system had been
written properly in the beginning it wouldn't need to be patched.
If they weren't logged in as administrator - which is necessary for
Windows desktop systems since most Windows software developers are
shit-ass lazy bastards who ignore the Microsoft directives about
writing usermode programs so they don't have to run as the root, I
mean administrative, user to get any functionality out of them -
then even if they had been cracked it would only be their profile
trashed, and the bot wouldn't go any further.

If you write software for Apple and you do it in such a way that
your MacOS X software requires root access to run, then if your
software gets ANY amount of visibility, you will get a call from
Apple politely trying to educate you, and if you ignore this then
they get nasty, and if you ignore that, then they publicly speak
against your software - and then all the Apple users will stop
buying your shit, and you will be out of business.

What, you think Microsoft has LESS pull than Apple in this area,
and couldn't do the same thing?

In the last 3-4 years there have been fewer than 5 root-exploitable
holes in Apache - which is arguably the most popular UNIX program
ever, and is installed on the most Unix systems in the world - yet
Apache isn't even installed on all of them.  I can't remember when
the last root-exploit came out for a program that is enabled on
FreeBSD out of the box - it might have been the Telnet bug so many
years ago.

Yet, every week there are DOZENS of security patches that MS releases
for XP and Vista and soon, Windows 7.

So, please save your moralizing.  Microsoft is the richest software
company in the world, they get PAID REAL MONEY by everyone that
uses their crap - yet they can't produce a secure OS to save their
lives.  By contrast, Debian, Ubuntu, FreeBSD, OpenBSD - all UNPAID,
and all ROUTINELY release OSes that are not attackable by botnets.
And Apple used FreeBSD as its base for Darwin - and they ALSO have
no problems in this regard either.  Please, name 5 viruses that
routinely attack MacOSX.

Our clients retain outside expertise because THEY KNOW THEY ARE
BONEHEADS when it comes to software.  And, you're expecting boneheads
to actually see through the ten thousand tons of marketing
BULLCRAP that Microsoft's bowel movements dump on the business world
every year, claiming their stuff is so great, so secure, so
all-fired-wonderful?

You say the world really needs to protect itself from botnets?
Jesus, I think the world REALLY needs to protect itself from
MICROSOFT.  They OBVIOUSLY have absolutely NO SENSE WHATSOEVER of
responsibility for the piece-o-shit, holey as Swiss cheese,
crapware that they stick up the collective ass of the world's
businesses every year.

I can almost excuse the botnet writers - they at least are amoral
sociopaths and are doing EXACTLY as I would expect criminals to
behave.  But, Microsoft couldn't be more two-faced if every one of
their employees had eyes, ears, nose and a mouth on the back of
their heads.  They EVEN HAD a secure security model - remember NT
3.51?  You know, the ONLY version of Windows where ring 0 was
separated from usermode programs?  And they chucked that out with
NT4 when they pushed the video system into ring 0 so that crap-ass
games could run faster.  Who cares that it allowed malware to take
over the system.

Michael, get some perspective, 

Re: sought rules

2009-11-11 Thread LuKreme
On 11-Nov-2009, at 11:37, George R. Kasica wrote:
 True...what do you need to host this thing...if I can help out with
 space/bandwidth I'd be willing. I've got a couple linux boxes here
 that I could give you some space on.

I've got a pretty solid business-cable connection at home and my server is up 
pretty much 24/7/365, depending on bandwidth I could donate some. (I've got 
about 3Mb up)

-- 
But you read a lot of books, I'm thinking. Hard to have faith,
ain't it, when you've read too many books?



Re: [Fwd: Re: Getting off the Cloudmark formerly spamnet blacklist]

2009-11-11 Thread LuKreme
On 11-Nov-2009, at 18:34, Ted Mittelstaedt wrote:
 I will point out that MacOS 7, os8 & os9 were HIGHLY virus-prone,
 yet there were far fewer of them than OSX today.


Er… that is simply not true. Not in any way.

As I recall, there were a total of 31 viruses for System 7 and one CD-ROM worm 
for System 8/9 (Autostart Worm).


-- 
Strange things are afoot at the Circle K



Re: More of a philosophical question

2009-11-11 Thread LuKreme
On 11-Nov-2009, at 14:33, Philip A. Prindeville wrote:
 And I report this to Yahoo!


Yahoo is more and more like hotmail.  I simply bin everything, mark them up, 
and recommend that people stop using them. They are extremely difficult to work 
with, seem to be staffed by total morons (as in your case where they can't even 
tell that the spam originated from their servers), and don't give a crap about 
their users spamming through them.

-- 
'I knew the two of you would get along like a house on fire.' Screams, flames, 
people running for safety... --Pyramids



Re: More of a philosophical question

2009-11-11 Thread RW
On Thu, 12 Nov 2009 01:45:00 +0100
Mark Martinec mark.martinec...@ijs.si wrote:


 The IP address is not registered as belonging to Yahoo.
 The message is also missing their DKIM and DK signatures.

OTOH it does have full-circle dns that ends in yahoo.com.
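
Mark's observation (whois says Inktomi, no DKIM signature) and RW's remark (reverse DNS ends in yahoo.com) are the two checks a receiving site can automate before deciding whether a hop really came from a given provider. The script below is an added example, not code from the thread or from SpamAssassin: it pulls the handing-off IP out of the topmost Received: header, does forward-confirmed reverse DNS on it (PTR, then A, and keep only names that point back), and reads the d= tag of any DKIM-Signature header. The message text and the DNS answer tables are constructed for the demo so it runs off-line; the resolver callbacks are my own design, and live_resolvers() is the assumed swap-in for real lookups. It reads the signing domain only; verifying the signature would need the selector's public key from DNS and a library such as dkimpy.

```python
import re
import socket
from email import message_from_string

# Constructed sample, modelled on the Received: line quoted in the thread.
# Sender, recipient, queue id and Message-ID are invented for the demo.
SAMPLE_MESSAGE = """\
Return-Path: <sender@example.net>
Received: from web.biz.mail.sk1.yahoo.com
\t(web.biz.mail.sk1.yahoo.com [74.6.114.43])
\tby mx.example.org (Postfix) with SMTP id 0123456789
\tfor <victim@example.org>; Wed, 11 Nov 2009 22:33:12 +0100
Message-ID: <constructed-0001@example.net>
From: sender@example.net
To: victim@example.org
Subject: constructed sample

Hello.
"""

# Same headers, handing-off IP replaced by a TEST-NET address whose PTR
# (in the fake zone below) names a yahoo.com host that does not point back.
FORGED_RDNS_MESSAGE = SAMPLE_MESSAGE.replace("[74.6.114.43]", "[192.0.2.10]")

# Same message with a DKIM-Signature header; bh= and b= are placeholders,
# not a real signature, because only the d= tag is read here.
SIGNED_MESSAGE = (
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com;\n"
    "\ts=s1024; h=From:To:Subject; bh=PLACEHOLDER; b=PLACEHOLDER\n"
    + SAMPLE_MESSAGE
)

# Postfix/Sendmail style: "from HELO (rdns-as-seen-by-our-MTA [ip])"
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]()]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\)")
DKIM_D_RE = re.compile(r"(?:^|;)\s*d\s*=\s*([^;\s]+)")


def first_hop(message_text):
    """(helo, rdns as logged, ip) from the topmost Received: header, i.e. the
    one our own MX wrote; deeper Received: lines are sender-controlled."""
    received = message_from_string(message_text).get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_RE.search(" ".join(received[0].split()))  # unfold first
    return (m.group("helo"), m.group("rdns"), m.group("ip")) if m else None


def fcrdns(ip, ptr_lookup, addr_lookup):
    """Forward-confirmed reverse DNS: PTR names that resolve back to ip."""
    return sorted(n.rstrip(".").lower() for n in ptr_lookup(ip)
                  if ip in addr_lookup(n))


def registrable_domain(hostname):
    """Last two labels; a real deployment would use the public suffix list."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-2:])


def dkim_signing_domains(message_text):
    """d= tags of all DKIM-Signature headers (presence only, no verification)."""
    sigs = message_from_string(message_text).get_all("DKIM-Signature") or []
    found = [DKIM_D_RE.search(" ".join(s.split())) for s in sigs]
    return [m.group(1).lower() for m in found if m]


def assess_first_hop(message_text, expected_domain, ptr_lookup, addr_lookup):
    hop = first_hop(message_text)
    if hop is None:
        return {"verdict": "no_received_header"}
    helo, _logged, ip = hop
    names = fcrdns(ip, ptr_lookup, addr_lookup)
    rdns_ok = any(registrable_domain(n) == expected_domain.lower() for n in names)
    signed = expected_domain.lower() in dkim_signing_domains(message_text)
    verdict = ("confirmed_and_signed" if rdns_ok and signed
               else "confirmed_unsigned" if rdns_ok else "unconfirmed")
    return {"ip": ip, "helo": helo, "fcrdns_names": names,
            "rdns_in_expected_domain": rdns_ok,
            "dkim_signed_by_expected_domain": signed, "verdict": verdict}


# Constructed DNS answers so the demo runs off-line: 74.6.114.43 forward-confirms
# (RW's "full-circle dns"); 192.0.2.10 claims the same PTR but does not.
FAKE_PTR = {"74.6.114.43": ["web.biz.mail.sk1.yahoo.com"],
            "192.0.2.10": ["web.biz.mail.sk1.yahoo.com"]}
FAKE_A = {"web.biz.mail.sk1.yahoo.com": ["74.6.114.43"]}


def fake_ptr(ip):
    return FAKE_PTR.get(ip, [])


def fake_addr(name):
    return FAKE_A.get(name.rstrip(".").lower(), [])


def live_resolvers():
    """Real lookups via the socket module, for on-line use (assumed swap-in)."""
    def ptr(ip):
        try:
            host, aliases, _ = socket.gethostbyaddr(ip)
            return [host] + aliases
        except OSError:
            return []

    def addr(name):
        try:
            return socket.gethostbyname_ex(name)[2]
        except OSError:
            return []
    return ptr, addr


if __name__ == "__main__":
    for label, text in (("thread sample", SAMPLE_MESSAGE),
                        ("forged rdns", FORGED_RDNS_MESSAGE),
                        ("dkim signed", SIGNED_MESSAGE)):
        print(label, assess_first_hop(text, "yahoo.com", fake_ptr, fake_addr))
```

Run as-is it uses the fake zone; pass the pair returned by live_resolvers() instead of fake_ptr/fake_addr to check a real message. The point of the forward confirmation is that a PTR record is set by whoever owns the IP, so "ends in yahoo.com" on its own proves nothing; the A record for that name is what the named domain controls. For the sample drawn from the thread the script reports a forward-confirmed yahoo.com host with no yahoo.com DKIM signature, which is exactly the ambiguity Mark and RW were arguing over.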



Re: More of a philosophical question

2009-11-11 Thread LuKreme
On 11-Nov-2009, at 17:45, Mark Martinec wrote:
 The IP address is not registered as belonging to Yahoo.
 The message is also missing their DKIM and DK signatures.


Yes it is.

Wikipedia:
After the bursting of the dot-com bubble, Inktomi was acquired by Yahoo!

-- 
i wasn't born a programmer. i became one because i was 
impatient. - Dave Winer



Re: More of a philosophical question

2009-11-11 Thread RW
On Thu, 12 Nov 2009 02:54:10 +
RW rwmailli...@googlemail.com wrote:

 On Thu, 12 Nov 2009 01:45:00 +0100
 Mark Martinec mark.martinec...@ijs.si wrote:
 
 
  The IP address is not registered as belonging to Yahoo.
  The message is also missing their DKIM and DK signatures.
 
 OTOH it does have full-circle dns that ends in yahoo.com.

I put Inktomi Corporation into Google, and it appears that they are a
software development company that's owned by Yahoo.