Re: RDNS_NONE

2010-03-13 Thread Ned Slider

Karsten Bräckelmann wrote:

> On Fri, 2010-03-12 at 22:57 +, Christian Gregoire wrote:
>
>> Using SA 3.3.0. Any reason why RDNS_NONE now scores 1.3, when it was
>> down to 0.1 with the previous releases ?
>
> The score was pretty much informational only previously and arbitrarily
> set. The current score is what the mass-checks and GA result in.



Interesting. I had bumped the score to 1.0 in 3.2.5 based on my 
observations here so looks like I wasn't too far off :-)




Re: return-path program

2010-03-13 Thread Ramprasad

Alexandre Chapellon wrote:

> Hello,
>
> I would like to know if someone here is part of the returnpath.net
> (http://www.returnpath.net/emailserviceprovider/certification/)
> certification program?

Sender certification usually is unnecessary unless you send mails in bulk.
For bulk mailers, any certification program would work only if you
maintain strictly opt-in mailing.
You could easily go to their site and ask for info; the guys at returnpath
will get back to you.

> Does it really increase deliverability of email and to which MSP?

Yes, getting certified definitely increases deliverability. (Yahoo,
Hotmail, MSN... Even SpamAssassin by default scores certified mails as
non-spam.)

> What are the necessary steps to get into that program and is it free
> or do I have to pay something?

Obviously there is a certification fee.
BTW, if you are already a "good sender" I don't know if you really
require certification; if you aren't then you won't qualify for
certification :-)


Thanks
Ram




Re: RDNS_NONE

2010-03-13 Thread Benny Pedersen

On lør 13 mar 2010 03:02:32 CET, Michelle Konzack wrote

> The below headers trigger the rule only because the remote LAN SMTP
> client, with IP 10.10.3.3, has no rDNS.
> I'd rather say, for example, 1.3 for the last gateway, and 0.1 for the
> others.

Maybe you tell your MTA to trust your own network and bypass SA?


trusted_networks 10.0.0.0/8

or add the ip to /etc/hosts so it resolves locally

is this still not a FAQ? :-)

--
xpoint http://www.unicom.com/pw/reply-to-harmful.html



Re: Bogus mails from hijacked accounts

2010-03-13 Thread Benny Pedersen

On lør 13 mar 2010 02:14:02 CET, Michelle Konzack wrote


> The problem is, according to the RFCs, ISPs must have an  address,
> but have you ever tried this with a corporate domain?
> Even  is rejected on most domains.

report them on rfc-ignorant.org

> Some time ago we had a problem on a bunch of Debian mailing lists with a
>  and after the ISP was not responsive, I have spidered
> their WHOLE website for corporate e-mail addresses and put all of them
> in the Cc: of my ABUSE autoresponder... which normally forwards this crap
> only to the right  addresses...

this is only the website owner, not his hoster

> After getting around 1800 spams over the Debian mailing lists which were
> multiplied by a factor of 37 by me with a friendly text for the recipients
> to contact their colleagues to stop their spamming customer

way to go there

> Around 2 days later the offending customer's domain was offline after
> more than one year of spamming.

super

> I think, my 37 x 1800 abuse mails have hit the nerve of someone!

corp with did no log scan

> The problem is now, such idiots require heavy manual intervention.

from.pm solves it for me




Re: Hidden Dir in URI

2010-03-13 Thread John Hardin

On Mon, 8 Mar 2010, Ned Slider wrote:

> John Hardin wrote:
>
>> On Mon, 8 Mar 2010, Ned Slider wrote:
>>
>>> So I've refined the rule to specifically exclude hitting on the
>>> sequence ../. which stops the rule triggering on multiple relative
>>> paths.
>>>
>>> uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../
>>
>> How about:
>>
>> uri LOCAL_URI_HIDDEN_DIR m;.{8}/\..(?!/);
>
> Yes, that works too on my examples and is probably a more elegant
> solution than mine :-)
>
> John - are you able to try this rule in your sandbox and do mass checks?
> I'd be interested to see how it scores.

It took a little more work to generate a clean rule and it's somewhat more
complex than the above.


uri  URI_HIDDEN_2  m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..;

Winders generates (and accepts) URIs with backslashes as directory 
separators (in violation of the URI RFC? I'll have to look) and URIs can 
have encoded directory separators (e.g. %2F).


A comparison between the older version that hits on /../ and the version 
that does not shows the somewhat counterintuitive result that hitting on 
/../ gives marginally better results (at least, as far as ruleqa is 
concerned). Sure, it's not _really_ a hidden directory, but it has false 
hits on spam to a greater degree than it does on ham, so the S/O ratio is 
better and the overall hits are higher...


http://ruleqa.spamassassin.org/?rule=%2FURI_HIDDEN

--
 John Hardin KA7OHZ                    http://www.impsec.org/~jhardin/
 jhar...@impsec.org    FALaholic #11174     pgpk -a jhar...@impsec.org
 key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
---
  Failure to plan ahead on someone else's part does not constitute
  an emergency on my part. -- David W. Barts in a.s.r
---
 Tomorrow: Daylight Saving Time begins in U.S. - Spring Forward


Re: Hidden Dir in URI

2010-03-13 Thread Ned Slider

John Hardin wrote:

> On Mon, 8 Mar 2010, Ned Slider wrote:
>
>> John Hardin wrote:
>>
>>> On Mon, 8 Mar 2010, Ned Slider wrote:
>>>
>>>> So I've refined the rule to specifically exclude hitting on the
>>>> sequence ../. which stops the rule triggering on multiple relative
>>>> paths.
>>>>
>>>> uri LOCAL_URI_HIDDEN_DIR /(?!.{6}\.\.\/\..).{8}\/\../
>>>
>>> How about:
>>>
>>> uri LOCAL_URI_HIDDEN_DIR m;.{8}/\..(?!/);
>>
>> Yes, that works too on my examples and is probably a more elegant
>> solution than mine :-)




Having done a little more testing, I can confirm this variant is more 
accurate than my revision above.




> It took a little more work to generate a clean rule and it's somewhat
> more complex than the above.
>
> uri  URI_HIDDEN_2  m;.{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\..;
>
> Winders generates (and accepts) URIs with backslashes as directory
> separators (in violation of the URI RFC? I'll have to look) and URIs can
> have encoded directory separators (e.g. %2F).




and your latest revision (above) performs as expected on my small 
collection of hidden_dir ham/spam, hitting on all the spam and missing 
the potential FPs (containing relative paths etc). I'm currently running 
both rules for further comparative testing.


> A comparison between the older version that hits on /../ and the version
> that does not shows the somewhat counterintuitive result that hitting on
> /../ gives marginally better results (at least, as far as ruleqa is
> concerned). Sure, it's not _really_ a hidden directory, but it has false
> hits on spam to a greater degree than it does on ham, so the S/O ratio
> is better and the overall hits are higher...
>
> http://ruleqa.spamassassin.org/?rule=%2FURI_HIDDEN



Interesting and indeed not what one might expect.
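
To make the two rule bodies discussed in John's and Ned's posts concrete, here is an added example (not from the thread or the SpamAssassin project) that transcribes the intermediate LOCAL_URI_HIDDEN_DIR variant and URI_HIDDEN_2 from Perl `m;...;` syntax into Python regexes and runs both over constructed URIs, including the backslash and %2F separators John mentions. The example.com URIs are made up for the test.

```python
import re

# The two SpamAssassin rule bodies quoted in the thread, transcribed from
# Perl's m;...; delimiters into Python regex syntax. Python 3.6+ supports
# the scoped (?i:...) group used for the %2F / %5C alternation.
RULES = {
    "LOCAL_URI_HIDDEN_DIR": re.compile(r".{8}/\..(?!/)"),
    "URI_HIDDEN_2": re.compile(r".{8}(?:[/\\]|%(?i:5c|2f))(?!\.\.?[/%\\])\.."),
}


def rules_hit(uri):
    """Return the (sorted) names of the rules whose pattern matches the URI."""
    return sorted(name for name, rx in RULES.items() if rx.search(uri))


# Constructed sample URIs (not taken from the thread); example.com is a placeholder.
SAMPLE_URIS = [
    "http://www.example.com/images/.secret/promo.html",  # real hidden directory
    "http://www.example.com/a/b/../c/index.html",        # relative path, ../
    "http://www.example.com/dir/./file.html",            # current-dir reference, ./
    "http://www.example.com/path\\.hidden\\x.exe",       # backslash separators
    "http://www.example.com/path%2F.hidden/x",           # %2F-encoded separator
    "http://www.example.com/path%2f..%2Fx",              # encoded ../ must not hit
]


def check_all(uris=SAMPLE_URIS):
    """Map each URI to the rules it triggers, for side-by-side comparison."""
    return {uri: rules_hit(uri) for uri in uris}


if __name__ == "__main__":
    for uri, hits in check_all().items():
        print(f"{uri:50} {', '.join(hits) or '-'}")
```

The run shows why URI_HIDDEN_2 needed the extra complexity: the `(?!\.\.?[/%\\])` lookahead keeps both `../` and `./` from hitting, and the separator alternation catches the backslash and percent-encoded forms that the plain `/` variant misses.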




Re: Bogus mails from hijacked accounts

2010-03-13 Thread Michelle Konzack
Good evening,

Am 2010-03-13 14:46:35, schrieb Benny Pedersen:
> report them on rfc-ignorant.org

I know it, but the way you have to report it is too long...

> > Some time ago we had a problem on a bunch of Debian mailing lists with a
> >  and after the ISP was not responsive, I have spidered
> > their WHOLE website for corporate e-mail addresses and put all of them
> > in the Cc: of my ABUSE autoresponder... which normally forwards this crap
> > only to the right  addresses...
> this is only the website owner, not his hoster

Oops, I mean, I have sent the messages to the hoster, which is the biggest
ISP of Brazil, since ANY messages to  failed and
 was not responsive.

So, writing to ANY employees of a hoster will hopefully work.
It is nearly impossible that 100% of the staff is incompetent.

> > I think, my 37 x 1800 abuse mails have hit the nerve of someone!
> corp with did no log scan

ACK!  --  Unfortunately I know many of them.

> > The problem is now, such idiots require heavy manual intervention.
> from.pm solves it for me

Unfortunately the attempts of the Debian Listmasters to
contact  were not successful.

Sometimes it requires the HAMMER method.

Thanks, Greetings and nice Day/Evening
Michelle Konzack
Systemadministrator
24V Electronic Engineer
Tamay Dogan Network
Debian GNU/Linux Consultant

-- 
Linux-User #280138 with the Linux Counter, http://counter.li.org/
# Debian GNU/Linux Consultant #
 Michelle Konzack
   Apt. 917
   50, rue de Soultz
Jabber linux4miche...@jabber.ccc.de   67100 Strasbourg/France
IRC#Debian (irc.icq.com)  Tel. DE: +49 177 9351947
ICQ#328449886 Tel. FR: +33  6  61925193




Re: RDNS_NONE

2010-03-13 Thread RW
On Sat, 13 Mar 2010 10:09:33 +
Ned Slider  wrote:

> Karsten Bräckelmann wrote:
> > On Fri, 2010-03-12 at 22:57 +, Christian Gregoire wrote:
> >> Using SA 3.3.0. Any reason why RDNS_NONE now scores 1.3, when it
> >> was down to 0.1 with the previous releases ?
> > 
> > The score was pretty much informational only previously and
> > arbitrarily set. The current score is what the mass-checks and GA
> > result in.
> > 
> 
> Interesting. I had bumped the score to 1.0 in 3.2.5 based on my 
> observations here so looks like I wasn't too far off :-)

Maybe, but probably not. The absence of reverse dns is a pretty strong
spam indicator, but unfortunately the rule can't distinguish between
the absence of rdns and a server that doesn't record it. Unless they
removed all the latter from the test corpora, the value is likely to be
a compromise that isn't really right for anyone.


Re: My First Spam Mail Today

2010-03-13 Thread Carlos Mennens
Karsten,

You're correct in they both have scores. I was not paying close
attention to the headers and also you're correct about my confusion
with default SA headers and Amavisd-new headers. I didn't realize
Amavisd used custom SA headers for messages.

Thanks for clarifying this!

-Carlos

On 3/12/10, Karsten Bräckelmann  wrote:
> On Fri, 2010-03-12 at 14:28 -0500, Carlos Mennens wrote:
>> I guess I am still lost. SA appears to be working and everything looks
>> fine however my emails don't appear to be getting a score and I don't
>> understand how that link applies to why SA isn't setting a score on my
>> messages when it is clearly passing mail to and from Postfix.
>>
>> My headers look like:
>>
>> X-Spam-Checker-Version: SpamAssassin 3.3.0 (2010-01-18) on
>> mail.iamghost.com
>> X-Spam-Level: *
>> X-Spam-Status: No, score=1.0 required=6.3
>>  tests=EXTRA_MPART_TYPE,HTML_MESSAGE autolearn=no version=3.3.0
>
> The default SA headers.
>
>> The above snippet shows no score as I would expect to see below from a
>> different server:
>>
>> X-Spam-Flag: NO
>> X-Spam-Score: -1.15
>> X-Spam-Level:
>> X-Spam-Status: No, score=-1.15 tagged_above=-999 required=5
>> tests=[BAYES_00=-2.599, MSGID_MULTIPLE_AT=1.449] autolearn=no
>
> Headers based on the SA analysis, but NOT added by SA but a third-party
> glue application that itself calls SA. Amavisd in this case.
>
>> Am I missing something in my local.cf that is not properly scoring all
>> incoming messages?
>
> You really are confused about the word "score", aren't you? Check both
> headers again, and you'll notice they both clearly show a score. The
> total score the message... scored. ;)
>
> The latter, the Amavisd headers, *additionally* show each rule's score
> in the tests section. Any chance that tiny, merely cosmetic difference
> is what you are after? And perceive as "missing scores"?
>
>
> If so, you can customize the SA headers (as added by SA), to look more
> like the Amavisd ones. In particular, there are Template Tags showing
> rules hit plus their respective scores...
>
>
> --
> char
> *t="\10pse\0r\0dtu...@ghno\x4e\xc8\x79\xf4\xab\x51\x8a\x10\xf4\xf4\xc4";
> main(){ char h,m=h=*t++,*x=t+2*h,c,i,l=*x,s=0; for (i=0;i c<<=1:
> (c=*++x); c&128 && (s+=h); if (!(h>>=1)||!t[s+h]){ putchar(t[s]);h=m;s=0;
> }}}
>
>

-- 
Sent from my mobile device