DNSBL Comparison 20091114

2009-11-15 Thread Warren Togami

http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
Compare this report to a similar report last month.

http://wiki.apache.org/spamassassin/NightlyMassCheck
The results below are only as good as the data submitted by nightly 
masscheck volunteers.  Please join us in nightly masschecks to increase 
the sample size of the corpora so we can have greater confidence in 
the nightly statistics.


http://ruleqa.spamassassin.org/20091114-r836144-n
Spam 131399 messages from 18 users
Ham  189948 messages from 18 users


DNSBL lastexternal by Safety

SPAM%    HAM%    RANK RULE
12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
12.3053% 0.0026% 0.94 RCVD_IN_XBL
31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
80.2578% 0.1485% 0.86 RCVD_IN_PBL
27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *

Commentary:
* PSBL and XBL lead in apparent safety.
* ANBREP was added after the October report and has made a surprisingly 
strong showing in this past month.  ANBREP is currently unavailable to 
the general public.  The list owner is thinking about going public with 
the list, which I would encourage because they are clearly doing 
something right.  It seems he would need a global network of automated 
mirrors to be able to scale.  He would also need listing/delisting 
policy clearly stated on a web page somewhere.
* SEMBLACK consistently has been performing adequately in safety while 
catching a respectable amount of spam.  I personally use this 
non-default blacklist.
* It is clear that the two main blacklists are Spamhaus and BRBL.  The 
Zen combination of Spamhaus zones is extremely effective and generally 
safe.  BRBL has a high hit rate as well, with a moderate safety rating.
* HOSTKARMA_BL ranks dead last in safety for the past several weeks in a 
row, while not being more effective against spam than PSBL, XBL or SEMBLACK.


===
HOSTKARMA_BL much better as URIBL
===
SPAM%    HAM%    RANK RULE
68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *

Commentary:
While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly 
effective as a URIBL.  This is curious as it seems it was not designed 
to be used as a URIBL.  In any case, as long as our masschecks show good 
statistics like this, I will personally use this on my own spamassassin 
server.


=
SPAMCOP Dangerous?
=
SPAM%    HAM%    RANK RULE
17.4225% 2.6076% 0.56 RCVD_IN_BL_SPAMCOP_NET *

Commentary:
Is Spamcop seriously this bad?  It consistently has shown high false 
positive rates in these past weeks.  Was it safer than this in the past 
to warrant the current high score in spamassassin-3.2.5?


Warren Togami
wtog...@redhat.com


Re: Good reasons to dont use RBLs

2009-11-15 Thread mouss
Luis Daniel Lucio Quiroz wrote:
 Hi all,
 
 Again me.  Well, in the security scope I use a principle that states that you 
 shouldn't use a lower layer solution to fix a higher one.  So SPAM is a Layer 7 
 problem that is usually fixed with a Layer 3 solution (RBL).  
 
 I'd like a brainstorm to convince people that an RBL solution is not the best at 
 stopping SPAM, and that we should look for an L7 solution such as Bayes.
 
 


If someone tries to guess a working login:pass on your server and does
this a thousand times in a short period, will you still let him continue
because passwords are L7 and the IP address is at L3?

If you want to talk about principles, then defence in depth suggests
using all your levels to block attacks.

In short, segment your zones, your diagrams, your reports, but do not
segment your defences. When you hear divide and conquer, divide the
problem, not your army. You still want to coordinate your defences so as
to increase their efficiency.

Besides, spam is at Layer PI (3.1415) ;-p

Re: DNSBL Comparison 20091114

2009-11-15 Thread Raymond Dijkxhoorn

Hi!


27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *



* It is clear that the two main blacklists are Spamhaus and BRBL.  The
Zen combination of Spamhaus zones is extremely effective and generally
safe.  BRBL has a high hit rate as well, with a moderate safety rating.


That's moderate? That you lose 1 legitimate mail per ~3000 mails 
if you start blocking with it?


I think the FP rating should be much, much lower, and like BRBL they should 
check and clean out FPs before it will be taken anything close to seriously.



===
HOSTKARMA_BL much better as URIBL
===
SPAM%    HAM%    RANK RULE
68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *


How do you check return values? There is a lot inside. If you 'just' use 
the default response you get back any spam listed on a freemail platform 
and so on. Is there no legitimate mail from those platforms? I tend to 
say, yeah right. But for the fairly limited test set it could be the case.


You have to know what's inside to make proper suggestions. If it works for 
you, sure, but will it work for others? If you care about your inbox I would 
not jump to these conclusions just now.


Just my 2 cents.

And yes, Spamcop is doing a bad job (as a BL) nowadays; I would not even 
consider rejecting on the MTA with that one. Use it to score, but don't use it 
to reject. That time is long gone. User reports do have disadvantages ;)


Bye,
Raymond.


Re: DNSBL Comparison 20091114

2009-11-15 Thread rich...@buzzhost.co.uk
On Sun, 2009-11-15 at 03:14 -0500, Warren Togami wrote:
 http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
 Compare this report to a similar report last month.
 
 http://wiki.apache.org/spamassassin/NightlyMassCheck
 The results below are only as good as the data submitted by nightly 
 masscheck volunteers.  Please join us in nightly masschecks to increase 
 the sample size of the corpora so we can have greater confidence in 
 the nightly statistics.
 
 http://ruleqa.spamassassin.org/20091114-r836144-n
 Spam 131399 messages from 18 users
 Ham  189948 messages from 18 users
 
 
 DNSBL lastexternal by Safety
 
 SPAM%    HAM%    RANK RULE
 12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
 12.3053% 0.0026% 0.94 RCVD_IN_XBL
 31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
 80.2578% 0.1485% 0.86 RCVD_IN_PBL
 27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
 19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
 90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
 13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *
 
 Commentary:
 * PSBL and XBL lead in apparent safety.
 * ANBREP was added after the October report and has made a surprisingly 
 strong showing in this past month.  ANBREP is currently unavailable to 
 the general public.  The list owner is thinking about going public with 
 the list, which I would encourage because they are clearly doing 
 something right.  It seems he would need a global network of automated 
 mirrors to be able to scale.  He would also need listing/delisting 
 policy clearly stated on a web page somewhere.
 * SEMBLACK consistently has been performing adequately in safety while 
 catching a respectable amount of spam.  I personally use this 
 non-default blacklist.
 * It is clear that the two main blacklists are Spamhaus and BRBL.  The 
 Zen combination of Spamhaus zones is extremely effective and generally 
 safe.  BRBL has a high hit rate as well, with a moderate safety rating.
 * HOSTKARMA_BL ranks dead last in safety for the past several weeks in a 
 row, while not being more effective against spam than PSBL, XBL or SEMBLACK.
 
 ===
 HOSTKARMA_BL much better as URIBL
 ===
 SPAM%    HAM%    RANK RULE
 68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *
 
 Commentary:
 While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly 
 effective as a URIBL.  This is curious as it seems it was not designed 
 to be used as a URIBL.  In any case, as long as our masschecks show good 
 statistics like this, I will personally use this on my own spamassassin 
 server.
 
 =
 SPAMCOP Dangerous?
 =
 SPAM%    HAM%    RANK RULE
 17.4225% 2.6076% 0.56 RCVD_IN_BL_SPAMCOP_NET *
 
 Commentary:
 Is Spamcop seriously this bad?  It consistently has shown high false 
 positive rates in these past weeks.  Was it safer than this in the past 
 to warrant the current high score in spamassassin-3.2.5?
 
 Warren Togami
 wtog...@redhat.com

Is it not a bit flawed to do the metrics on volunteer submissions, given
that Spamhaus is said to have a small army of them? It means the data
cannot be relied upon as any kind of sensible comparison.

Re: DNSBL Comparison 20091114

2009-11-15 Thread Henrik K
On Sun, Nov 15, 2009 at 10:08:45AM +0100, Raymond Dijkxhoorn wrote:
 ===
 HOSTKARMA_BL much better as URIBL
 ===
 SPAM%    HAM%    RANK RULE
 68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *

 How do you check return values? There is a lot inside. If you 'just' use  
 the default response you get back any spam listed on a freemail platform  
 and so on. Is there no legitimate mail from those platforms? I tend to  
 say, yeah right. But for the fairly limited test set it could be the 
 case.

I tried reading this several times, but I'm still not sure what you are
getting at.

http://svn.apache.org/viewvc/spamassassin/trunk/rulesrc/sandbox/wtogami/20_bug_6212_hostkarma.cf?view=markup

Personally URIBL_HOSTKARMA_FRESH_2D is working great here with 0.99 S/O. But
as we know, hostkarma results might fluctuate from time to time given its
nature.

Anyways, it's a fact that SA mass checks can't measure things accurately,
since not everyone uses the REUSE mass check feature. Checking weeks old
corpuses against live BLs isn't exactly good science. And things like
FRESH_2D are impossible to rate that way.
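Raymond's question about return values and Henrik's per-subtest rules both come down to how a multi-purpose list's answers are interpreted. The Python below is an added example, not code from this thread or from SpamAssassin; the zone name bl.example.test, the sub-code table and the canned DNS answers are constructed stand-ins so it runs offline, and a real list's documented codes must be substituted before use. It builds the reversed-octet RBL query name and the host-based URIBL query name, then contrasts the "any answer means listed" policy with a sub-code policy that only counts the code chosen as blacklist.

```python
import ipaddress
from typing import Callable, Dict, Iterable, List, Set

# Hypothetical zone and a constructed sub-code table. A real multi-purpose
# list documents its own 127.0.0.x codes; read them before deciding which
# ones should reject and which should merely score.
ZONE = "bl.example.test"
SUBCODES: Dict[str, str] = {
    "127.0.0.1": "white",    # sender the list operator trusts
    "127.0.0.2": "black",    # spam source
    "127.0.0.3": "yellow",   # mixed traffic, e.g. a freemail platform
    "127.0.0.4": "brown",
    "127.0.0.5": "nobl",     # listed so that other lists do not block it
}

# Constructed A-record answers so the example runs without network access.
# Names not present resolve to [] (the NXDOMAIN case: not listed at all).
FAKE_DNS: Dict[str, List[str]] = {
    "10.2.0.192.bl.example.test": ["127.0.0.2"],          # plain spam source
    "20.2.0.192.bl.example.test": ["127.0.0.3"],          # freemail relay
    "30.2.0.192.bl.example.test": ["127.0.0.1"],          # whitelisted host
    "freemail.example.bl.example.test": ["127.0.0.3"],
    "phish.example.bl.example.test": ["127.0.0.2", "127.0.0.5"],
}

Resolver = Callable[[str], List[str]]


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for an A-record lookup of the DNSBL query name."""
    return FAKE_DNS.get(name, [])


def rbl_query_name(client_ip: str, zone: str) -> str:
    """RBL lookups reverse the client's octets: 192.0.2.10 -> 10.2.0.192.<zone>."""
    octets = ipaddress.IPv4Address(client_ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone


def uribl_query_name(host: str, zone: str) -> str:
    """URIBL lookups use the host name taken from the URI itself, normalised."""
    return host.strip().rstrip(".").lower() + "." + zone


def listed_any(answers: Iterable[str]) -> bool:
    """'Default response' policy: any A record at all counts as a hit, so
    whitelist and yellow answers are treated exactly like black ones."""
    return bool(list(answers))


def listed_sub(answers: Iterable[str], wanted: Set[str]) -> bool:
    """Sub-test policy: count only the codes you have decided mean 'hit',
    the way a per-code rule does. Unknown codes never count."""
    return any(SUBCODES.get(a) in wanted for a in answers)


def check_client(client_ip: str, resolver: Resolver = fake_resolve) -> Dict[str, object]:
    """Evaluate one connecting client under both policies side by side."""
    answers = resolver(rbl_query_name(client_ip, ZONE))
    return {
        "codes": [SUBCODES.get(a, "unknown:" + a) for a in answers],
        "hit_any": listed_any(answers),
        "hit_black": listed_sub(answers, {"black"}),
    }


def check_uris(hosts: Iterable[str], resolver: Resolver = fake_resolve) -> Dict[str, bool]:
    """Evaluate URI hosts found in a body under the sub-code policy only."""
    return {h: listed_sub(resolver(uribl_query_name(h, ZONE)), {"black"}) for h in hosts}


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30", "192.0.2.99"):
        print(ip, check_client(ip))
    print(check_uris(["freemail.example", "Phish.Example.", "unknown.example"]))
```

The whitelisted host 192.0.2.30 is the case Raymond is pointing at: under the "any answer" policy it scores as listed even though the list is vouching for it.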



Cluster/Clone spamassassin node

2009-11-15 Thread ewreg

Good morning,

I am preparing an environment with more than 10 SpamAssassin nodes. I am
wondering what kind of software you use to clone the OS and the SpamAssassin
application to the other machines. I am going to use Debian; I found FAI, but it
won't migrate the SA database, so it isn't the best choice.

What is your experience?


Best regards,
E.



Re: Cluster/Clone spamassassin node

2009-11-15 Thread Patrick Ben Koetter
* ewreg ew-...@mailbox.com.pl:
 
 Good morning,
 
 I am preparing an environment with more than 10 SpamAssassin nodes. I am
 wondering what kind of software you use to clone the OS and the SpamAssassin
 application to the other machines. I am going to use Debian; I found FAI, but it
 won't migrate the SA database, so it isn't the best choice.

We use cfengine to install, configure software and also to check for
compliance. 

As for databases I recommend using a SQL backend and having the SQL
servers in some sort of HA master-slave setup.

p...@rick


-- 
state of mind
Digitale Kommunikation

http://www.state-of-mind.de

Franziskanerstraße 15  Telefon +49 89 3090 4664
81669 München  Telefax +49 89 3090 4666

Amtsgericht München  Partnerschaftsregister PR 563



Re: DNSBL Comparison 20091114

2009-11-15 Thread Marc Perkel



Warren Togami wrote:
http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e 


Compare this report to a similar report last month.

http://wiki.apache.org/spamassassin/NightlyMassCheck
The results below are only as good as the data submitted by nightly 
masscheck volunteers.  Please join us in nightly masschecks to 
increase  the sample size of the corpora so we can have greater 
confidence in the nightly statistics.


http://ruleqa.spamassassin.org/20091114-r836144-n
Spam 131399 messages from 18 users
Ham  189948 messages from 18 users


DNSBL lastexternal by Safety

SPAM%    HAM%    RANK RULE
12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
12.3053% 0.0026% 0.94 RCVD_IN_XBL
31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
80.2578% 0.1485% 0.86 RCVD_IN_PBL
27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *

Commentary:
* PSBL and XBL lead in apparent safety.
* ANBREP was added after the October report and has made a 
surprisingly strong showing in this past month.  ANBREP is currently 
unavailable to the general public.  The list owner is thinking about 
going public with the list, which I would encourage because they are 
clearly doing something right.  It seems he would need a global 
network of automated mirrors to be able to scale.  He would also need 
listing/delisting policy clearly stated on a web page somewhere.
* SEMBLACK consistently has been performing adequately in safety while 
catching a respectable amount of spam.  I personally use this 
non-default blacklist.
* It is clear that the two main blacklists are Spamhaus and BRBL.  The 
Zen combination of Spamhaus zones is extremely effective and generally 
safe.  BRBL has a high hit rate as well, with a moderate safety rating.
* HOSTKARMA_BL ranks dead last in safety for the past several weeks in 
a row, while not being more effective against spam than PSBL, XBL or 
SEMBLACK.


===
HOSTKARMA_BL much better as URIBL
===
SPAM%    HAM%    RANK RULE
68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *

Commentary:
While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is 
surprisingly effective as a URIBL.  This is curious as it seems it was 
not designed to be used as a URIBL.  In any case, as long as our 
masschecks show good statistics like this, I will personally use this 
on my own spamassassin server.


=
SPAMCOP Dangerous?
=
SPAM%    HAM%    RANK RULE
17.4225% 2.6076% 0.56 RCVD_IN_BL_SPAMCOP_NET *

Commentary:
Is Spamcop seriously this bad?  It consistently has shown high false 
positive rates in these past weeks.  Was it safer than this in the 
past to warrant the current high score in spamassassin-3.2.5?


Warren Togami
wtog...@redhat.com



All I can say is that if your results were typical then we would be out 
of business. Your results are inconsistent with two other comparison lists.


http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_JMF_BL.html
http://www.sdsc.edu/~jeff/spam/cbc.html

Additionally results vary depending on where you get your spam from and 
if the people spamming you are also spamming us. One of the ways we 
improve results is if someone is using our list then they should also 
add tarbaby.junkemailfilter.com as their highest MX record, because that 
way the list can pick up those who are spamming you and tune itself to 
add your spam to our list.


I also doubt we are as good of a URIBL as your results indicate. I'm 
thinking we got lucky on your test somehow. Although behind the scenes 
we do feed a lot of data to other RBL people, so maybe it's related somehow.


Not to discredit your fine work. All results are interesting. 
Understanding the results is often the tricky part.



Re: Cluster/Clone spamassassin node

2009-11-15 Thread ewreg

We use cfengine to install, configure software and also to check for
compliance. 

As I see it, I can install software via cfengine. But can I make a mirror
with cfengine? I would like to clone some local files to all n servers. I
think it can't be done with the help of this software.

TiA,
E.





Re: Cluster/Clone spamassassin node

2009-11-15 Thread Mike Cardwell
ewreg wrote:

 We use cfengine to install, configure software and also to check for
 compliance. 
 
 As I see it, I can install software via cfengine. But can I make a mirror
 with cfengine? I would like to clone some local files to all n servers. I
 think it can't be done with the help of this software.

rsync? unison? glusterfs? GFS over DRBD? A NAS with NFS/CIFS mounts?
DropBox? s3fs? There are a million ways to share files between multiple
servers.

-- 
Mike Cardwell - IT Consultant and LAMP developer
Cardwell IT Ltd. (UK Reg'd Company #06920226) http://cardwellit.com/
Technical Blog: https://secure.grepular.com/blog/


Re: DNSBL Comparison 20091114

2009-11-15 Thread Warren Togami

On 11/15/2009 11:00 AM, Marc Perkel wrote:



Warren Togami wrote:

http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e

Compare this report to a similar report last month.

http://wiki.apache.org/spamassassin/NightlyMassCheck
The results below are only as good as the data submitted by nightly
masscheck volunteers. Please join us in nightly masschecks to increase
the sample size of the corpora so we can have greater confidence in
the nightly statistics.

http://ruleqa.spamassassin.org/20091114-r836144-n
Spam 131399 messages from 18 users
Ham 189948 messages from 18 users


DNSBL lastexternal by Safety

SPAM% HAM% RANK RULE
12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
12.3053% 0.0026% 0.94 RCVD_IN_XBL
31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
80.2578% 0.1485% 0.86 RCVD_IN_PBL
27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *

Commentary:
* PSBL and XBL lead in apparent safety.
* ANBREP was added after the October report and has made a
surprisingly strong showing in this past month. ANBREP is currently
unavailable to the general public. The list owner is thinking about
going public with the list, which I would encourage because they are
clearly doing something right. It seems he would need a global network
of automated mirrors to be able to scale. He would also need
listing/delisting policy clearly stated on a web page somewhere.
* SEMBLACK consistently has been performing adequately in safety while
catching a respectable amount of spam. I personally use this
non-default blacklist.
* It is clear that the two main blacklists are Spamhaus and BRBL. The
Zen combination of Spamhaus zones is extremely effective and generally
safe. BRBL has a high hit rate as well, with a moderate safety rating.
* HOSTKARMA_BL ranks dead last in safety for the past several weeks in
a row, while not being more effective against spam than PSBL, XBL or
SEMBLACK.

===
HOSTKARMA_BL much better as URIBL
===
SPAM% HAM% RANK RULE
68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *

Commentary:
While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is
surprisingly effective as a URIBL. This is curious as it seems it was
not designed to be used as a URIBL. In any case, as long as our masschecks
show good statistics like this, I will personally use this on my own
spamassassin server.

=
SPAMCOP Dangerous?
=
SPAM% HAM% RANK RULE
17.4225% 2.6076% 0.56 RCVD_IN_BL_SPAMCOP_NET *

Commentary:
Is Spamcop seriously this bad? It consistently has shown high false
positive rates in these past weeks. Was it safer than this in the past
to warrant the current high score in spamassassin-3.2.5?

Warren Togami
wtog...@redhat.com



 All I can say is that if your results were typical then we would be out
 of business. Your results are inconsistent with two other comparison lists.

 http://www.intra2net.com/en/support/antispam/blacklist.php_dnsbl=RCVD_IN_JMF_BL.html

http://ruleqa.spamassassin.org/20091114-r836144-n
http://www.intra2net.com/en/support/antispam/index.php
Both of these sites show roughly similar FP rates.  Both sites show 
nearly 0% PSBL and ~0.5% HOSTKARMA.

 http://www.sdsc.edu/~jeff/spam/cbc.html

This page says nothing about FP's.

 I also doubt we are as good of a URIBL as your results indicate. I'm
 thinking we got lucky on your test somehow. Although behind the scenes
 we do feed a lot of data to other RBL people so maybe it's related somehow.

It seems that your list was not meant to be a URIBL (it isn't 
documented as such), but Henrik suggested adding that testing rule to our 
weekly masschecks.  The URIBL results have been pretty consistent for 
weeks now.  Yes, perhaps this is luck.


Warren


balancechecker.zip balancechecker.exe

2009-11-15 Thread rich...@buzzhost.co.uk
Is anyone else seeing an influx of spam with a zip attachment
balancechecker.zip?

This contains a Windows executable, balancechecker.exe, which appears to
be testing clean with clam and others.

I'm inclined to think it's *not* clean and is viral.

EXAMPLE
http://pastebin.com/m730f90e9



Re: Cluster/Clone spamassassin node

2009-11-15 Thread Patrick Ben Koetter
* ewreg ew-...@mailbox.com.pl:
 
 We use cfengine to install, configure software and also to check for
 compliance. 
 
 As I see, I can install software over the cfengine. But can I make mirror
 with cfengine? I would like to clone some local files to all n-servers. I
 think it can't be done with the help of this software.

AFAIK you can't. It's a one-server-to-n-clients rollout strategy. But there's
an enormous number of alternatives, starting from rsync to cluster filesystem
solutions, as others have already pointed out.

Another concept may be to have the clients load their config from a database.
You can't load everything this way, but it may suffice. It depends on your
setup.

You may want to let us in on the details and we may be of better help.

p...@rick




Re: balancechecker.zip balancechecker.exe

2009-11-15 Thread Benny Pedersen

On Sun 15 Nov 2009 18:47:49 CET, rich...@buzzhost.co.uk wrote:

http://pastebin.com/m730f90e9


winnow.malware.8163


--
xpoint



Re: DNSBL Comparison 20091114

2009-11-15 Thread Justin Mason
On Sun, Nov 15, 2009 at 08:53, rich...@buzzhost.co.uk
rich...@buzzhost.co.uk wrote:
 On Sun, 2009-11-15 at 03:14 -0500, Warren Togami wrote:
 http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
 Compare this report to a similar report last month.

 http://wiki.apache.org/spamassassin/NightlyMassCheck
 The results below are only as good as the data submitted by nightly
 masscheck volunteers.  Please join us in nightly masschecks to increase
 the sample size of the corpora so we can have greater confidence in
 the nightly statistics.

 http://ruleqa.spamassassin.org/20091114-r836144-n
 Spam 131399 messages from 18 users
 Ham  189948 messages from 18 users

 
 DNSBL lastexternal by Safety
 
 SPAM%    HAM%    RANK RULE
 12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
 12.3053% 0.0026% 0.94 RCVD_IN_XBL
 31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
 80.2578% 0.1485% 0.86 RCVD_IN_PBL
 27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
 19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
 90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
 13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *

 Commentary:
 * PSBL and XBL lead in apparent safety.
 * ANBREP was added after the October report and has made a surprisingly
 strong showing in this past month.  ANBREP is currently unavailable to
 the general public.  The list owner is thinking about going public with
 the list, which I would encourage because they are clearly doing
 something right.  It seems he would need a global network of automated
 mirrors to be able to scale.  He would also need listing/delisting
 policy clearly stated on a web page somewhere.
 * SEMBLACK consistently has been performing adequately in safety while
 catching a respectable amount of spam.  I personally use this
 non-default blacklist.
 * It is clear that the two main blacklists are Spamhaus and BRBL.  The
 Zen combination of Spamhaus zones is extremely effective and generally
 safe.  BRBL has a high hit rate as well, with a moderate safety rating.
 * HOSTKARMA_BL ranks dead last in safety for the past several weeks in a
 row, while not being more effective against spam than PSBL, XBL or SEMBLACK.

 ===
 HOSTKARMA_BL much better as URIBL
 ===
 SPAM%    HAM%    RANK RULE
 68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *

 Commentary:
 While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly
 effective as a URIBL.  This is curious as it seems it was not designed
 to be used as a URIBL.  In any case, as long as our masschecks show good
 statistics like this, I will personally use this on my own spamassassin
 server.

 =
 SPAMCOP Dangerous?
 =
 SPAM%    HAM%    RANK RULE
 17.4225% 2.6076% 0.56 RCVD_IN_BL_SPAMCOP_NET *

 Commentary:
 Is Spamcop seriously this bad?  It consistently has shown high false
 positive rates in these past weeks.  Was it safer than this in the past
 to warrant the current high score in spamassassin-3.2.5?

 Warren Togami
 wtog...@redhat.com

 Is it not a bit flawed to do the metrics on volunteer submissions, given
 that Spamhaus is said to have a small army of them? It means the data
 cannot be relied upon as any kind of sensible comparison.

Please explain.  How would you suggest measuring false positives?

-- 
--j.


Re: DNSBL Comparison 20091114

2009-11-15 Thread Justin Mason
 SPAM%    HAM%    RANK RULE
 12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
 12.3053% 0.0026% 0.94 RCVD_IN_XBL
 31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
 80.2578% 0.1485% 0.86 RCVD_IN_PBL
 27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
 19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
 90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
 13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *

hi Warren --

any chance you could post the S/O ratios?  RANK is a bit unportable,
as it depends on other rules in the ruleset at the time the
measurement takes place.

--j.


Re: Good reasons to dont use RBLs

2009-11-15 Thread Arvid Picciani

Luis Daniel Lucio Quiroz wrote:

Hi all,

Again me.  Well, in the security scope I use a principle that states that you 
shouldn't use a lower layer solution to fix a higher one.  So SPAM is a Layer 7 
problem that is usually fixed with a Layer 3 solution (RBL).  

I'd like a brainstorm to convince people that an RBL solution is not the best at 
stopping SPAM, and that we should look for an L7 solution such as Bayes.




SA has no effect on L3

--
Arvid
Asgaard Technologies


Re: DNSBL Comparison 20091114

2009-11-15 Thread Warren Togami

On 11/15/2009 03:36 PM, Justin Mason wrote:

SPAM%    HAM%    RANK RULE
12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
12.3053% 0.0026% 0.94 RCVD_IN_XBL
31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
80.2578% 0.1485% 0.86 RCVD_IN_PBL
27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *


hi Warren --

any chance you could post the S/O ratios?  RANK is a bit unportable,
as it depends on other rules in the ruleset at the time the
measurement takes place.

--j.


I intentionally posted only RANK because it seems to be most influenced 
by safety, which is the goal of this particular comparison.


Warren
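Justin's request for S/O ratios and Warren's preference for RANK can be compared directly from the numbers in the report. The following Python is an added example, not code from this thread or from SpamAssassin's own mass-check tooling: it parses the rows from Warren's report (the DNSBL table plus the URIBL and SPAMCOP rows), computes S/O as spam% / (spam% + ham%), turns the HAM% column into "one FP per N ham messages" and expected FP counts for the 189948-message ham corpus, and lists the rule pairs whose order under RANK differs from their order under S/O.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Rows copied from Warren's report (DNSBL table plus the URIBL and SPAMCOP
# rows); the corpus sizes are the ones the report states.
REPORT = """\
12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
12.3053% 0.0026% 0.94 RCVD_IN_XBL
31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
80.2578% 0.1485% 0.86 RCVD_IN_PBL
27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *
68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *
17.4225% 2.6076% 0.56 RCVD_IN_BL_SPAMCOP_NET *
"""
SPAM_MESSAGES = 131399
HAM_MESSAGES = 189948

# SPAM%  HAM%  RANK  RULE  [annotation such as * or *2]
ROW_RE = re.compile(r"^\s*([\d.]+)%\s+([\d.]+)%\s+([\d.]+)\s+(\S+)")


@dataclass(frozen=True)
class RuleStats:
    rule: str
    spam_pct: float
    ham_pct: float
    rank: float

    @property
    def s_o(self) -> float:
        """S/O: the share of a rule's hits that fell on spam, computed from the
        two percentages so that the spam/ham corpus imbalance does not matter."""
        return self.spam_pct / (self.spam_pct + self.ham_pct)

    @property
    def ham_per_fp(self) -> int:
        """One legitimate message hit per roughly this many ham messages."""
        return round(100.0 / self.ham_pct)

    def expected_fps(self, ham_messages: int) -> int:
        """How many ham messages of a corpus this size the rule hit."""
        return round(ham_messages * self.ham_pct / 100.0)


def parse_report(text: str) -> List[RuleStats]:
    """Parse 'SPAM% HAM% RANK RULE' rows; lines that do not match are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            spam, ham, rank, rule = m.groups()
            rows.append(RuleStats(rule, float(spam), float(ham), float(rank)))
    return rows


def by_safety(rows: List[RuleStats]) -> List[RuleStats]:
    """Order rules by S/O, highest (cleanest per hit) first."""
    return sorted(rows, key=lambda r: r.s_o, reverse=True)


def rank_so_inversions(rows: List[RuleStats]) -> List[Tuple[str, str]]:
    """Pairs (a, b) where RANK puts a strictly above b but S/O prefers b.
    S/O rewards a high hit rate, so a broad list with more FPs can overtake
    a narrower, cleaner one; ties in RANK are not counted."""
    inversions = []
    for i, a in enumerate(rows):
        for b in rows[i + 1:]:
            hi, lo = (a, b) if a.rank >= b.rank else (b, a)
            if hi.rank != lo.rank and hi.s_o < lo.s_o:
                inversions.append((hi.rule, lo.rule))
    return inversions


def main() -> None:
    rows = parse_report(REPORT)
    print(f"{'RULE':<24} {'S/O':>7} {'1 FP per':>9} {'FPs':>5}")
    for r in by_safety(rows):
        print(f"{r.rule:<24} {r.s_o:7.4f} {r.ham_per_fp:>9} {r.expected_fps(HAM_MESSAGES):>5}")
    print("RANK vs S/O disagreements:", rank_so_inversions(rows))


if __name__ == "__main__":
    main()
```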


Re: balancechecker.zip balancechecker.exe

2009-11-15 Thread Ralph Bornefeld-Ettmann

rich...@buzzhost.co.uk wrote:

Is anyone else seeing an influx of spam with a zip attachment
balancechecker.zip?

This contains a windows executable, balancechecker.exe, which appears to
be testing clean with clam and others.

I'm inclined to think it's *not* clean and is viral.

EXAMPLE
http://pastebin.com/m730f90e9




I really do not think it is clean. It really sounds like a typical bogus 
mail.


See also here: 
http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/




Re: DNSBL Comparison 20091114

2009-11-15 Thread rich...@buzzhost.co.uk
On Sun, 2009-11-15 at 20:34 +, Justin Mason wrote:
 On Sun, Nov 15, 2009 at 08:53, rich...@buzzhost.co.uk
 rich...@buzzhost.co.uk wrote:
  On Sun, 2009-11-15 at 03:14 -0500, Warren Togami wrote:
  http://mail-archives.apache.org/mod_mbox/spamassassin-users/200910.mbox/%3c4ad11c44.9030...@redhat.com%3e
  Compare this report to a similar report last month.
 
  http://wiki.apache.org/spamassassin/NightlyMassCheck
  The results below are only as good as the data submitted by nightly
  masscheck volunteers.  Please join us in nightly masschecks to increase
  the sample size of the corpora so we can have greater confidence in
  the nightly statistics.
 
  http://ruleqa.spamassassin.org/20091114-r836144-n
  Spam 131399 messages from 18 users
  Ham  189948 messages from 18 users
 
  
  DNSBL lastexternal by Safety
  
  SPAM%    HAM%    RANK RULE
  12.8342% 0.0021% 0.94 RCVD_IN_PSBL *
  12.3053% 0.0026% 0.94 RCVD_IN_XBL
  31.2499% 0.0827% 0.87 RCVD_IN_ANBREP_BL *2
  80.2578% 0.1485% 0.86 RCVD_IN_PBL
  27.1836% 0.1985% 0.79 RCVD_IN_SORBS_DUL
  19.8213% 0.1785% 0.79 RCVD_IN_SEMBLACK *
  90.9360% 0.3854% 0.77 RCVD_IN_BRBL_LASTEXT
  13.0564% 0.4838% 0.67 RCVD_IN_HOSTKARMA_BL *
 
  Commentary:
  * PSBL and XBL lead in apparent safety.
  * ANBREP was added after the October report and has made a surprisingly
  strong showing in this past month.  ANBREP is currently unavailable to
  the general public.  The list owner is thinking about going public with
  the list, which I would encourage because they are clearly doing
  something right.  It seems he would need a global network of automated
  mirrors to be able to scale.  He would also need listing/delisting
  policy clearly stated on a web page somewhere.
  * SEMBLACK consistently has been performing adequately in safety while
  catching a respectable amount of spam.  I personally use this
  non-default blacklist.
  * It is clear that the two main blacklists are Spamhaus and BRBL.  The
  Zen combination of Spamhaus zones is extremely effective and generally
  safe.  BRBL has a high hit rate as well, with a moderate safety rating.
  * HOSTKARMA_BL ranks dead last in safety for the past several weeks in a
  row, while not being more effective against spam than PSBL, XBL or 
  SEMBLACK.
 
  ===
  HOSTKARMA_BL much better as URIBL
  ===
  SPAM%    HAM%    RANK RULE
  68.3651% 0.2806% 0.79 URIBL_HOSTKARMA_BL *
 
  Commentary:
  While HOSTKARMA_BL is pretty unsafe as a plain DNSBL, it is surprisingly
  effective as a URIBL.  This is curious as it seems it was not designed
  to be used as a URIBL.  In any case, as long as our masschecks show good
  statistics like this, I will personally use this on my own spamassassin
  server.
 
  =
  SPAMCOP Dangerous?
  =
  SPAM%    HAM%    RANK RULE
  17.4225% 2.6076% 0.56 RCVD_IN_BL_SPAMCOP_NET *
 
  Commentary:
  Is Spamcop seriously this bad?  It consistently has shown high false
  positive rates in these past weeks.  Was it safer than this in the past
  to warrant the current high score in spamassassin-3.2.5?
 
  Warren Togami
  wtog...@redhat.com
 
  Is it not a bit flawed to do the metrics on volunteer submissions, given
  that Spamhaus is said to have a small army of them? It means the data
  cannot be relied upon as any kind of sensible comparison.
 
 please explain.  How would you suggest measuring false positives?
 
Do you think that volunteer submissions are an accurate way to do them,
or do you think that is open to abuse?

For example, say I am Steve Linford with a small army of volunteers. I
get a few false positives come in from Spamhaus, and a few from SORBS.
What is my inclination when I submit the data?

It takes only a small amount of research and a trawl through the NANAE
archives to get a handle on the problem, and the general abuse and
nefarious goings on with DNSBL volunteers. It is fair to say that there
is not much love lost.

I'm not pretending I have the answers, so it's probably better to take
these lists with a large bucket of salt and find how any given DNSBL
list works for a given organisation.

In a world where presidents and world leaders in America, Zimbabwe and
Afghanistan get 'elected' on tainted data, some random RBL 'comparison'
list is trivial by comparison. It must, however, be duly remembered
that there are many competing 'sides' in the world of the DNSBLs, each
looking to discredit the other.

Perhaps Jim, as you posed the question - you have some strong feelings
on the matter that you would like to share?



Re: balancechecker.zip balancechecker.exe

2009-11-15 Thread rich...@buzzhost.co.uk
On Mon, 2009-11-16 at 00:07 +0100, Ralph Bornefeld-Ettmann wrote:
 rich...@buzzhost.co.uk wrote:
  Is anyone else seeing an influx of spam with a zip attachment
  balancechecker.zip?
  
  This contains a windows executable, balancechecker.exe, which appears to
  be testing clean with clam and others.
  
  I'm inclined to think it's *not* clean and is viral.
  
  EXAMPLE
  http://pastebin.com/m730f90e9
  
  
 
 I really do not think it is clean. It really sounds like a typical bogus 
 mail.
 
 see also here : 
 http://www.sophos.com/blogs/gc/g/2009/11/13/email-vodafone-limit-credit-balance-beware/
 
It is now starting to get picked up and I can see that it was reported
at totalvirus on Friday. Yesterday it was passing many checkers as
clean, including CLAMAV, which by its free nature finds its way into
many gateway scanners.

This morning, however, is a different tale:

balancechecker.exe: Trojan.Zbot-6437 FOUND

--- SCAN SUMMARY ---
Known viruses: 649889
Engine version: 0.95.3
Scanned directories: 0
Scanned files: 1
Infected files: 1
Data scanned: 0.02 MB
Data read: 0.02 MB (ratio 1.00:1)
Time: 2.682 sec (0 m 2 s)

Re: DNSBL Comparison 20091114

2009-11-15 Thread Res

On Mon, 16 Nov 2009, rich...@buzzhost.co.uk wrote:


safe.  BRBL has a high hit rate as well, with a moderate safety rating.


Wondered why I wasn't getting anything from mysql.com for over a week; 
BRBL has them listed :)


--
Res

What does Windows have that Linux doesn't? - One hell of a lot of bugs!