Re: UCEPROTECT questions

2009-11-27 Thread Per Jessen
Mariusz Kruk wrote:

 On Thu, 2009-11-26 at 23:20 +0100, Per Jessen wrote:
  I'm interested in people's opinion of UCEPROTECT. I'm aware of how
  it works, but even UCEPROTECT1 seems to catch an awful lot of ham,
  and I wondered if I was doing something wrong.
  
  Yes, UCEPROTECT seems to be just a big scam.
 
 A scam??  You'll have to explain that one in a bit more detail. They
 provide the data free of charge.
 
 Scam - something set up only to make money in a not-very-fair way.
 

That would seem to describe quite a few businesses I can think of :-)

[snip]
 As usual, it's not UCEPROTECT you should be swearing at, it's the
 people who use it.
 
 Yes, Them too. But the whole schema of UCEPROTECT operation stinks.
 They add people to their blacklists with no clear rules standing
 behind it. 

This is all you get:
http://www.uceprotect.net/en/index.php?m=3&s=0

If I were to publish some of our internal data, you wouldn't get any
clear information about how we collect it either.  Such lists are a
matter of trust and many people obviously trust UCEPROTECT.


/Per Jessen, Zürich



Re: UCEPROTECT questions

2009-11-27 Thread Mariusz Kruk
On Fri, 2009-11-27 at 09:12 +0100, Per Jessen wrote:
   I'm interested in people's opinion of UCEPROTECT. I'm aware of how
   it works, but even UCEPROTECT1 seems to catch an awful lot of ham,
   and I wondered if I was doing something wrong.
   Yes, UCEPROTECT seems to be just a big scam.
  A scam??  You'll have to explain that one in a bit more detail. They
  provide the data free of charge.
  Scam - something set up only to make money in a not-very-fair way.
 That would seem to describe quite a few businesses I can think of :-)

I agree ;-)
Sorry, English is not my native language so I can't be more precise
without causing further confusion about the definition itself.

 [snip]
  As usual, it's not UCEPROTECT you should be swearing at, it's the
  people who use it.
  Yes, Them too. But the whole schema of UCEPROTECT operation stinks.
  They add people to their blacklists with no clear rules standing
  behind it. 
 This is all you get:
 http://www.uceprotect.net/en/index.php?m=3&s=0
 
 If I were to publish some of our internal data, you wouldn't get any
 clear information about how we collect it either.  Such lists are a
 matter of trust and many people obviously trust UCEPROTECT.

In other words - you don't need to know, you don't want to know, you
won't know. But it's not only that. It's the whole package.
Every respectable RBL has _clear_ rules of
1. Listing
2. Escalation
3. Delisting.
In case of UCEPROTECT it's
1. We list whomever we want
2. We escalate whenever we want. And we don't give a damn whether we
block only a so-called spammer or a whole range of innocent people's
networks. Or even whole ASN-s. 
3. Give us your money!
The whole webpage says 'we are very good in blocking spam' but they
don't write about possible false positives, about which every
responsible RBL should inform.
The problem is not in the fact of running RBL as such. The problem is in
misleading people to use this service and using it to gain advantage
over people forcing them to pay money.
Let me compare it to a website. If I run a small private website on
which I write, let's say, 'Tom Cruise is a neo-Nazi', no one will
probably notice. But if I run a tabloid and I write something like that,
I'll get my ass sued off.
UCEPROTECT's case is similar - they try hard to be perceived as a
respectable company so that people use their blacklists. And therefore
raising the pressure on listed people to pay for delisting.

Oh, and BTW, http://www.uceprotect.net/en/index.php?m=2&s=0
See the 15th question's response. I don't know about you but for me
'anonymous circle of well-known people' seems kinda oxymoronic.

And another BTW. I found a mailinglist discussion about UCEPROTECT in
which you also took part (no, I wasn't looking for you :-)
http://lists.swinog.ch/public/swinog/2008-January/002432.html
Don't you think that manually adding someone to a blacklist (for free!
*evil grin*) is tampering with it without clear rules? The guy with the
autoresponder was surely causing some inconvenience but the proper
response was to notify the list owner, not to add IP to the blacklist.

-- 
[] 
[  k...@epsilon.eu.org   ] 
[ http://epsilon.eu.org/ ] 
[] 



Re: UCEPROTECT questions

2009-11-27 Thread Per Jessen
Mariusz Kruk wrote:

 Every respectable RBL has _clear_ rules of
 1. Listing

Hmm, I'm not so sure - how about spamcop, surbl, uribl, spamhaus?  Their
rules are exactly as clear or unclear as those of uceprotect. 

http://www.uceprotect.net/en/index.php?m=3&s=3

I too _would_ like to know how the data is collected, coz' that would
enable me to increase the scores (assuming I agree with the
policy/method), but the policy as described is sufficient for me to
use the data. 

 The problem is not in the fact of running RBL as such. The problem is
 in misleading people to use this service and using it to gain
 advantage over people forcing them to pay money.

How do you see UCEPROTECT misleading anyone?  I think they're actually
being more open/explicit about their policies than some providers I can
think of.

 Oh, and BTW, http://www.uceprotect.net/en/index.php?m=2&s=0
 See the 15th question's response. I don't know about you but for me
 'anonymous circle of well-known people' seems kinda oxymoronic.

Not at all.  I have a circle of friends that are well-known to me - when
I don't tell everyone who they are, they are anonymous. 

 And another BTW. I found a mailinglist discussion about UCEPROTECT in
 which you also took part (no, I wasn't looking for you :-)
 http://lists.swinog.ch/public/swinog/2008-January/002432.html
 Don't you think that manually adding someone to a blacklist (for free!
 *evil grin*) is tampering with it without clear rules? The guy with
 the autoresponder was surely causing some inconvenience but the proper
 response was to notify the list owner, not to add IP to the blacklist.

Like I said in that thread, yes, I think that is a somewhat problematic
practice - which is why I don't block with UCEPROTECT. 


/Per Jessen, Zürich



Re: UCEPROTECT questions

2009-11-27 Thread Mariusz Kruk
On Fri, 2009-11-27 at 10:31 +0100, Per Jessen wrote:
  Every respectable RBL has _clear_ rules of
  1. Listing
 Hmm, I'm not so sure - how about spamcop, surbl, uribl, spamhaus?  Their
 rules are exactly as clear or unclear as those of uceprotect. 

First of all, you have (for example on spamcop):
The SCBL is an aggressive spam-fighting tool. By using this list, you
can block a lot of spam, but you also may block or filter wanted email.
Because of this limitation, one should strongly consider using the SCBL
as part of a scoring system and explicitly whitelist wanted email
senders (e.g., mailing lists and other IPs from which you want to
receive email).
and
New users of the SCBL should read the description below and all other
documentation carefully before deciding to use the SCBL
But yes, some other RBLs also have unclear rules - I admit.
Yet, the delisting is kinda different, isn't it?
Not to mention listing only single IPs, not whole ASNs!
Yes, I use RBLs that list whole networks, but only those being DULs.
And I know what I'm doing and why I'm doing this.

  The problem is not in the fact of running RBL as such. The problem is
  in misleading people to use this service and using it to gain
  advantage over people forcing them to pay money.
 How do you see UCEPROTECT misleading anyone?  I think they're actually
 being more open/explicit about their policies than some providers I can
 think of.

Come on. Read the main page on their website. We are the good knights
in shining armour and they are all a bunch of liars.
Or. For best results against spammers you will need to use all our
Levels together
Yes, I know that braindead admins who don't know what they're doing
should get half the credit but that's how life is. And UCEPROTECT just
abuses it. IMHO

  Oh, and BTW, http://www.uceprotect.net/en/index.php?m=2&s=0
  See the 15th question's response. I don't know about you but for me
  'anonymous circle of well-known people' seems kinda oxymoronic.
 Not at all.  I have a circle of friends that are well-known to me - when
 I don't tell everyone who they are, they are anonymous. 

'well-known people' and 'people well-known by me' are two different
statements.

  And another BTW. I found a mailinglist discussion about UCEPROTECT in
  which you also took part (no, I wasn't looking for you :-)
  http://lists.swinog.ch/public/swinog/2008-January/002432.html
  Don't you think that manually adding someone to a blacklist (for free!
  *evil grin*) is tampering with it without clear rules? The guy with
  the autoresponder was surely causing some inconvenience but the proper
  response was to notify the list owner, not to add IP to the blacklist.
 Like I said in that thread, yes, I think that is a somewhat problematic
 practice - which is why I don't block with UCEPROTECT. 

Yep, me neither, but I had some cases of dimwitted admins setting up
UCEPROTECT RBL so I couldn't even contact the postmaster! (the whole /14
range my server is in is listed in level-2 - that's ridiculous).
So I advise whenever I can that people _don't_ use UCEPROTECT.

-- 
\/ 
|  k...@epsilon.eu.org   | 
| http://epsilon.eu.org/ | 
/\ 



Re: Problems sending Abuse mails to Twitter

2009-11-27 Thread Chr. von Stuckrad
On Thu, 26 Nov 2009, Ralph Bornefeld-Ettmann wrote:

 I could find your IP (82.113.106.21) on these lists :

... ... ...

 IP of your server (62.231.42.10) I found on these lists :

 blocked.secnap.net       127.0.0.2
 countries.nerd.dk        127.0.0.1
 ips.backscatterer.org    127.0.0.2

Being 'suddenly rbl'ed' seems also to happen if you create
(mostly unknowingly) lots of backscatter. So if your server
was hit by a wave of bounces for a (faked) sender who FORWARDS
AWAY from your server to e.g. google, hotmail, web.de ...
your server looks like a backscatter generator itself and
the big hosters block it.

We had this a few times already - (university scenario, lots
of users forwarding their mail 'home', i.e. freehosters) so
some students' addresses were abused as senders, backscatter
began streaming in, forwarded to hotmail (google, whatever),
and they blacklisted us for 24h or even days. For a while
we had an (on ~4h / off 24h -- repeat ad inf.) scenario because
during the 24h blocks the mail waited, then was re-enabled, then was
seen as 'flooding' - blocked again 24h ...

AND during these times we were definitely blocked from
any electronic contact to the company - and of course no
phone number given except 'User Support' (who does not
even know what an MTA might be).

So don't wonder, and maybe don't forward for a while
(asking students to NOT forward did help - implementing
one of the schemes to ALWAYS only send our OWN addresses
even when forwarding would have been better, but that's
a completely different story)

Stucki


-- 
Christoph von Stuckrad  * * |nickname |Mail stu...@mi.fu-berlin.de \
Freie Universitaet Berlin   |/_*|'stucki' |Tel(Mo.,Mi.):+49 30 838-75 459|
Mathematik  Informatik EDV |\ *|if online|  (Di,Do,Fr):+49 30 77 39 6600|
Takustr. 9 / 14195 Berlin   * * |on IRCnet|Fax(home):   +49 30 77 39 6601/
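
The last paragraph of Stucki's message refers to schemes that put the forwarder's own address on forwarded mail; the usual one is the Sender Rewriting Scheme (SRS). What follows is an added example, not code from the thread or from any of the posters: a minimal SRS0 forward/reverse in Python using the SRS0 address layout (a 4-character base64 HMAC-SHA1 tag and a 2-character base32 day timestamp, the libsrs2 defaults). The secret, domains and addresses are invented, and the 21-day validity window is an assumed policy. The point of the reverse step is the part that stops backscatter: a bounce to an SRS0 address with a bad tag or an expired timestamp is refused instead of being forwarded on to the (forged) original sender.

```python
import base64
import hashlib
import hmac
import time

# Base32 alphabet used for the two-character SRS timestamp (days mod 1024).
SRS_BASE32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"


def _timestamp(days):
    """Encode days-since-epoch modulo 1024 as two base32 characters."""
    d = days % 1024
    return SRS_BASE32[(d >> 5) & 31] + SRS_BASE32[d & 31]


def _timestamp_days(ts):
    """Decode the two-character timestamp back to an integer in 0..1023."""
    return (SRS_BASE32.index(ts[0]) << 5) | SRS_BASE32.index(ts[1])


def _tag(secret, ts, domain, local):
    """Truncated HMAC-SHA1 over timestamp, domain and local part (case-folded)."""
    msg = (ts + domain + local).lower().encode()
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    return base64.b64encode(mac).decode()[:4]


def srs_forward(sender, forwarder_domain, secret, days=None):
    """Rewrite 'user@example.org' into an SRS0 address at forwarder_domain."""
    local, sep, domain = sender.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("sender must be local@domain")
    if days is None:
        days = int(time.time() // 86400)
    ts = _timestamp(days)
    tag = _tag(secret, ts, domain, local)
    return f"SRS0={tag}={ts}={domain}={local}@{forwarder_domain}"


def srs_reverse(address, secret, max_age_days=21, days=None):
    """Validate an SRS0 address and return the original sender, or raise ValueError.

    A bounce to a forged or stale SRS0 address fails here, which is what keeps
    the forwarder from relaying other people's backscatter onward.
    """
    local, sep, _ = address.rpartition("@")
    if not sep or local[:5].upper() != "SRS0=":
        raise ValueError("not an SRS0 address")
    parts = local.split("=", 4)  # SRS0, tag, ts, domain, original local (may contain '=')
    if len(parts) != 5:
        raise ValueError("malformed SRS0 address")
    _, tag, ts, domain, orig_local = parts
    ts = ts.upper()  # MTAs may lowercase addresses in transit
    if len(ts) != 2 or any(c not in SRS_BASE32 for c in ts):
        raise ValueError("bad timestamp")
    expected = _tag(secret, ts, domain, orig_local)
    if not hmac.compare_digest(tag.lower().encode(), expected.lower().encode()):
        raise ValueError("bad SRS tag")
    if days is None:
        days = int(time.time() // 86400)
    age = (days - _timestamp_days(ts)) % 1024
    if age > max_age_days:
        raise ValueError("SRS address expired")
    return f"{orig_local}@{domain}"


if __name__ == "__main__":
    secret = b"constructed-secret"  # invented; keep the real one out of the config repo
    rewritten = srs_forward("alice@example.org", "forwarder.example", secret)
    print(rewritten)
    print(srs_reverse(rewritten, secret))
```

The timestamp and tag together are what make the scheme safe to run on a busy forwarder: an attacker cannot mint SRS0 addresses that your MTA will bounce back through, and old ones stop working on their own.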


Re: UCEPROTECT questions

2009-11-27 Thread Per Jessen
Mariusz Kruk wrote:

 But yes, some other RBL's have also unclear rules - I admit.
 Yet, the delisting is kinda different isn't it?

Yes, but that has not been a problem for me so far.  As far as I can
tell, the automatic process also works very well. 

 - which is why I don't block with UCEPROTECT.
 
 Yep, me neither, but I had some cases of dimwitted admins setting up
 UCEPROTECT RBL so I couldn't even contact the postmaster! 

Yeah, there is no shortage of poorly configured mailservers - missing
rDNS, no postmaster/abuse address, poor HELOs, even illegal
IP-addresses on the internal networks.  It's a sad state of affairs.  

 (the whole /14 range my server is in is listed in level-2 - that's
 ridiculous). 

Now I understand your problem - I have 15 IP-addresses from that network
on my internal list generated from spamtraps. The last one only three
hours ago. 


/Per Jessen, Zürich



Re: UCEPROTECT questions

2009-11-27 Thread Matus UHLAR - fantomas
 Alex wrote:
  I'm interested in people's opinion of UCEPROTECT. I'm aware of how it
  works, but even UCEPROTECT1 seems to catch an awful lot of ham, and I
  wondered if I was doing something wrong.

On 26.11.09 23:09, Per Jessen wrote:
 Don't use UCEPROTECT for catching, only for scoring.  

well, there are some postmasters/hosts using even L2 and L3 at SMTP time for
rejecting.
We have a ticket open where a host is rejecting your mail because the IP in
Received: is in backscatterer.org.

Some people don't know what they are doing.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
They say when you play that M$ CD backward you can hear satanic messages.
That's nothing. If you play it forward it will install Windows.


Re: which free RBL do you use?

2009-11-27 Thread Matus UHLAR - fantomas
On 26.11.09 17:12, Allen Chen wrote:
 I didn't touch my spamassassin server for almost one year.
 It's still running and filtering spam without any problems.
 But I think things are changed a lot. I'm using 3.2.4.
 So I am asking which free RBLs  you guys are still using.

first upgrade to 3.2.5.
then run sa-update.

THEN ask about RBLs.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Fighting for peace is like fucking for virginity...


Re: UCEPROTECT questions

2009-11-27 Thread Per Jessen
Matus UHLAR - fantomas wrote:

 Alex wrote:
  I'm interested in people's opinion of UCEPROTECT. I'm aware of how
  it works, but even UCEPROTECT1 seems to catch an awful lot of ham,
  and I wondered if I was doing something wrong.
 
 On 26.11.09 23:09, Per Jessen wrote:
 Don't use UCEPROTECT for catching, only for scoring.
 
 well, there are some postmasters/hosts using even L2 and L3 at SMTP
 time for rejecting.

I have no doubt there is.  Doesn't change anything for uceprotect, imo.

 We have ticket open where a host is rejecting your mail because IP in
 Received: is in backscatterer.org.

Yeah, I know (which ticket is this?) 

 
 Some people don't know what they are doing.

Too many, unfortunately.


/Per Jessen, Zürich



Re: which free RBL do you use?

2009-11-27 Thread rich...@buzzhost.co.uk
On Fri, 2009-11-27 at 12:27 +0100, Matus UHLAR - fantomas wrote:
 On 26.11.09 17:12, Allen Chen wrote:
  I didn't touch my spamassassin server for almost one year.
  It's still running and filtering spam without any problems.
  But I think things are changed a lot. I'm using 3.2.4.
  So I am asking which free RBLs  you guys are still using.
 
 first upgrade to 3.2.5.
 then run sa-update.
 
 THEN ask about RBLs.
That would be DNSBL's. RBL is a registered trademark AFAIR.




Re: UCEPROTECT questions

2009-11-27 Thread Matus UHLAR - fantomas
  Alex wrote:
   I'm interested in people's opinion of UCEPROTECT. I'm aware of how
   it works, but even UCEPROTECT1 seems to catch an awful lot of ham,
   and I wondered if I was doing something wrong.
  
  On 26.11.09 23:09, Per Jessen wrote:
  Don't use UCEPROTECT for catching, only for scoring.

 Matus UHLAR - fantomas wrote:
  well, there are some postmasters/hosts using even L2 and L3 at SMTP
  time for rejecting.

On 27.11.09 12:56, Per Jessen wrote:
 I have no doubt there is.  Doesn't change anything for uceprotect, imo.
 
  We have ticket open where a host is rejecting your mail because IP in
  Received: is in backscatterer.org.
 
 Yeah, I know (which ticket is this?) 
 
  
  Some people don't know what they are doing.
 
 Too many, unfortunately.

I'm only saying that anyone publishing a RBL SHOULD know what he is doing
and that some people apparently will use it for anything, therefore (s)he
should be careful enough about publishing it.
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Save the whales. Collect the whole set.


Re: which free RBL do you use?

2009-11-27 Thread Matus UHLAR - fantomas
  On 26.11.09 17:12, Allen Chen wrote:
   I didn't touch my spamassassin server for almost one year.
   It's still running and filtering spam without any problems.
   But I think things are changed a lot. I'm using 3.2.4.
   So I am asking which free RBLs  you guys are still using.

 On Fri, 2009-11-27 at 12:27 +0100, Matus UHLAR - fantomas wrote:
  first upgrade to 3.2.5.
  then run sa-update.
  
  THEN ask about RBLs.

On 27.11.09 12:19, rich...@buzzhost.co.uk wrote:
 That would be DNSBL's. RBL is a registered trademark AFAIR.

Why do you tell me? Tell the OP, I just have used the same terminology. 
-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
A day without sunshine is like, night.


Re: which free RBL do you use?

2009-11-27 Thread rich...@buzzhost.co.uk
On Fri, 2009-11-27 at 14:03 +0100, Matus UHLAR - fantomas wrote:
 Why do you tell me? Tell the OP, I just have used the same
 terminology. 
Matus, why are you once more sending me off list replies?

Again, will you *please* keep your replies *ON LIST*. I pointed out that
RBL is a trademark just to be an anal pedant. I'm incredibly surprised
that *you* missed the opportunity given your track record if *I* were to
do it.







Re: which free RBL do you use?

2009-11-27 Thread Robert Braver
On Thursday, November 26, 2009, 4:12:57 PM, Allen Chen wrote:

AC I didn't touch my spamassassin server for almost one year. It's
AC still running and filtering spam without any problems. But I
AC think things are changed a lot. I'm using 3.2.4. So I am asking
AC which free RBLs you guys are still using.

While it's not free for larger volume/commercial use, Spamhaus ZEN
(which includes the SBL, XBL, PBL, and now CSS DNSBLs) has been
invaluable here.

I've always scored on ZEN, but recently I began moving clients to a
newer server where I am enforcing SMTP authentication.  As a result,
I am now able to block based on PBL listings.

This alone has blocked about 80% of the spam outright at the SMTP
session level that was previously coming in and then being filtered
by SpamAssassin as well as ClamAV.

-- 
Best regards,
 Robert Braver
 rbra...@ohww.norman.ok.us



Re: which free RBL do you use?

2009-11-27 Thread Benny Pedersen

On Fri 27 Nov 2009 16:47:54 CET, rich...@buzzhost.co.uk wrote

Matus, why are you once more sending me off list replies?
Again, will you *please* keep your replies *ON LIST*.


priceless reply-to

--
xpoint



Re: which free RBL do you use?

2009-11-27 Thread rich...@buzzhost.co.uk
On Fri, 2009-11-27 at 17:17 +0100, Benny Pedersen wrote:
 On Fri 27 Nov 2009 16:47:54 CET, rich...@buzzhost.co.uk wrote
  Matus, why are you once more sending me off list replies?
  Again, will you *please* keep your replies *ON LIST*.
 
 priceless reply-to
 
Priceless indeed. Everybody else can manage *not* to do it - even you.



Need help running SA in a (comparative) anti-spam test

2009-11-27 Thread Martijn Grooten
All,

a few months back, there was a discussion on this list about the
VBSpam comparative anti-spam tests[1], in which SpamAssassin performed
significantly worse than many commercial products. Now I run these
tests and I believe something was the matter with (the installation
of) SA that made it perform so badly. For understandable reasons, none
of the developers had time to help me set it up well for our test, so
we decided to withdraw it for the time being.

I would still love to have the product back in the test. The test is
paid-for, but free for free, open source products and we made that
decision because we really wanted to have SA and others in the test.
Now some people offered on this list to help me and that is why I'm
writing this email -- Justin is happy for the community to help me. If
there are people who are willing to help me set up SA so that it runs
in ideal circumstances for our test, could they reply to me
off-list[2] at this address or, even better, at
martijn.groo...@virusbtn.com.

A couple of things:
- the main MTA for the test runs Qpsmtpd[3] on SUSE Linux Enterprise
Server 11 and SA is run as a Qpsmtpd plugin;
- from what it seems, all that SA was (and is) doing is some
heuristic checks on the body of the email, which makes it catch about
50% of spam, with relatively many (several percent) false positives;
it checks every hour or so for updates, but these are rarely found;
- I'm happy to add any extensions as long as these are also free and
open source -- note that our 'target audience' includes big ISPs and
unfortunately for them things such as Spamhaus's RBL aren't free;
- we don't white-list good senders (or blacklist bad ones) in any
product, nor do we give 'feedback' to the products[4];
- I won't include SA in the test before the developers are happy with
it being included: I know that some of the above rules might
disproportionately disadvantage SA, so I would understand if they were
to decide they wouldn't want it to be included. It is not our
intention to make SA look bad!

Thanks.

Martijn.

[1] http://www.virusbtn.com/vbspam
[2] but, because I hate people who post once and ask to be contacted
off-list, I will keep checking the list too!
[3] http://smtpd.develooper.com/
[4] we do give generic feedback to developers though: e.g. hey, you
blocked a lot of newsletters, or you missed a lot of spam in Japanese.
At the end of the day, the goal of our test is to make products
better.


Re: which free RBL do you use?

2009-11-27 Thread Allen Chen


Thanks for all the replies.
Yes, RBL, I mean DNSBL. Also I heard that configuring DNSBL in sendmail is
better than in spamassassin, because this can take some load off
spamassassin.

Am I right?
Next, I'm going to upgrade spamassassin to 3.2.5 and try to configure
sendmail to check DNSBL.
I will try bl.spamcop.net first in sendmail. Your inputs are welcome.
I'm looking for some free DNSBLs. We are a non-profit organization and
don't have too much email traffic.


Allen


Re: which free RBL do you use?

2009-11-27 Thread Benny Pedersen

On Fri 27 Nov 2009 18:08:23 CET, Allen Chen wrote

DNSBLs. We are non-profit organization and don't have too much email traffic.


install bind, check spamhaus dnsbl in sendmail, add more internal spam  
tests in sendmail, don't add too much dnsbl in sendmail, and i have  
found spamcop is more for spamassassin not for mta, but imho zen is  
mta safe


rule of thumb is don't use dns forwarders, use localhost, which does hint  
glue ns finding for you and spreads load over more than usually your isp's  
2 nameservers


as obama says, yes you can :)

--
xpoint



Re: which free RBL do you use?

2009-11-27 Thread Robert Braver
On Friday, November 27, 2009, 11:08:23 AM, Allen Chen wrote:

AC Thanks for all the replies. yes, RBL, I mean DNSBL. Also I heard
AC that configuring DNSBL in sendmail is better than in
AC spammassassin. because this can release some loads on
AC spamassassin. Am I right?

For some DNSBLs, yes.  For others, you want to allow SpamAssassin to
score them.

As long as you are bypassing DNSBL checks for authenticated clients,
you can safely block everything at SMTP session level with ZEN.  In
turn, I disable the Spamhaus ZEN checks in SA, as there's no point
in querying ZEN twice when everything that shows up there is blocked
before it gets to SA.

AC Next, I'm going to upgrade spamassassin to 3.2.5 and try to
AC configure sendmail to check DNSBL. I will try bl.spamcop.net
AC first in sendmail. Your inputs are welcome. I'm looking for some
AC free DNSBLs. We are non-profit organization and don't have too
AC much email traffic.

Your organization should be free to use the Spamhaus DNSBLs at no
charge. I personally do not block on bl.spamcop.net, but it does add
a score of 2.0 in SA.


-- 
Best regards,
 Robert Braver
 rbra...@ohww.norman.ok.us
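
Several posts above describe one and the same policy from different angles: Per scores on UCEPROTECT but does not reject on it, Matus complains about hosts that reject on Level 2/3 and on IPs pulled out of Received: headers, and Robert rejects on ZEN at SMTP time but only for clients that did not authenticate. The following is an added example in Python, not code from the thread, from SpamAssassin or from any DNSBL operator: it builds the reversed-octet (or reversed-nibble, for IPv6) query name, keeps only answers in the 127.0.0.0/24 listing range, and applies that policy to the connecting client only. The resolver is a constructed in-memory stub with invented listings so the block runs offline; the zone names are the public ones, the scores are arbitrary, and a real deployment would query a local caching resolver as Benny recommends.

```python
import ipaddress

# Constructed resolver stand-in so the example runs offline. Every entry is
# invented sample data, not a real listing.
FAKE_DNS = {
    "4.3.2.1.zen.spamhaus.org":        ["127.0.0.4"],
    "4.3.2.1.dnsbl-1.uceprotect.net":  ["127.0.0.2"],
    "9.8.7.6.dnsbl-2.uceprotect.net":  ["127.0.0.2"],        # listed only at Level 2
    "3.2.1.10.zen.spamhaus.org":       ["127.255.255.254"],  # answer outside the listing range
}


def fake_resolve(name):
    """Return A-record strings for name; [] stands for NXDOMAIN ('not listed')."""
    return FAKE_DNS.get(name, [])


def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed octets (nibbles for IPv6) plus the zone."""
    rp = ipaddress.ip_address(ip).reverse_pointer  # e.g. '4.3.2.1.in-addr.arpa'
    return rp.rsplit(".", 2)[0] + "." + zone


def dnsbl_lookup(ip, zone, resolve=fake_resolve):
    """Return (listing codes, unexpected answers) for ip in zone.

    Only 127.0.0.x answers are listings. Anything else is reported separately:
    some zones use out-of-range addresses to signal a refused or malformed
    query, and treating those as hits would reject everyone.
    """
    listing_range = ipaddress.ip_network("127.0.0.0/24")
    hits, errors = set(), set()
    for answer in resolve(dnsbl_name(ip, zone)):
        addr = ipaddress.ip_address(answer)
        (hits if addr in listing_range else errors).add(str(addr))
    return hits, errors


# Assumed local policy: reject on ZEN at SMTP time, score everything else in
# the filter, and never reject on UCEPROTECT Level 2/3, which list whole
# allocations and ASNs rather than individual senders. Scores are made up.
POLICY = [
    # zone,                    action,   score added when listed
    ("zen.spamhaus.org",       "reject", 0.0),
    ("dnsbl-1.uceprotect.net", "score",  2.0),
    ("dnsbl-2.uceprotect.net", "score",  0.5),
    ("dnsbl-3.uceprotect.net", "score",  0.2),
]


def decide(client_ip, authenticated=False, resolve=fake_resolve):
    """Decide for the *connecting* SMTP client only.

    Never feed this function IPs parsed out of Received: headers; the
    backscatterer.org ticket in the thread is what that mistake looks like
    from the sender's side. Authenticated submissions skip the lists entirely.
    """
    verdict = {"action": "accept", "score": 0.0, "hits": {}}
    if authenticated:
        return verdict
    for zone, action, score in POLICY:
        hits, errors = dnsbl_lookup(client_ip, zone, resolve)
        if errors:
            verdict.setdefault("errors", {})[zone] = sorted(errors)
        if not hits:
            continue
        verdict["hits"][zone] = sorted(hits)
        if action == "reject":
            verdict["action"] = "reject"
        else:
            verdict["score"] += score
    return verdict


if __name__ == "__main__":
    for ip in ("1.2.3.4", "6.7.8.9", "10.1.2.3", "192.0.2.1"):
        print(ip, decide(ip))
```

Wiring this into an MTA means the reject branch runs at RCPT/DATA time for unauthenticated connections and the score branch is handed to the content filter; querying the same zone in both places, as Robert notes, only doubles the DNS load.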



Re: Need help running SA in a (comparative) anti-spam test

2009-11-27 Thread Ted Mittelstaedt


Martijn,

  I may be missing something here but I went to your website and
you use the terms malware and spam interchangeably.

  Now, it may be true that these days in the commercial realm
that the antivirus vendors are all jumping into the anti-spam market
to enhance revenue, but in reality, viruses are a subset of spam.
It may be true that most commercial antispam products are in
reality, full-meal-deal products that do both virus and spam
filtering, but SpamAssassin is not, and was never intended to be.

  SA isn't going to guarantee to capture viruses, it doesn't even
try to capture viruses.  It tries to identify spam - and there's a lot
more spam out there than virus-laden e-mail.

  When a mail message has a virus, or has a link to a virus, it's 
possible to make a black-and-white decision on that message.


  But it's not possible to make a black and white decision on spam.
What's one man's spam is another man's ham.

  You have to run SA in conjunction with a virus scanner - probably
the most common one people use is clamAV - for it to be any good as
a full meal deal solution.

  Further, use of blacklists is a significant difference as well.

  These commercial full-meal-deal products you're comparing have
5 possible components that could be present in them to filter
spam (what is actually there is not known since commercial products
don't disclose source):

1) a private blacklist run by the vendor that's checked for each message 
and distributed to each installation of product.

2) Access to free public blacklists that can also be used for checking.
3) A database of viruses in the product that's checked for each message.
4) some heuristic checks on the body of the email within the product.
5) Reporting back questionable, identified-as-possibly-spam-but-I
-don't know for certain- e-mails to a master server for further 
analysis, or possible comparison to a known database of spam held by the 
vendor


I'm not saying all commercial full-meal-deal products have all 5 of
these components, just that they MIGHT - and there's no way to know
unless the source is published.

 The fact that SA, alone, was able to get 50% based on heuristic 
checks on the body of the email only, compared to these commercial 
products which have such a vast possible advantage is simply stunning, 
when you put it in perspective.


In your test installation:

SA didn't virus scan
SA didn't use any private blacklists
SA didn't use any public blacklists
SA didn't pass questionables to a more authoritative vendor-owned 
mainframe for scanning


And yet, it still got 50% of them.

I don't call that poor performance. SA had 4 of its 5 hands tied behind 
its back in your test and still got halfway there.  Untie 1 or 2 more 
and make it an apples-to-apples comparison and it will be kicking those
commercial full-meal-deal products' asses around the block

Ted


Re: Need help running SA in a (comparative) anti-spam test

2009-11-27 Thread Ned Slider

Martijn Grooten wrote:


- I'm happy to add any extensions as long as these are also free and
open source -- note that our 'target audience' includes big ISPs and
unfortunately for them things as Spamhaus's RBL aren't free;


I'm not in any way trying to jump on what you're trying to do as I 
firmly believe SpamAssassin can be every bit as effective, if not more 
so, than any commercial product in fighting spam.


However, I would just like to raise one point - perhaps others can 
comment as to the technical correctness, but I was under the impression 
that the Spamhaus (and other) DNSBLs are enabled as part of the default 
SpamAssassin install (and weighted scoring system), so if you disable 
these tests because they are not free to larger volume users then you 
are not really testing the default product, but one in which you have 
disabled some of the more effective constituent parts. This IMHO would 
put SpamAssassin at a considerable disadvantage.


To give an analogy you might be more familiar with, it's a bit like you 
testing an antivirus product but saying we're not going to use any 
signatures as these aren't free (they require a paid subscription), so 
will only use heuristics and then wondering why said AV product only 
catches 50% of your sample viruses :-/


Personally, I'd rather see you test SpamAssassin with DNSBLs such as 
Spamhaus enabled as per a default installation, and note that such a 
configuration is only free for users producing less than 100,000 queries 
per day (or whatever Spamhaus' current limitations are). I assume the 
other commercial products in your tests are tested in their default 
configurations?






Re: Undisclosed recipients :; -- again

2009-11-27 Thread Philip A. Prindeville

John Hardin wrote:

On Mon, 23 Nov 2009, LuKreme wrote:

On Nov 23, 2009, at 12:05, Philip Prindeville 
philipp_s...@redfish-solutions.com wrote:



I want to block all messages that I'm getting that have:

To: undisclosed recipients: ;


undisclosed recipients is used for Bcc: mail

I used it all the time. And you WILL 'block' legitimate mail.


Granted, but in metas such a test can be useful:

http://ruleqa.spamassassin.org/?rule=%2FTO_NO&srcpath=jhardin



Speaking of tests, I saved out some messages that should have matched my 
rule but didn't into files, and ran them against spamassassin as:


spamassassin -D < /tmp/emails/XXX.eml

and I saw:

[28655] dbg: rules: ran header rule __L_UNDISCLOSED2 ======> got hit: "<negative match>"


for the ruleset:


header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/
header __L_UNDISCLOSED2 Cc =~ /^$/
meta L_UNDISCLOSED  (__L_UNDISCLOSED1 && __L_UNDISCLOSED2)
describe L_UNDISCLOSED  To: list is meaningless and no Cc:
score L_UNDISCLOSED 10.0



but didn't see __L_UNDISCLOSED1 match. Also, what does negative match 
mean? That it didn't match?


Lots of other rules (like __L_UNDISCLOSED1) didn't match, but I didn't 
see debug for those...


Just how do I go about figuring out what the To:raw value is (for 
example)?


Thanks,

-Philip





Re: Need help running SA in a (comparative) anti-spam test

2009-11-27 Thread Alex
Hi,

 - I'm happy to add any extensions as long as these are also free and
 open source -- note that our 'target audience' includes big ISPs and
 unfortunately for them things as Spamhaus's RBL aren't free;

Do the commercial vendors get to use publically-available DNSBLs like
zen? If so, and since they use them for commercial purposes, do they
license its use in cases such as for this bake-off?

How does zen compare with the commercial DNSBLs that the commercial
vendors have themselves and we don't have access to?

Thanks,
Alex


Re: Undisclosed recipients :; -- again

2009-11-27 Thread John Hardin

On Fri, 27 Nov 2009, Philip A. Prindeville wrote:


header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/

Just how do I go about figuring out what the To:raw value is (for example)?


  header  __TO_RAW  To:raw =~ /.+/

If you're analyzing something that may have multiple occurrences, you'll 
need a tflags multiple:


  body__ALL_BODY  /.+/
  tflags  __ALL_BODY  multiple

--
 John Hardin KA7OHZhttp://www.impsec.org/~jhardin/
 jhar...@impsec.orgFALaholic #11174 pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Bother, said Pooh as he struggled with /etc/sendmail.cf, it never
  does quite what I want. I wish Christopher Robin was here.
   -- Peter da Silva in a.s.r
---
 28 days until Christmas


Re: Undisclosed recipients :; -- again

2009-11-27 Thread Philip A. Prindeville

John Hardin wrote:

On Fri, 27 Nov 2009, Philip A. Prindeville wrote:


header __L_UNDISCLOSED1 To:raw =~ /undisclosed-recipients: ;/

Just how do I go about figuring out what the To:raw value is (for 
example)?


  header  __TO_RAW  To:raw =~ /.+/

If you're analyzing something that may have multiple occurrences, 
you'll need a tflags multiple:


  body__ALL_BODY  /.+/
  tflags  __ALL_BODY  multiple



Interesting, thanks:

[31209] dbg: rules: ran header rule __TO_RAW ======> got hit: " undisclosed recipients: ;_"


wondering why it contains the leading space, and what the trailing 
underscore is for...


On a side note, I never figured out why I see:

[31209] warn: plugin: failed to parse plugin (from @INC): syntax error at (eval 43) line 
1, near require Mail::SpamAssassin:

This seems to be a known issue.  What's the fix?
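
To make the To:raw behaviour discussed in the last three messages concrete (the raw value keeps the blank after the colon, and a rule written with a literal hyphen never matches a header spelled "undisclosed recipients" with a space, which is what the __TO_RAW output shows), here is an added Python example. It is not code from the thread or from SpamAssassin: a small raw-header parser and the check that the L_UNDISCLOSED meta rule is trying to express, with a pattern that tolerates both spellings, the leading blank and a folded header. The messages are constructed samples. Treating an absent Cc: as empty is an assumption of this example, not a statement about how SpamAssassin evaluates `/^$/` on a missing header without an `[if-unset: ...]` default; check that against your version.

```python
import re

# The literal pattern from the posted rule, kept for comparison.
THREAD_RE = re.compile(r"undisclosed-recipients: ;")

# Tolerant replacement: optional leading blank, hyphen or whitespace (including a
# fold) between the words, optional blank before the empty group's ';'.
UNDISCLOSED_RE = re.compile(r"^\s*undisclosed[-\s]+recipients:\s*;\s*$", re.IGNORECASE)


def parse_headers(raw):
    """Parse the header block of an RFC 822 message into (name, raw_value) pairs.

    Values keep the whitespace after the colon and folded continuation lines
    keep their newline and leading whitespace; that is the 'raw' view a
    To:raw rule sees, as opposed to the decoded and trimmed To: value.
    """
    headers = []
    for line in raw.split("\n"):
        if line == "":
            break  # blank line ends the header block
        if line[:1] in " \t" and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + "\n" + line)
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value))
    return headers


def header_values(headers, name):
    """All raw values of header `name`, case-insensitively, in message order."""
    return [v for n, v in headers if n == name.lower()]


def is_undisclosed_only(raw):
    """True when every To: is an empty 'undisclosed recipients' group and no Cc: exists.

    An absent Cc: counts as empty here (assumption, see lead-in).
    """
    headers = parse_headers(raw)
    to = header_values(headers, "To")
    cc = header_values(headers, "Cc")
    if not to or not all(UNDISCLOSED_RE.match(v) for v in to):
        return False
    return all(v.strip() == "" for v in cc)


# Constructed sample messages (not taken from any real mailbox).
MSG_HIT = (
    "From: sender@example.org\n"
    "To: undisclosed recipients: ;\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
MSG_HYPHEN = "From: sender@example.org\nTo: undisclosed-recipients: ;\n\nbody\n"
MSG_FOLDED = "From: sender@example.org\nTo: undisclosed\n recipients: ;\n\nbody\n"
MSG_CC = "From: sender@example.org\nTo: undisclosed recipients: ;\nCc: bob@example.org\n\nbody\n"
MSG_NORMAL = "From: sender@example.org\nTo: alice@example.org\n\nbody\n"

if __name__ == "__main__":
    for label, msg in [("hit", MSG_HIT), ("hyphen", MSG_HYPHEN), ("folded", MSG_FOLDED),
                       ("cc", MSG_CC), ("normal", MSG_NORMAL)]:
        raw_to = header_values(parse_headers(msg), "To")
        print(f"{label:7} To:raw={raw_to!r} undisclosed_only={is_undisclosed_only(msg)}")
```

Running it prints the To:raw values with their leading blank, which is why the thread's `__TO_RAW` rule reports the value with a space in front; the parser above is just to see that value, the decision itself is what a meta rule combining the two sub-rules would compute.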